Diffstat (limited to 'ipaaction')
-rw-r--r--ipaaction/ipaaction.rng28
-rw-r--r--ipaaction/ipaaction_example_policy.xml3
2 files changed, 26 insertions, 5 deletions
diff --git a/ipaaction/ipaaction.rng b/ipaaction/ipaaction.rng
index 983786b..8500275 100644
--- a/ipaaction/ipaaction.rng
+++ b/ipaaction/ipaaction.rng
@@ -3,6 +3,7 @@
xmlns="http://relaxng.org/ns/structure/1.0"
datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"
xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0"
+xmlns:s="http://purl.oclc.org/dsdl/schematron"
xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
<a:documentation>IPA Actions</a:documentation>
@@ -26,6 +27,23 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
<ref name="policy_metadata"/>
<element name="ipaaction">
+ <s:pattern name="Only allow one file and one run element">
+ <s:rule context="ipaaction">
+ <s:assert test="count(file)&lt;=1">
+ too many files
+ </s:assert>
+ <s:assert test="count(run)&lt;=1">
+ too many runs
+ </s:assert>
+ </s:rule>
+ </s:pattern>
+ <optional>
+ <element name="condition">
+ <data type="string">
+ <param name="pattern">/.*</param>
+ </data>
+ </element>
+ </optional>
<oneOrMore>
<choice>
<element name="file">
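Review bot: The `<s:pattern>` asserts at the top of this hunk only take effect if the validation pipeline actually extracts and runs the embedded Schematron; a plain RELAX NG validator ignores foreign-namespace elements, so on its own the grammar still accepts any number of `file` and `run` children through `<oneOrMore><choice>`. If at-most-one of each is the intended contract, it is safer to express it in the grammar itself (move the `file` and `run` elements into `<define>`s and combine them with `<choice>`/`<interleave>` plus `<optional>`), or at least state in the `<a:documentation>` that the Schematron step is mandatory. Separately, `context="ipaaction"` and `count(file)` are unprefixed XPath steps and only match elements in no namespace; if policy documents carry a namespace (the `pa` prefix suggests one may be in use) the rule never fires and the limit is silently unenforced, so a test policy with two `<file>` elements should be added to confirm it rejects. The enclosing `<element name="ipaaction">` content model continues past this hunk.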
@@ -57,11 +75,11 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
</element>
</optional>
<optional>
- <element name="condition">
- <data type="string">
- <param name="pattern">/.*</param>
- </data>
- </element>
+ <oneOrMore>
+ <element name="acl">
+ <text/>
+ </element>
+ </oneOrMore>
</optional>
</element> <!-- file -->
<element name="run">
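Review bot: `<acl><text/></acl>` accepts any string, including an empty one, so a malformed or empty entry passes schema validation and whatever applies the ACLs has to do its own parsing and rejection. Since the example policy uses POSIX ACL entries (`user:dummy:rw-`), a pattern restriction would catch bad entries at validation time, e.g. replacing `<text/>` with `<data type="string"><param name="pattern">(default:)?(user|group|other|mask):[^:]*:[rwx-]{3}</param></data>` (adjust if the consumer also accepts the `u:`/`g:` short forms). Also `<optional><oneOrMore>` is equivalent to `<zeroOrMore>`, which reads more clearly. The `file` element this hunk edits begins before the hunk.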
diff --git a/ipaaction/ipaaction_example_policy.xml b/ipaaction/ipaaction_example_policy.xml
index 7198992..e545703 100644
--- a/ipaaction/ipaaction_example_policy.xml
+++ b/ipaaction/ipaaction_example_policy.xml
@@ -16,6 +16,9 @@
<owner>nobody</owner>
<group>nogroup</group>
<access>0444</access>
+ <selinux_context>unconfined_u:object_r:user_home_t:s0</selinux_context>
+ <acl>user:dummy:rw-</acl>
+ <acl>user:admin:rw-</acl>
</file>
<run>
<command>/bin/rm /tmp/something.txt</command>
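Review bot: The added `user:dummy:rw-` and `user:admin:rw-` entries grant write access on a file whose `<access>` is `0444`; with POSIX ACLs the group bits serve as the mask, so either the entries are clipped to `r--` (mask left at `0444`) or the effective mode is widened beyond what `access` declares (if the tool recalculates the mask, as `setfacl` does by default). Which happens depends on how the action runner applies `access` and `acl`, which this hunk does not show, but an example that quietly widens a read-only file is the kind of thing that gets copied into real policies, so either use read-only entries (`user:dummy:r--`) or state the intended precedence. A short comment next to the entries, such as `<!-- POSIX ACL entries, short form: [default:]type:name:perms; applied after <access> -->`, would help policy authors, with the "applied after" part confirmed against the runner.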