namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"

signed-policy =
  element signed-policy {
    signed-policy.attlist,
    ((Signature, (policy-set | policy)+)
     | ((policy-set | policy)+, Signature, (policy-set | policy)*))
  }
signed-policy.attlist &= empty

policy-set =
  element policy-set {
    policy-set.attlist, target?, (policy-set | policy)*
  }
policy-set.attlist &=
  [ a:defaultValue = "deny-overrides" ]
  attribute combine {
    "deny-overrides" | "permit-overrides" | "first-matching-target"
  }?,
  attribute id { text }?

policy = element policy { policy.attlist, target?, rule* }
policy.attlist &=
  [ a:defaultValue = "deny-overrides" ]
  attribute combine {
    "deny-overrides" | "permit-overrides" | "first-applicable"
  }?,
  attribute description { text }?,
  attribute id { text }?

rule = element rule { rule.attlist, condition? }
rule.attlist &=
  [ a:defaultValue = "permit" ]
  attribute effect {
    "permit"
    | "prompt-blanket"
    | "prompt-session"
    | "prompt-oneshot"
    | "deny"
  }?

target = element target { target.attlist, subject+ }
target.attlist &= empty

subject = element subject { subject.attlist, subject-match+ }
subject.attlist &= empty

condition =
  element condition {
    condition.attlist,
    (condition | subject-match | resource-match | environment-match)+
  }
condition.attlist &=
  [ a:defaultValue = "and" ] attribute combine { "and" | "or" }?

match-attrs =
  attribute attr { text },
  attribute match { text }?,
  [ a:defaultValue = "glob" ]
  attribute func { "equal" | "glob" | "regexp" }?

subject-match = element subject-match { subject-match.attlist, text }
subject-match.attlist &= match-attrs

match-model = (text | subject-attr | resource-attr | environment-attr)*

resource-match =
  element resource-match { resource-match.attlist, match-model }
resource-match.attlist &= match-attrs

environment-match =
  element environment-match { environment-match.attlist, match-model }
environment-match.attlist &= match-attrs

attr-attrs = attribute attr { text }
subject-attr = element subject-attr { subject-attr.attlist, empty }
subject-attr.attlist &= attr-attrs
resource-attr = element resource-attr { resource-attr.attlist, empty }
resource-attr.attlist &= attr-attrs
environment-attr =
  element environment-attr { environment-attr.attlist, empty }
environment-attr.attlist &= attr-attrs

# Reference the XML Signatures DTD. We do not enforce the restriction
# that <Reference> must not contain a <Transforms> element.
include "xmldsig-core-schema.rnc"

start = signed-policy
start |= policy-set
start |= policy