charm-neutron-gateway/templates/usr.bin.neutron-l3-agent
Liam Young 115c34fadd Add AppArmor Rule for keepalived
A patch was introduced [0] "..which sets the backup gateway
device link down by default. When the VRRP sets the master state in
one host, the L3 agent state change procedure will
do link up action for the gateway device.".

This change causes an issue when using keepalived 2.X (focal+) which
is fixed by patch [1] which adds a new 'no_track' option to all VIPs
and routes in keepalived's config file.

Patch [1] which fixed keepalived 2.X broke keepalived 1.X (<focal).
So patch [2] was added which adds a keepalived_use_no_track config
option which is set to True to control whether the 'no_track' option
is added to the keepalived config.

Finally, patchset [3] introduces automatic detection of the
keepalived version by adding a call to `keepalived --version`
but this is denied by the package's AppArmor rules.

[0] https://review.opendev.org/c/openstack/neutron/+/707406
[1] https://review.opendev.org/c/openstack/neutron/+/721799
[2] https://review.opendev.org/c/openstack/neutron/+/745641
[3] https://review.opendev.org/c/openstack/neutron/+/757620

Change-Id: I3eb1ef3fe29a8c4e5e26953844f303c8e985248a
2021-09-22 11:30:52 +00:00


# Last Modified: Fri Apr 1 16:26:34 2016
# Mode: {{aa_profile_mode}}
#include <tunables/global>
/usr/bin/neutron-l3-agent {
#include <abstractions/base>
#include <abstractions/python>
#include <abstractions/nameservice>
#include <abstractions/bash>
/usr/bin/neutron-l3-agent r,
# Allow the L3 agent to execute keepalived under this profile (ix), which
# covers the `keepalived --version` call used for keepalived version detection
/usr/sbin/keepalived rix,
/sbin/ldconfig* rix,
/{,usr/}bin/ r,
/{,usr/}bin/** rix,
/etc/neutron/** r,
/etc/magic r,
/etc/mime.types r,
/var/lib/neutron/** rwk,
/var/log/neutron/** rwk,
/{,var/}run/neutron/** rwk,
/{,var/}run/lock/neutron/** rwk,
/run/uuidd/request rw,
/usr/share/file/magic.mgc r,
/usr/share/file/magic/ r,
# Allow unconfined sudo to support oslo.rootwrap
# profile makes no attempt to restrict this as this
# is limited by the appropriate rootwrap configuration.
/usr/bin/sudo Ux,
# Allow ip to run unrestricted for unprivileged commands
/{,s}bin/ip Ux,
/tmp/* rw,
/tmp/** rw,
/var/tmp/* a,
# Required for parsing of managed process cmdline arguments
/proc/*/cmdline r,
# Required for assessment of current state of networking
/proc/sys/net/** r,
/proc/version r,
# neutron-dhcp-agent needs to keep track of ns-metadata-proxy processes
/proc/*/stat r,
{% if ubuntu_release <= '12.04' %}
/proc/*/mounts r,
/proc/*/status r,
/proc/*/ns/net r,
{% else %}
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/ns/net r,
{% endif %}
}
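Checking the profile from the operator's side, as an added example that is not part of the charm or of this commit: a small Python helper that parses AppArmor audit lines (the sample lines below are constructed to mimic the kernel's `type=1400` format), keeps the DENIED events attributed to the `/usr/bin/neutron-l3-agent` profile, and drafts a candidate rule for each, such as the `/usr/sbin/keepalived rix,` line this commit adds.

```python
import re

# Constructed sample kernel audit lines in the AppArmor "type=1400" format
# (made up for this example, not logs taken from the page or the charm).
SAMPLE_LOG = """\
audit: type=1400 audit(1632310252.123:45): apparmor="DENIED" operation="exec" profile="/usr/bin/neutron-l3-agent" name="/usr/sbin/keepalived" pid=4242 comm="neutron-l3-agen" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1632310252.130:46): apparmor="ALLOWED" operation="open" profile="/usr/bin/neutron-l3-agent" name="/etc/neutron/l3_agent.ini" pid=4242 comm="neutron-l3-agen" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1632310253.001:47): apparmor="DENIED" operation="open" profile="/usr/bin/neutron-l3-agent" name="/proc/4300/cmdline" pid=4242 comm="neutron-l3-agen" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# per-process /proc directory, generalised to /proc/*/ like the profile does
PID_DIR_RE = re.compile(r"^/proc/\d+/")


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def find_denials(log_text, profile):
    """DENIED events attributed to the given profile, in log order."""
    denials = []
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields and fields.get("apparmor") == "DENIED" \
                and fields.get("profile") == profile:
            denials.append(fields)
    return denials


def suggest_rule(denial):
    """Draft an AppArmor file rule that would cover one denial.

    Exec denials get 'rix' (read + inherit execution under the calling
    profile), the mode the charm gives /usr/sbin/keepalived; choose between
    ix, Px and Ux deliberately before copying a draft into the profile.
    """
    name = PID_DIR_RE.sub("/proc/*/", denial["name"])
    if denial.get("operation") == "exec":
        return f"{name} rix,"
    return f"{name} {denial['denied_mask']},"
```

In complain mode (the `{{aa_profile_mode}}` the charm renders) the same events are logged with `apparmor="ALLOWED"`, so widen the filter when auditing a profile before switching it to enforce.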