Add ceph paths to usr.bin.nova-compute aa profile

The current profile does not include ceph paths which breaks nova-compute if libvirt-image-backend=rbd when in enforce mode. Also fix access to /tmp and /var/tmp. Change-Id: Ie03a43ef73ca5f97f4f9e5edcefd261a0e36abf9 Closes-Bug: 1732492
2017-11-15 18:04:00 +00:00 · 2017-11-15 18:04:00 +00:00 · 0423eae1df
commit 0423eae1df
parent 84c840227f
1 changed files with 4 additions and 4 deletions
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@ -70,9 +70,7 @@
  /sys/devices/system/node/** r,
  /sys/devices/virtual/block/nbd*/ r,
  /sys/devices/virtual/net/** w,
-  /tmp/* rw,
-  /tmp/*/ rw,
-  /tmp/** rw,
+  /tmp/{,**} rw,
  /usr/bin/ r,
  /usr/bin/* rix,
  /usr/lib/gcc/x86_64-linux-gnu/4.8/collect2 rix,
@ -87,7 +85,7 @@
  /var/run/libvirt/* rw,
  /var/run/libvirt/libvirt-sock rw,
  /var/run/openvswitch/db.sock rw,
-  /var/tmp/* w,
+  /var/tmp/{,**} rw,
 {% if ubuntu_release <= '12.04' %}
  /proc/*/mounts r,
  /proc/*/status r,
@ -95,4 +93,6 @@
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/status r,
 {% endif %}
+  /var/lib/charm/*/ceph.conf r,
+  /etc/ceph/* r,
 }