md:output_handler should be the first element after xsl:stylesheet. The
content of the stylesheet can be validated separately.
With the md:output_handler element it is possible to define how the
policy data is processed after the XSLT transformation is applied. The idea
is that a driver program or script can access this metadata information with
a suitable XPath and can handle the output of the transformation
accordingly.
md:file is the typical output handler for IPA config policies.
The driver program will create a file and write the output of the
transformation to this file, or merge it with the content of the local
file, depending on the information provided by the policy.
The md:exec_with_args handler will use a line of the output of the
transformation as a command line argument of a program.
The result of the XSLT transformation will be piped by the
driver to stdin of another program when using
md:exec_with_stdin_pipe.
Maybe we will have a separate output handler to write to the
client's ldb.
It is possible to generate more than one type of output for more than
one output handler. To switch between different types of output a parameter
with different values can be used. The driver program can access the name of
the parameter (md:param_name) and the value (md:param_value) of the current
output handler with suitable XPath statements.
It is important that a file is created with the right access
permissions to avoid either security or usability troubles.
md:name, the full name of the file, is the only required
attribute.
/.*
The standard Unix access control to a file is determined by its
owner, its group and the access permissions. If these attributes are missing,
a sensible default should be assumed, for example owner root, group root and
0400 permissions. You have to define either all three or none of the
attributes.
The permission must be specified in octal mode.
[0-7]{4}
If the client system supports SELinux you can specify the SELinux
context for the file, otherwise a sensible default will be used
(restorecon).
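How a driver could enforce the md:file rules above before writing anything, as an added example (not part of the schema or the project's own code). The attribute keys owner, group and permission are assumed names, since the page names only md:name, and SELinux labelling is left out.

```python
import os
import re
import tempfile

# Patterns as given in the schema text: full path and four-digit octal mode.
NAME_RE = re.compile(r"/.*")
PERM_RE = re.compile(r"[0-7]{4}")
# Defaults suggested by the schema text when owner/group/permission are absent.
DEFAULTS = {"owner": "root", "group": "root", "permission": "0400"}


def resolve_file_policy(attrs):
    """Validate md:file attributes; return (path, owner, group, mode).

    `attrs` is a dict of attribute values. The keys "owner", "group" and
    "permission" are assumed names; only "name" appears on the page.
    """
    name = attrs.get("name", "")
    if not NAME_RE.fullmatch(name):
        raise ValueError("name is required and must be a full path")
    given = [k for k in DEFAULTS if k in attrs]
    if given and len(given) != len(DEFAULTS):
        raise ValueError("define all of owner, group, permission or none")
    merged = {**DEFAULTS, **attrs}
    if not PERM_RE.fullmatch(merged["permission"]):
        raise ValueError("permission must be four octal digits")
    return name, merged["owner"], merged["group"], int(merged["permission"], 8)


def write_policy_file(path, data, mode, uid=None, gid=None):
    """Write `data` (bytes) so the target never exists with looser permissions."""
    # mkstemp creates the temporary file exclusively, with mode 0600.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(data)
            if uid is not None and gid is not None:
                os.fchown(out.fileno(), uid, gid)  # requires privileges
            os.fchmod(out.fileno(), mode)  # exact mode, independent of umask
        os.replace(tmp, path)  # atomic swap into place
    except BaseException:
        os.unlink(tmp)
        raise
```

Ownership is applied before the mode because changing the owner can clear permission bits; the caller resolves owner and group names to numeric ids.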
To execute a process we need the full path of the file to execute,
optionally some arguments, and the user and group context under which the
process should run. If md:user and md:group are missing, the least privileges,
e.g. nobody/nogroup, should be assumed.
/.*
The following is a dummy element to catch all elements from
different namespaces, e.g. comments and documentation