The include statement is very powerful. It enables a security policy file to embed another security policy file called a security policy subfile. When an include statement is encountered, the flow of control jumps to the included file. When the included file has completed execution, the flow of control returns to the statement immediately following the include statement in the original file. The following figure demonstrates this concept.
file-name must be either a string enclosed in quotation marks or a variable that contains a string. If a relative or absolute path is not specified, Privilege Management for Unix and Linux looks for the file in the default security policy file directory. If a relative path name is specified, it is treated as relative to the security policy file directory that is specified in the policydir setting in pb.settings.
where file-name can be a variable containing a string or a string constant enclosed in quotation marks.
include "/opt/pbul/policies/SupportStaffPolicies.conf";
include "/opt/pbul/policies/"+user+".conf";
Use stat() to verify the existence of a file before adding an include statement that calls the file. Security policy subfile specifications that contain a variable may not be checked by pbcheck when checking the including file.
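Because includes built from a variable may be skipped by pbcheck, a review step outside the product can list them for manual inspection and confirm that every string-constant include resolves to a real file. The following Python script is an added example, not part of Privilege Management for Unix and Linux; the regular expression is a simplified reading of the include syntax shown above, and HelpDeskPolicies.conf and the temporary policy directory are constructed sample data.

```python
import os
import re
import tempfile

# Simplified match for: include <expression>;
# Assumption: the expression contains no ';' and comments are not parsed.
INCLUDE_RE = re.compile(r'\binclude\s+([^;]+);')
# An expression that is exactly one quoted string constant.
STRING_ONLY_RE = re.compile(r'^"([^"]*)"$')


def audit_includes(policy_text, policydir):
    """Return (expression, status, resolved_path) for each include statement.

    status is "ok" or "missing" for string constants, and "dynamic" for
    expressions that contain a variable and therefore need manual review.
    """
    findings = []
    for match in INCLUDE_RE.finditer(policy_text):
        expr = match.group(1).strip()
        literal = STRING_ONLY_RE.match(expr)
        if not literal:
            findings.append((expr, "dynamic", None))
            continue
        path = literal.group(1)
        # Bare and relative names are resolved against the policy directory.
        if not os.path.isabs(path):
            path = os.path.join(policydir, path)
        status = "ok" if os.path.isfile(path) else "missing"
        findings.append((expr, status, path))
    return findings


def demo():
    """Run the audit over constructed sample policy text."""
    with tempfile.TemporaryDirectory() as policydir:
        open(os.path.join(policydir, "SupportStaffPolicies.conf"), "w").close()
        sample = (
            'include "SupportStaffPolicies.conf";\n'
            'include "HelpDeskPolicies.conf";\n'
            'include "/opt/pbul/policies/"+user+".conf";\n'
        )
        return [(e, s) for e, s, _ in audit_includes(sample, policydir)]


if __name__ == "__main__":
    for expr, status in demo():
        print(f"{status:8} {expr}")
```

Entries reported as dynamic are the ones to review by hand, since the file they load is only known when the policy runs.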