diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -891,7 +891,7 @@
 goto einval;
 }

- from_id = strsep_noblanks(&rule, ":");
+ from_id = strsep_noblanks(&rule, ":>");
 if (is_null_or_empty(from_id)) {
 make_parse_error(parse_error, 0, "No ID specified.");
 goto einval;
@@ -991,8 +991,9 @@
 * to point to a 'struct parse_error' giving an error message for the problem,
 * else '*parse_error' is set to NULL.
 *
- * Expected format: A semi-colon-separated list of rules of the form
- * ":". The part is of the form "=" where
+ * Expected format: A >-colon-separated list of rules of the form
+ * ">" (for backwards compatibility, a semi-colon ":" is accepted
+ * in place of '>'). The part is of the form "=" where
 * is "uid" or "gid", an UID or GID (depending on ) and is
 * "*", "any" or a comma-separated list of '=' clauses (see the
 * comment for parse_single_rule() for more details). For convenience, empty
@@ -1002,8 +1003,8 @@
 * allowed between '' and '').
 *
 * Examples:
- * - "uid=1001:uid=1010,gid=1010;uid=1002:any"
- * - "gid=1010:gid=1011,gid=1012,gid=1013"
+ * - "uid=1001>uid=1010,gid=1010;uid=1002>any"
+ * - "gid=1010>gid=1011,gid=1012,gid=1013"
 */
 static int
 parse_rules(const char *const string, struct rules **const rulesp,
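Review bot: The delimiter argument `":>"` in the `strsep_noblanks()` call is a character set, so the from-part is now cut at whichever of ':' or '>' comes first, and nothing records which one matched. A rule string that contains both separators is therefore only rejected if the to-part parsing refuses the leftover character, and that code lies outside this hunk. Since these rules appear to define which uid/gid a credential may change to, I would state the accepted grammar at the call site, e.g. `/* '>' separates <from> and <to>; ':' is still accepted for backwards compatibility. */`. A parser test covering '>' alone, ':' alone and a string with both would pin the behaviour. The enclosing function starts and ends outside the hunk.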
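Review bot: The rewritten "Expected format" sentence names the wrong separators. "A >-colon-separated list of rules" reads like a search-and-replace slip, because the examples in the same comment still separate rules with ';'. The parenthesis "a semi-colon ":"" also calls the colon a semi-colon. I would keep `A semi-colon-separated list of rules of the form` for the list and write `(for backwards compatibility, a colon ":" is accepted` for the legacy from/to separator. This comment is the grammar reference for the rule string, so it should match what the parser accepts; the comment block starts before the hunk and continues after it.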