Diffstat (limited to 'ipaaction')
-rw-r--r-- | ipaaction/ipaaction.rng | 28 | ||||
-rw-r--r-- | ipaaction/ipaaction_example_policy.xml | 3 |
2 files changed, 26 insertions, 5 deletions
diff --git a/ipaaction/ipaaction.rng b/ipaaction/ipaaction.rng
index 983786b..8500275 100644
--- a/ipaaction/ipaaction.rng
+++ b/ipaaction/ipaaction.rng
@@ -3,6 +3,7 @@
 xmlns="http://relaxng.org/ns/structure/1.0"
 datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"
 xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0"
+xmlns:s="http://purl.oclc.org/dsdl/schematron"
 xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
 <a:documentation>IPA Actions</a:documentation>
@@ -26,6 +27,23 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
 <ref name="policy_metadata"/>
 <element name="ipaaction">
+ <s:pattern name="Only allow one file and one run element">
+ <s:rule context="ipaaction">
+ <s:assert test="count(file)<=1">
+ too many files
+ </s:assert>
+ <s:assert test="count(run)<=1">
+ too many runs
+ </s:assert>
+ </s:rule>
+ </s:pattern>
+ <optional>
+ <element name="condition">
+ <data type="string">
+ <param name="pattern">/.*</param>
+ </data>
+ </element>
+ </optional>
 <oneOrMore>
 <choice>
 <element name="file">
@@ -57,11 +75,11 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
 </element>
 </optional>
 <optional>
- <element name="condition">
- <data type="string">
- <param name="pattern">/.*</param>
- </data>
- </element>
+ <oneOrMore>
+ <element name="acl">
+ <text/>
+ </element>
+ </oneOrMore>
 </optional>
 </element> <!-- file -->
 <element name="run">
diff --git a/ipaaction/ipaaction_example_policy.xml b/ipaaction/ipaaction_example_policy.xml
index 7198992..e545703 100644
--- a/ipaaction/ipaaction_example_policy.xml
+++ b/ipaaction/ipaaction_example_policy.xml
@@ -16,6 +16,9 @@
 <owner>nobody</owner>
 <group>nogroup</group>
 <access>0444</access>
+ <selinux_context>unconfined_u:object_r:user_home_t:s0</selinux_context>
+ <acl>user:dummy:rw-</acl>
+ <acl>user:admin:rw-</acl>
 </file>
 <run>
 <command>/bin/rm /tmp/something.txt</command>
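Review bot: Both new `s:assert` elements carry a literal `<` inside the `test` attribute (`test="count(file)<=1"`), which is not well-formed XML as rendered here; if the file really holds that character it should read `test="count(file)&lt;=1"` and `test="count(run)&lt;=1"` (disregard if the page merely unescaped an existing `&lt;`). Separately, the one-file/one-run limit only takes effect if the validation pipeline extracts and runs the embedded Schematron; a plain RELAX NG validator treats the `s:` elements as foreign-namespace annotations and will still accept a policy with several `file` or `run` elements, so the rule should be documented as depending on that step (the `xmlns:s` declaration in the first hunk exists only to serve it). The `context="ipaaction"` and `count(file)` expressions use unprefixed names, which presumably match only if policy documents are in no namespace — worth confirming against the instance format. The enclosing `element name="ipaaction"` definition continues outside the hunk.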
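Review bot: The new `acl` element accepts any `<text/>`, including an empty string, whereas the example policy uses entries of the form `user:dummy:rw-`; a lexical constraint like the one `condition` already has would reject malformed entries at validation time rather than when they are applied, e.g. `<data type="string"><param name="pattern">(user|group|mask|other):[^:]*:[rwx-]{3}</param></data>` (a constructed pattern — adjust to the entry forms actually accepted). As a point of style, `<optional><oneOrMore>…</oneOrMore></optional>` is equivalent to `<zeroOrMore>…</zeroOrMore>`, which states the cardinality directly. The `file` element definition starts outside the hunk.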
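Review bot: The example pairs `<access>0444</access>` with `user:dummy:rw-` and `user:admin:rw-` ACL entries, and for POSIX ACLs the effective rights of a named-user entry are bounded by the mask entry, which is tied to the group-class bits of the mode; depending on how the action applies mode and ACLs, the named users may end up with effective `r--` or the mode's group bits may be widened to `rw-`. A short comment stating the intended outcome, `<!-- named users get rw- only if the ACL mask permits it -->`, would keep the sample from implying a result it may not produce. Which of the two happens is not visible from this hunk and should be confirmed against the code that applies the policy.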