;; CIL test policy for blockinherit.
;; A minimal base policy is declared first, then a series of block /
;; blockinherit cases; the types and allow rules each case is expected to
;; produce are listed in the "Expected" section at the end of the file.

;; Minimum stuff
;; One class, sid, user, role, type, MLS sensitivity/category and a
;; sidcontext tying them together.
(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
;; self: the target is the source type itself (TYPE).
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
;; Extra stuff
;; COMMON adds PERM1..PERM4 to CLASS via classcommon; of these only PERM1
;; is referenced below (block b6).
(common COMMON (PERM1 PERM2 PERM3 PERM4))
(classcommon CLASS COMMON)


;; Tests 1 and 2 show that the order of inheritance matters
;;
;; b1b inherits b1 first and then b1a (which itself contains a block named
;; b1); b2b does the same in the opposite order.  Per the Expected section
;; both orders yield <block>.ta and <block>.b1.tb / <block>.b2.tb.
(block b1
    (type ta))

(block b1a
    (block b1
        (type tb)))

(block b1b
    (blockinherit b1) ;; Results in b1b.ta
    (blockinherit b1a))


(block b2
    (type ta))

(block b2a
    (block b2
        (type tb)))

(block b2b
    (blockinherit b2a)
    (blockinherit b2))


;; All of these work
;; b3a declares t3a and a nested block b holding t plus an allow rule from
;; t3a to t.  The cases below inherit either the whole of b3a or only b3a.b,
;; with or without a local t3a declared first.
(block b3a
    (type t3a)
    (block b
        (type t)
        (allow t3a t (CLASS (PERM)))
    )
)

;; Inherits all of b3a: expected b3b.t3a, b3b.b.t and
;; allow b3b.t3a b3b.b.t.
(block b3b
    (blockinherit b3a)
)

;; Inherits only the nested block.  b3c has no t3a of its own, and the
;; Expected section lists the copied rule as allow b3a.t3a b3c.t, i.e. the
;; source type stays resolved to the original block's t3a.
(block b3c
    (blockinherit b3a.b)
)

;; Declares t3a locally before inheriting all of b3a: expected
;; allow b3d.t3a b3d.b.t.
(block b3d
    (type t3a)
    (blockinherit b3a)
)

;; Declares t3a locally and inherits only b3a.b: expected
;; allow b3e.t3a b3e.t, so here the rule binds to the local t3a.
(block b3e
    (type t3a)
    (blockinherit b3a.b)
)


;; Since block is abstract, allow rule will not be in policy
(type t4)
(block b4
    (blockabstract b4)
    (allow t4 self (CLASS (PERM)))
)


;; Inheriting the abstract block causes the allow rule to be in the policy
;; (expected: allow t5 t5 : CLASS { PERM }).
(type t5)
(block b5
    (blockabstract b5)
    (allow t5 self (CLASS (PERM)))
)
(blockinherit b5)


;; A sub-block can be inherited out of an abstract block
;; Only b6.b is inherited here, so the Expected section lists just the
;; PERM rule from b6.b; the PERM1 rule declared directly in b6 stays out
;; of the policy.
;; Review note: cases b3c and b6 are the ones worth keeping in mind when
;; reviewing policy that uses blockinherit -- inheriting a nested block
;; pulls in only that sub-block's rules, and a copied rule can still name
;; a type the inheriting block never declared (b3a.t3a in b3c), so the
;; effective access granted must be read from the resolved rules, not
;; from the inheriting block alone.
(type t6)
(block b6
    (blockabstract b6)
    (allow t6 self (CLASS (PERM1)))
    (block b
        (blockabstract b)
        (allow t6 self (CLASS (PERM)))
    )
)
(blockinherit b6.b)

;;
;; Expected:
;;
;; Types:
;; b1.ta, b1a.b1.tb, b1b.b1.tb, b1b.ta
;; b2.ta, b2a.b2.tb, b2b.b2.tb, b2b.ta
;; b3a.b.t, b3a.t3a, b3b.b.t, b3b.t3a, b3c.t, b3d.b.t, b3d.t3a, b3e.t, b3e.t3a
;; t4
;; t5
;; t6
;;
;; Allow rules:
;; allow b3a.t3a b3a.b.t : CLASS { PERM };
;; allow b3a.t3a b3c.t : CLASS { PERM };
;; allow b3b.t3a b3b.b.t : CLASS { PERM };
;; allow b3d.t3a b3d.b.t : CLASS { PERM };
;; allow b3e.t3a b3e.t : CLASS { PERM };
;; allow t5 t5 : CLASS { PERM };
;; allow t6 t6 : CLASS { PERM };