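# Last Modified: Thu Mar 3 11:41:53 2022
# Mode: {{aa_profile_mode}}
#include <tunables/global>

# AppArmor profile for nova-compute. This file is a Jinja template: the
# {{ }} / {% %} markers (aa_profile_mode, virt_type, ubuntu_release) are
# substituted before the profile is loaded, so it is not loadable as-is.
# @{PROC} and @{pid} come from tunables/global.
/usr/bin/nova-compute {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
#include <abstractions/python>
#include <abstractions/wutmp>

# Capabilities. sys_admin and sys_module are the broadest entries here; combined
# with the inherit-execute (ix) rules on /bin/* and /usr/bin/* further down, the
# effective confinement rests mostly on the file rules rather than on the
# capability set. NOTE(review): a narrower set would need to be derived from
# audit logs of a real deployment before tightening.
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability net_admin,
capability net_raw,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_resource,
capability sys_module,

network inet raw,
network inet stream,
network unix stream,
network netlink dgram,

# A single '*' does not cross '/', so this only denies writes to files located
# directly under the root directory; it does not block writes in subdirectories.
deny /* w,

# ix: executed programs inherit this profile, so every rule in this file also
# governs any child started from /bin or /usr/bin.
/bin/* rix,
/dev/ r,
/dev/disk/** r,
/dev/disk/by-id/* r,
/dev/mapper/control wr,
/dev/nbd* rw,
/dev/tty rw,
/dev/pts/* r,
/dev/sd* r,
/etc/default/locale r,
/etc/environment r,
/etc/iscsi/** rw,
/etc/machine-id r,
/etc/mime.types r,
/etc/modprobe.d/ r,
/etc/modprobe.d/** r,
/etc/mtab rw,
/etc/multipath.conf r,
/etc/multipath/bindings wrk,
/etc/multipath/wwids wrk,
/etc/nova/** r,
/etc/qemu/firmware/{,**} r,
/etc/ssh/ssh_config r,
/etc/ssh/ssh_config.d/ r,
/etc/ssh/ssh_config.d/* r,
/etc/ssl/openssl.cnf r,
# sudo configuration is read-only here; presumably needed because the privsep
# helper (see privsep-helper.log below) is started through sudo — confirm.
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/etc/udev/udev.conf r,
/proc/*/cmdline r,
/proc/cmdline r,
/proc/devices r,
/proc/sys/fs/nr_open r,
/proc/sys/kernel/osrelease r,
# Write access to the IPv6 sysctls of every interface.
/proc/sys/net/ipv6/conf/** w,
# NOTE(review): not qualified with 'owner', so thread names of any process can
# be written; the owner-qualified @{PROC}/@{pid} rules near the end of this
# profile show the tighter form.
/proc/*/task/*/comm wr,
/proc/*/fd/ r,
/proc/*/limits r,
/proc/*/net/ip_tables_names r,
/proc/*/net/psched r,
/proc/*/stat r,
/proc/@{pid}/mountinfo r,
/proc/uptime r,
/proc/version r,
/proc/loadavg r,
/run/libvirt/libvirt-sock rw,
/run/lock/iscsi/ rw,
/run/lock/iscsi/** rwl,
/run/lock/nova/* wk,
/run/lock/qemu-nbd-nbd* w,
/run/openvswitch/db.sock rw,
/run/uuidd/request rw,
# Block-device, filesystem, iscsi and multipath tooling, all run under this
# profile (ix). The {usr/,} alternation covers merged and split /usr layouts.
/{usr/,}sbin/blockdev rix,
/{usr/,}sbin/brctl rix,
/{usr/,}sbin/iscsiadm rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}sbin/ldconfig.real rix,
/{usr/,}sbin/mkfs rix,
/{usr/,}sbin/mkfs.fat rix,
/{usr/,}sbin/mkfs.ext4 rix,
/{usr/,}sbin/mkfs.ext3 rix,
/{usr/,}sbin/mkfs.ext2 rix,
/{usr/,}sbin/mkfs.xfs rix,
/{usr/,}sbin/mkfs.ntfs rix,
/{usr/,}sbin/mke2fs rix,
/{usr/,}sbin/hdparm rix,
/{usr/,}sbin/xtables-multi rix,
/{usr/,}sbin/mkswap rix,
/{usr/,}sbin/multipath rix,
/{usr/,}sbin/multipathd rix,
/{usr/,}sbin/e2label rix,
/{usr/,}sbin/tune2fs rix,
/sys/block/ r,
/sys/bus/scsi/devices/ r,
/sys/class/fc_host/{,**} r,
/sys/class/iscsi_host/ r,
/sys/class/iscsi_session/ r,
/sys/class/iscsi_transport/ r,
/sys/class/net/ r,
/sys/class/scsi_host/ r,
/sys/devices/pci*/** r,
/sys/devices/pci/** r,
# rw on the PCI create/scan/delete control files lets the process re-enumerate
# and remove PCI devices from sysfs.
/sys/devices/pci*/**/create rw,
/sys/devices/pci*/**/scan rw,
/sys/devices/pci*/**/delete rw,
# NOTE(review): recursive write under /sys/devices/platform and
# /sys/devices/virtual/net is broad; the exact attributes written are not
# visible from this profile.
/sys/devices/platform/** rw,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/sys/devices/system/node/ r,
/sys/devices/system/node/** r,
/sys/devices/virtual/block/dm*/ r,
/sys/devices/virtual/block/dm*/** r,
/sys/devices/virtual/block/nbd*/ r,
/sys/devices/virtual/iscsi_transport/** r,
/sys/devices/virtual/net/** rw,
# Read-only check of the kvm_amd 'sev' module parameter.
/sys/module/kvm_amd/parameters/sev r,
/sys/module/scsi_transport_iscsi/** r,
/sys/module/libiscsi/** r,
/sys/module/libiscsi_tcp/** r,
/sys/module/iscsi_tcp/** r,
# rw without 'm': files under /tmp can be created and written but not mapped
# executable by this profile.
/tmp/{,**} rw,
# PUx: scsi_id runs under its own profile if one is loaded and unconfined
# otherwise; the uppercase mode scrubs the environment on exec.
/{usr/,}lib/udev/scsi_id PUx,
/usr/bin/ r,
# ix on every binary in /usr/bin; see the /bin/* rule above.
/usr/bin/* rix,
/usr/libexec/sudo/* rm,
# NOTE(review): pinned to gcc 4.8 on x86_64; this path will not match any other
# compiler version or architecture and is likely stale on current releases.
/usr/lib/gcc/x86_64-linux-gnu/4.8/collect2 rix,
# NOTE(review): 'mrw' on the entire library tree grants write as well as
# executable mapping, so a process running under this profile could modify a
# shared object it later maps. 'mr' with a narrow write carve-out would be the
# defensive form; the python .pyc/.so rule that follows is already subsumed by
# this one.
/usr/lib{,32,64}/** mrw,
/usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mrw,
/usr/share/qemu/firmware/{,**} r,
/var/lib/contrail/ports/* rw,
/var/lib/nova/ r,
/var/lib/nova/** rwk,
# Template branch: only rendered when virt_type is 'lxd'.
{% if virt_type == 'lxd' %}
/var/lib/lxd/unix.socket rw,
{% endif %}
/var/log/nova/nova-compute.log w,
/var/log/nova/privsep-helper.log w,
/var/run/libvirt/* rw,
/var/run/libvirt/libvirt-sock rw,
/var/run/openvswitch/db.sock rw,
/var/tmp/{,**} rw,
# Template branch: old releases get unqualified /proc rules; newer ones use
# 'owner' with @{PROC}/@{pid}, which restricts the match to entries owned by
# the process's own user. Note the comparison is a Jinja string comparison.
{% if ubuntu_release <= '12.04' %}
/proc/*/mounts r,
/proc/*/status r,
{% else %}
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/status r,
{% endif %}
# Later additions: ceph config, tun device, DMI and NVMe/blkid tooling.
/var/lib/charm/*/ceph.conf r,
/etc/ceph/* r,
/dev/net/tun rw,
/etc/magic r,
/sys/devices/virtual/dmi/** r,
/usr/sbin/dmidecode rix,
/usr/sbin/blkid rix,
/usr/sbin/nvme rix,
/etc/nvme/hostnqn r,
}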