author | Sumit Bose <sbose@nb.localdomain> | 2008-11-04 20:29:31 +0100 |
---|---|---|
committer | Sumit Bose <sbose@nb.localdomain> | 2008-11-04 20:29:31 +0100 |
commit | 902dbd52745dfba1210fd8acb0e89088bdc7d91f (patch) | |
tree | 37bc78fd3985708b1b7473eab39d5d2a947358df /policy_metadata/xsl_metadata.rng | |
parent | cdcea0736bee3294e14dcf0f88321c6400948c5d (diff) | |
finished xsl metadata validation
Diffstat (limited to 'policy_metadata/xsl_metadata.rng')
-rw-r--r-- | policy_metadata/xsl_metadata.rng | 97 |
1 files changed, 69 insertions, 28 deletions
diff --git a/policy_metadata/xsl_metadata.rng b/policy_metadata/xsl_metadata.rng index b5445ca..0116d81 100644 --- a/policy_metadata/xsl_metadata.rng +++ b/policy_metadata/xsl_metadata.rng @@ -26,13 +26,22 @@ xmlns:md="http://freeipa.org/xsl/metadata/1.0" xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> + <a:doc>md:output_handler should be the first element after xsl:stylesheet. The + content of the stylesheet can be validated separately.</a:doc> <start ns="http://freeipa.org/xsl/metadata/1.0"> + <element> + <anyName/> + <ref name="output_handler"/> + <ref name="any"/> + </element> + </start> - <a:doc>With the md:output_handler element it is possible to define how the - policy data is processed after the XSLT transformation is applied. The idea - is that a driver program or script can access this metadata information with - a suitable XPath and can handle the output of the transformation - accordingly.</a:doc> + <a:doc>With the md:output_handler element it is possible to define how the + policy data is processed after the XSLT transformation is applied. The idea + is that a driver program or script can access this metadata information with + a suitable XPath and can handle the output of the transformation + accordingly.</a:doc> + <define name="output_handler"> <element name="md:output_handler"> <oneOrMore> <choice> @@ -67,22 +76,11 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> <ref name="selector"/> </element> - <a:doc>The following is a dummy element to catch all elements from - different namespaces, e.g. comments and documentation</a:doc> - <element> - <anyName> - <except> - <nsName/> - <nsName ns=""/> - </except> - </anyName> - <text/> - </element> - </choice> </oneOrMore> </element> - </start> + </define> + <a:doc>It is possible to generate more than one type of output for more than one output handler. To switch between different types of output a parameter 
@@ -100,26 +98,38 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> </optional> </define> - <a:doc></a:doc> + <a:doc>It is important that a file is created with the right access + permissions to avoid either security or usability troubles.</a:doc> <define name="file_properties"> + <a:doc>md:name, the full name of the file, is the only required + attribute.</a:doc> <attribute name="md:name"> - <text/> + <data type="string"> + <param name="pattern">/.*</param> + </data> </attribute> + <a:doc>The standard unix access control to a file is determined by its + owner, its group and the access permissions. If this attributes are missing + a sensible default should be assumes. For example owner root, group root and + 0400 permissions. You have to define either all three or none of the + attributes.</a:doc> <optional> <attribute name="md:owner"> <text/> </attribute> - </optional> - <optional> <attribute name="md:group"> <text/> </attribute> - </optional> - <optional> + <a:doc>The permission must be specified in octal mode.</a:doc> <attribute name="md:permission"> - <text/> + <data type="string"> + <param name="pattern">[0-7]{4}</param> + </data> </attribute> </optional> + <a:doc>If the client system supports SELinux you can specify the SELinux + context for the file, otherwise a sensible default will be used + (restorecon).</a:doc> <optional> <attribute name="md:selinux_context"> <text/> 
@@ -127,16 +137,47 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> </optional> </define> - <a:doc></a:doc> + <a:doc>To execute a process we need the full path of the file to execute, + optional some arguments and the user and group context under which the procrss + should run. If md:user and md:group are missing, the least privileges, e.g. + nobody/nogroup should be assumed.</a:doc> <define name="exec_properties"> <attribute name="md:command"> - </text> + <data type="string"> + <param name="pattern">/.*</param> + </data> </attribute> <optional> <attribute name="md:arguments"> - </text> + <text/> + </attribute> + </optional> + <optional> + <attribute name="md:user"> + <text/> + </attribute> + <attribute name="md:group"> + <text/> </attribute> </optional> </define> + <a:doc>The following is a dummy element to catch all elements from + different namespaces, e.g. comments and documentation</a:doc> + <define name="any"> + <zeroOrMore> + <choice> + <attribute> + <anyName/> + </attribute> + <text/> + <element> + <anyName/> + <ref name="any"/> + </element> + </choice> + </zeroOrMore> + </define> + + </grammar> |
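Review bot: the new start pattern in the @@ -26,13 +26,22 @@ hunk names its root element with <anyName/>, so a document with any root element validates, while the added a:doc says md:output_handler should be the first element after xsl:stylesheet. Restricting the root's name class to stylesheet (and its synonym transform) in the XSLT namespace http://www.w3.org/1999/XSL/Transform would make the schema enforce what the documentation states, so a driver that trusts a validated file knows it is looking at a stylesheet.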
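Review bot: the md:permission pattern [0-7]{4} in the @@ -100,26 +98,38 @@ hunk accepts every four-digit octal mode, including setuid/setgid values such as 4755 and world-writable ones such as 0666, which works against the a:doc's stated aim of avoiding security troubles. Consider constraining the first digit (for example 0[0-7]{3}) unless the special bits are really needed, or state in the a:doc that the driver must reject them. The md:name pattern /.* only checks for a leading slash, so a value containing .. segments still validates; the driver should canonicalise the path before writing. Both patterns also depend on the XSD datatype library being selected by a datatypeLibrary attribute on an enclosing element, which is not visible in these hunks; the built-in RELAX NG string type takes no param. Wording in the new a:doc: "If this attributes" and "should be assumes".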
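Review bot: the any define added at the end of the @@ -127,16 +137,47 @@ hunk uses <anyName/> with no <except>, unlike the catch-all removed earlier in this patch, which excluded the schema's own namespace, so an md: element anywhere after the first child (a second or malformed md:output_handler, say) validates without its content being checked. Adding an <except> with <nsName ns="http://freeipa.org/xsl/metadata/1.0"/> to the element name class in any would close that gap. In exec_properties, md:arguments is a single free-text string, so the a:doc should say how the driver splits it and that the command is executed directly rather than through a shell; the md:command pattern /.* only checks for a leading slash. Wording in the new a:doc: "procrss" and "optional some arguments".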