From Fedora Project Wiki

Revision as of 13:07, 17 October 2008

This is my attempt at documenting the policy grammar that is accepted by checkpolicy.

Comments start with a # character and continue to the end of the line.

Keywords can be in all uppercase or all lowercase.

Convention followed in this document: italics are used for syntax categories. Items in bold are literal; they must appear in the policy file exactly as written. Items in bold italics stand for things that are replaced by user-specified text; they are also surrounded with < and > signs to distinguish them clearly from keywords.

Any item in [ square brackets ] is an optional item. Items with a * after them can be repeated zero or more times. Items with a + after them can be repeated one or more times. Parentheses are used to group items that can be repeated. Vertical lines | are used to indicate alternatives.

A file must contain either a base_policy or a module_policy.

module_policy = module <identifier> <version_identifier> ; avrule_decl+ user_def*

avrule_decl = rbac_decl | te_decl | cond_stmt_decl | require_block | optional_block | ;
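As an added illustration of how the notation above maps onto recognition of a policy file (this is example code written for this page, not part of the wiki text or of checkpolicy), the following Python validator implements exactly what has been defined so far: # comments, the all-uppercase-or-all-lowercase keyword rule, and the module_policy production. The shapes of <identifier> and <version_identifier>, and the constructed sample input, are assumptions, since the page has not defined those tokens yet; the avrule_decl+ user_def* tail is only checked for presence, not parsed.

```python
import re
from dataclasses import dataclass

# Assumed token shapes: the page has not yet defined <identifier> or
# <version_identifier>, so these regexes are this example's assumption.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+)*")
KEYWORD_RE = re.compile(r"(?:module|MODULE)\b")  # all lower or all upper only
WS_RE = re.compile(r"\s*")


@dataclass
class ModulePolicy:
    name: str
    version: str
    body: str  # the avrule_decl+ user_def* tail, left unparsed here


def strip_comments(text: str) -> str:
    """Comments start with '#' and continue to the end of the line."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _expect(regex, src, pos, what):
    """Skip whitespace, then require `regex` at `pos`; return (text, new_pos)."""
    pos = WS_RE.match(src, pos).end()
    m = regex.match(src, pos)
    if not m:
        raise SyntaxError(f"expected {what} at offset {pos}")
    return m.group(0), m.end()


def parse_module_policy(text: str) -> ModulePolicy:
    """Recognise: module <identifier> <version_identifier> ; avrule_decl+ user_def*"""
    src = strip_comments(text)
    # 'Module' is rejected here, while 'module' and 'MODULE' both match.
    _, pos = _expect(KEYWORD_RE, src, 0, "'module' keyword")
    name, pos = _expect(IDENT_RE, src, pos, "<identifier>")
    version, pos = _expect(VERSION_RE, src, pos, "<version_identifier>")
    _, pos = _expect(re.compile(r";"), src, pos, "';'")
    body = src[pos:].strip()
    # avrule_decl+ means at least one declaration must follow; a lone ';'
    # counts, because ';' is one of the avrule_decl alternatives.
    if not body:
        raise SyntaxError("module_policy needs at least one avrule_decl")
    return ModulePolicy(name, version, body)


# Constructed sample input for illustration (not taken from the wiki page).
SAMPLE = """\
# constructed module header
MODULE myapp 1.2.0;   # keyword in all uppercase is allowed
;                     # the empty statement is a valid avrule_decl
"""

if __name__ == "__main__":
    print(parse_module_policy(SAMPLE))
```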