-rw-r--r--  policy_metadata/xsl_md.xsl        36
-rw-r--r--  policy_metadata/xsl_metadata.rng  97
-rw-r--r--  sudoers/sudoers.xsl                2
3 files changed, 70 insertions, 65 deletions
diff --git a/policy_metadata/xsl_md.xsl b/policy_metadata/xsl_md.xsl deleted file mode 100644 index 8178615..0000000 --- a/policy_metadata/xsl_md.xsl +++ /dev/null @@ -1,36 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- -Author: Sumit Bose <sbose@redhat.com> - -Copyright (C) 2008 Red Hat -see file 'COPYING' for use and warranty information - -This program is free software; you can redistribute it and/or modify it under -the terms of the GNU Lesser General Public License as published by the Free -Software Foundation; version 2 only - -This program is distributed in the hope that it will be useful, but WITHOUT -ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more -details. - -You should have received a copy of the GNU Lesser General Public License -along with this program; see the file COPYING.LGPL. If not, write to the -Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, -MA 02111-1307, USA. ---> -<xsl:stylesheet version="1.0" - xmlns:xsl="http://www.w3.org/1999/XSL/Transform" - xmlns:md="http://freeipa.org/xsl/metadata/1.0"> - - <xsl:output method="xml" indent="yes"/> - <xsl:strip-space elements="*"/> - - <xsl:template match="md:output_handler"> - <xsl:copy-of select="."/> - </xsl:template> - <xsl:template match="text()"> - </xsl:template> - - -</xsl:stylesheet> diff --git a/policy_metadata/xsl_metadata.rng b/policy_metadata/xsl_metadata.rng index b5445ca..0116d81 100644 --- a/policy_metadata/xsl_metadata.rng +++ b/policy_metadata/xsl_metadata.rng 
@@ -26,13 +26,22 @@ xmlns:md="http://freeipa.org/xsl/metadata/1.0" xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> + <a:doc>md:output_handler should be the first element after xsl:stylesheet. The + content of the stylesheet can be validated separately.</a:doc> <start ns="http://freeipa.org/xsl/metadata/1.0"> + <element> + <anyName/> + <ref name="output_handler"/> + <ref name="any"/> + </element> + </start> - <a:doc>With the md:output_handler element it is possible to define how the - policy data is processed after the XSLT transformation is applied. The idea - is that a driver program or script can access this metadata information with - a suitable XPath and can handle the output of the transformation - accordingly.</a:doc> + <a:doc>With the md:output_handler element it is possible to define how the + policy data is processed after the XSLT transformation is applied. The idea + is that a driver program or script can access this metadata information with + a suitable XPath and can handle the output of the transformation + accordingly.</a:doc> + <define name="output_handler"> <element name="md:output_handler"> <oneOrMore> <choice> @@ -67,22 +76,11 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> <ref name="selector"/> </element> - <a:doc>The following is a dummy element to catch all elements from - different namespaces, e.g. comments and documentation</a:doc> - <element> - <anyName> - <except> - <nsName/> - <nsName ns=""/> - </except> - </anyName> - <text/> - </element> - </choice> </oneOrMore> </element> - </start> + </define> + <a:doc>It is possible to generate more than one type of output for more than one output handler. To switch between different types of output a parameter 
@@ -100,26 +98,38 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> </optional> </define> - <a:doc></a:doc> + <a:doc>It is important that a file is created with the right access + permissions to avoid either security or usability troubles.</a:doc> <define name="file_properties"> + <a:doc>md:name, the full name of the file, is the only required + attribute.</a:doc> <attribute name="md:name"> - <text/> + <data type="string"> + <param name="pattern">/.*</param> + </data> </attribute> + <a:doc>The standard unix access control to a file is determined by its + owner, its group and the access permissions. If this attributes are missing + a sensible default should be assumes. For example owner root, group root and + 0400 permissions. You have to define either all three or none of the + attributes.</a:doc> <optional> <attribute name="md:owner"> <text/> </attribute> - </optional> - <optional> <attribute name="md:group"> <text/> </attribute> - </optional> - <optional> + <a:doc>The permission must be specified in octal mode.</a:doc> <attribute name="md:permission"> - <text/> + <data type="string"> + <param name="pattern">[0-7]{4}</param> + </data> </attribute> </optional> + <a:doc>If the client system supports SELinux you can specify the SELinux + context for the file, otherwise a sensible default will be used + (restorecon).</a:doc> <optional> <attribute name="md:selinux_context"> <text/> 
@@ -127,16 +137,47 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> </optional> </define> - <a:doc></a:doc> + <a:doc>To execute a process we need the full path of the file to execute, + optional some arguments and the user and group context under which the procrss + should run. If md:user and md:group are missing, the least privileges, e.g. + nobody/nogroup should be assumed.</a:doc> <define name="exec_properties"> <attribute name="md:command"> - </text> + <data type="string"> + <param name="pattern">/.*</param> + </data> </attribute> <optional> <attribute name="md:arguments"> - </text> + <text/> + </attribute> + </optional> + <optional> + <attribute name="md:user"> + <text/> + </attribute> + <attribute name="md:group"> + <text/> </attribute> </optional> </define> + <a:doc>The following is a dummy element to catch all elements from + different namespaces, e.g. comments and documentation</a:doc> + <define name="any"> + <zeroOrMore> + <choice> + <attribute> + <anyName/> + </attribute> + <text/> + <element> + <anyName/> + <ref name="any"/> + </element> + </choice> + </zeroOrMore> + </define> + + </grammar> diff --git a/sudoers/sudoers.xsl b/sudoers/sudoers.xsl index 577ccf8..70e4cc4 100644 --- a/sudoers/sudoers.xsl +++ b/sudoers/sudoers.xsl @@ -27,7 +27,7 @@ MA 02111-1307, USA. xmlns:sudoers="http://freeipa.org/xml/rng/sudo/1.0"> <md:output_handler> - <md:file md:name="/etc/sudoers" md:owner="root" md:group="root" md:permission="440"/> + <md:file md:name="/etc/sudoers" md:owner="root" md:group="root" md:permission="0440"/> </md:output_handler> <xsl:output method="text" indent="no"/> |
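Review bot: the deletion of policy_metadata/xsl_md.xsl removes the only stylesheet in the tree that extracts md:output_handler from a policy stylesheet, and nothing in the patch says what replaces it; the a:doc added to xsl_metadata.rng ("md:output_handler should be the first element after xsl:stylesheet. The content of the stylesheet can be validated separately.") suggests driver scripts are now expected to locate the element with an XPath directly. State that explicitly in the a:doc or the commit message, and check that no script in the repository still references xsl_md.xsl.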
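Review bot: the new start pattern `<element><anyName/>` accepts any root element, while the a:doc right above it requires md:output_handler to sit directly under xsl:stylesheet; `<element><nsName ns="http://www.w3.org/1999/XSL/Transform"/>` in place of `<anyName/>` would let the schema enforce the documented root. Because `<ref name="any"/>` follows `<ref name="output_handler"/>` and `any` matches elements of every namespace, a second md:output_handler later in the stylesheet also validates; if one handler per stylesheet is intended, exclude the md: namespace in `any`. The whitespace-only rewrap of the existing a:doc ("With the md:output_handler element it is possible to define how the ...") in this hunk adds review noise to a functional change; keep reindentation in a separate commit.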
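Review bot: the catch-all element removed from the `<choice>` inside md:output_handler (the `<element><anyName><except>` block) has no replacement there, so a documentation element placed inside md:output_handler now fails validation even though the same content is accepted everywhere else through the new `any` pattern. If that tightening is intended, say so in the a:doc for output_handler; otherwise add `<ref name="any"/>` to the choice.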
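Review bot: `<param name="pattern">` is only valid when `<data type="string">` resolves to the XML Schema datatype library; the `<grammar>` start tag carrying the datatypeLibrary attribute is outside this hunk, so confirm it declares datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes" (or set it on these `<data>` elements), since validators reject a pattern param on the built-in `string` type. The `[0-7]{4}` pattern for md:permission removes the ambiguity that made the sudoers.xsl change necessary, but the `/.*` pattern for md:name still accepts `/` alone, paths with `..` segments and trailing slashes; given the a:doc above it ("to avoid either security or usability troubles"), a pattern such as `(/[^/]*[^/.])+` would reject those forms at the cost of names ending in a dot. md:owner and md:group as bare `<text/>` also admit an empty string. Wording: "If this attributes are missing a sensible default should be assumes" should read "If these attributes are missing, a sensible default should be assumed".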
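Review bot: the two `</text>` lines removed from exec_properties were unmatched closing tags, so this hunk also repairs a well-formedness error that would have broken the whole schema; that deserves a mention in the commit message. md:arguments is a single text value and the a:doc does not say how a driver is expected to split it into an argv (whitespace split versus handing it to a shell); specify this, because a shell-based driver interprets metacharacters in the argument string and the least-privilege intent of the nobody/nogroup default depends on it. The new `any` pattern matches elements of every namespace, including md:, so an md:file misplaced outside md:output_handler validates silently; restore the exclusion the removed catch-all had, i.e. `<anyName><except><nsName ns="http://freeipa.org/xsl/metadata/1.0"/></except></anyName>`. Typos in the a:doc: "optional some arguments" should be "optionally some arguments" and "procrss" should be "process".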
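Review bot: `md:permission="0440"` is the only value in the tree updated for the new `[0-7]{4}` pattern; any other policy stylesheet that still writes a three-digit mode, as this one did with `440`, will now fail validation, so check the remaining stylesheets before merging. The value itself is right: 0440 owned by root:root is the mode sudo requires for /etc/sudoers.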