1;; Minimum stuff
2(class CLASS (PERM))
3(classorder (CLASS))
4(sid SID)
5(sidorder (SID))
6(user USER)
7(role ROLE)
8(type TYPE)
9(category CAT)
10(categoryorder (CAT))
11(sensitivity SENS)
12(sensitivityorder (SENS))
13(sensitivitycategory SENS (CAT))
14(allow TYPE self (CLASS (PERM)))
15(roletype ROLE TYPE)
16(userrole USER ROLE)
17(userlevel USER (SENS))
18(userrange USER ((SENS)(SENS (CAT))))
19(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
20;; Extra stuff
21(common COMMON (PERM1 PERM2 PERM3 PERM4))
22(classcommon CLASS COMMON)
23
24
25;; Tests 1 and 2 show that the order of inheritance matters
26;;
27(block b1
28  (type ta))
29
30(block b1a
31  (block b1
32    (type tb)))
33
34(block b1b
35  (blockinherit b1)   ;; Results in b1b.ta
36  (blockinherit b1a))
37
38
39(block b2
40  (type ta))
41
42(block b2a
43  (block b2
44    (type tb)))
45
46(block b2b
47  (blockinherit b2a)
48  (blockinherit b2))
49
50
51;; All of these work
52(block b3a
53  (type t3a)
54  (block b
55    (type t)
56    (allow t3a t (CLASS (PERM)))
57  )
58)
59
60(block b3b
61  (blockinherit b3a)
62)
63
64(block b3c
65  (blockinherit b3a.b)
66)
67
68(block b3d
69  (type t3a)
70  (blockinherit b3a)
71)
72
73(block b3e
74  (type t3a)
75  (blockinherit b3a.b)
76)
77
78
79;; Since block is abstract, allow rule will not be in policy
80(type t4)
81(block b4
82  (blockabstract b4)
83  (allow t4 self (CLASS (PERM)))
84)
85
86
87;; Inherting the abstract block causes the allow rule to be in the policy
88(type t5)
89(block b5
90  (blockabstract b5)
91  (allow t5 self (CLASS (PERM)))
92)
93(blockinherit b5)
94
95
96;; A sub-block can be inherited out of an abstract block
97(type t6)
98(block b6
99  (blockabstract b6)
100  (allow t6 self (CLASS (PERM1)))
101  (block b
102    (blockabstract b)
103    (allow t6 self (CLASS (PERM)))
104  )
105)
106(blockinherit b6.b)
107
108;;
109;; Expected:
110;;
111;; Types:
112;;   b1.ta, b1a.b1.tb, b1b.b1.tb, b1b.ta
113;;   b2.ta, b2a.b2.tb, b2b.b2.tb, b2b.ta
114;;   b3a.b.t, b3a.t3a, b3b.b.t, b3b.t3a, b3c.t, b3d.b.t, b3d.t3a, b3e.t, b3e.t3a
115;;   t4
116;;   t5
117;;   t6
118;;
119;; Allow rules:
120;;   allow b3a.t3a b3a.b.t : CLASS { PERM };
121;;   allow b3a.t3a b3c.t : CLASS { PERM };
122;;   allow b3b.t3a b3b.b.t : CLASS { PERM };
123;;   allow b3d.t3a b3d.b.t : CLASS { PERM };
124;;   allow b3e.t3a b3e.t : CLASS { PERM };
125;;   allow t5 t5 : CLASS { PERM };
126;;   allow t6 t6 : CLASS { PERM };