6e3e557a0a
Ensure that profiles are correctly applied in network namespace using profile flag. Allow lbaasv2 agent binary to read /proc/*/stat to support monitoring of haproxy instances. Change-Id: Ifc3388e894db998bfad8e5998a02120222d9e3ae Closes-Bug: 1770040
59 lines
1.4 KiB
Plaintext
59 lines
1.4 KiB
Plaintext
# Last Modified: Fri Apr 1 16:26:34 2016
|
|
# Mode: {{aa_profile_mode}}
|
|
#include <tunables/global>
|
|
|
|
/usr/bin/neutron-lbaasv2-agent flags=(attach_disconnected) {
|
|
#include <abstractions/base>
|
|
#include <abstractions/python>
|
|
#include <abstractions/nameservice>
|
|
#include <abstractions/bash>
|
|
|
|
/usr/bin/neutron-lbaas-agent r,
|
|
|
|
/sbin/ldconfig* rix,
|
|
|
|
/bin/ r,
|
|
/bin/** rix,
|
|
/usr/bin/ r,
|
|
/usr/bin/** rix,
|
|
|
|
/etc/neutron/** r,
|
|
/etc/magic r,
|
|
/etc/mime.types r,
|
|
/var/lib/neutron/** rwk,
|
|
/var/log/neutron/** rwk,
|
|
/{,var/}run/neutron/** rwk,
|
|
/{,var/}run/lock/neutron/** rwk,
|
|
|
|
/usr/share/file/magic.mgc r,
|
|
/usr/share/file/magic/ r,
|
|
|
|
# Allow unconfined sudo to support oslo.rootwrap
|
|
# profile makes no attempt to restrict this as this
|
|
# is limited by the appropriate rootwrap configuration.
|
|
/usr/bin/sudo Ux,
|
|
|
|
# Allow ip to run unrestricted for unpriviledged commands
|
|
/{,s}bin/ip Ux,
|
|
|
|
/tmp/* rw,
|
|
/tmp/** rw,
|
|
/var/tmp/* a,
|
|
|
|
# Required for parsing of managed process cmdline arguments
|
|
/proc/*/cmdline r,
|
|
|
|
# Required for assessment of current state of networking
|
|
/proc/sys/net/** r,
|
|
|
|
/proc/version r,
|
|
|
|
owner @{PROC}/@{pid}/mounts r,
|
|
owner @{PROC}/@{pid}/status r,
|
|
owner @{PROC}/@{pid}/stat r,
|
|
owner @{PROC}/@{pid}/ns/net r,
|
|
# Allow subprocess stat for management of haproxy instances
|
|
# which are owned by 'nobody'
|
|
@{PROC}/*/stat r,
|
|
}
|