# Last Modified: Fri Apr  1 16:26:34 2016
# Mode: {{aa_profile_mode}}
#include <tunables/global>

/usr/bin/neutron-lbaasv2-agent flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/python>
  #include <abstractions/nameservice>
  #include <abstractions/bash>

  /usr/bin/neutron-lbaas-agent r,

  /sbin/ldconfig* rix,

  /bin/ r,
  /bin/** rix,
  /usr/bin/ r,
  /usr/bin/** rix,

  /etc/neutron/** r,
  /etc/magic r,
  /etc/mime.types r,
  /var/lib/neutron/** rwk,
  /var/log/neutron/** rwk,
  /{,var/}run/neutron/** rwk,
  /{,var/}run/lock/neutron/** rwk,

  /usr/share/file/magic.mgc r,
  /usr/share/file/magic/ r,

  # Allow unconfined sudo to support oslo.rootwrap
  # profile makes no attempt to restrict this as this
  # is limited by the appropriate rootwrap configuration.
  /usr/bin/sudo Ux,

  # Allow ip to run unrestricted for unpriviledged commands
  /{,s}bin/ip Ux,

  /tmp/* rw,
  /tmp/** rw,
  /var/tmp/* a,

  # Required for parsing of managed process cmdline arguments
  /proc/*/cmdline r,

  # Required for assessment of current state of networking
  /proc/sys/net/** r,

  /proc/version r,

  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/status r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/ns/net r,
  # Allow subprocess stat for management of haproxy instances
  # which are owned by 'nobody'
  @{PROC}/*/stat r,
}