a59b4d606f
Apparmor profiles were limiting queens deployments of neutron-gateway when aa-profile-mode was set to enforce. It led to failed instance deployments due to neutron agents failing to execute their necessary functions. This change updates the profiles to be Queens ready. Closes-Bug: #1761536 Change-Id: I2e08a2de9e4ae8139ab8e4be131631883652d029
53 lines
1.2 KiB
Plaintext
53 lines
1.2 KiB
Plaintext
# Last Modified: Fri Apr 1 16:26:34 2016
|
|
# Mode: {{aa_profile_mode}}
|
|
#include <tunables/global>
|
|
|
|
/usr/bin/nova-metadata-api {
|
|
#include <abstractions/base>
|
|
#include <abstractions/python>
|
|
#include <abstractions/nameservice>
|
|
#include <abstractions/bash>
|
|
|
|
/usr/bin/nova-metadata-api r,
|
|
|
|
/sbin/ldconfig* rix,
|
|
|
|
/{,usr/}bin/ r,
|
|
/{,usr/}bin/** rix,
|
|
|
|
/etc/nova/** r,
|
|
/var/lib/nova/** rwk,
|
|
/var/log/nova/** rwk,
|
|
/{,var/}run/nova/** rwk,
|
|
/{,var/}run/lock/nova/** rwk,
|
|
|
|
# Allow unconfined sudo to support oslo.rootwrap
|
|
# profile makes no attempt to restrict this as this
|
|
# is limited by the appropriate rootwrap configuration.
|
|
/usr/bin/sudo Ux,
|
|
|
|
# Allow ip to run unrestricted for unpriviledged commands
|
|
/{,s}bin/ip Ux,
|
|
|
|
/tmp/* rw,
|
|
/tmp/** rw,
|
|
/var/tmp/* a,
|
|
|
|
# Required for parsing of managed process cmdline arguments
|
|
/proc/*/cmdline r,
|
|
|
|
# Required for assessment of current state of networking
|
|
/proc/sys/net/** r,
|
|
|
|
{% if ubuntu_release <= '12.04' %}
|
|
/proc/*/mounts r,
|
|
/proc/*/status r,
|
|
/proc/*/ns/net r,
|
|
{% else %}
|
|
owner @{PROC}/@{pid}/mounts r,
|
|
owner @{PROC}/@{pid}/status r,
|
|
owner @{PROC}/@{pid}/stat r,
|
|
owner @{PROC}/@{pid}/ns/net r,
|
|
{% endif %}
|
|
}
|