AppArmor policy update for os-brick and iSCSI
In iSCSI use cases including cinder-lvm, os-brick requires lock files
such as:
- /run/lock/nova/os-brick-connect_volume
- /run/lock/nova/os-brick-connect_to_iscsi_portal-192.168.0.1
and lsscsi requires the following access to compose a rescan command such as
"/sys/bus/scsi/drivers/sd/2:0:0:0/rescan":
- /dev/
- /sys/bus/scsi/devices/
Closes-Bug: #1979812
Related-Bug: #1939390
Change-Id: Id2db3a70b8d1287bda006f1bbc5442038f7070f1
(cherry picked from commit cf0f464391)
parent 64d8b2e142
commit c16a9aedab
|
@ -31,6 +31,7 @@
|
||||||
deny /* w,
|
deny /* w,
|
||||||
|
|
||||||
/bin/* rix,
|
/bin/* rix,
|
||||||
|
/dev/ r,
|
||||||
/dev/disk/** r,
|
/dev/disk/** r,
|
||||||
/dev/disk/by-id/* r,
|
/dev/disk/by-id/* r,
|
||||||
/dev/mapper/control wr,
|
/dev/mapper/control wr,
|
||||||
|
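Review bot: The added `/dev/ r,` rule carries no comment saying why this profile needs to list all of /dev/; the commit message ties it to lsscsi, and that reason belongs next to the rule. The trailing slash limits the grant to reading the directory itself (listing device names), not the nodes in it, so stating that in the comment would help keep a later edit from widening it to `/dev/*` or `/dev/**`.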
@ -74,7 +75,7 @@
|
||||||
/run/libvirt/libvirt-sock rw,
|
/run/libvirt/libvirt-sock rw,
|
||||||
/run/lock/iscsi/ rw,
|
/run/lock/iscsi/ rw,
|
||||||
/run/lock/iscsi/** rwl,
|
/run/lock/iscsi/** rwl,
|
||||||
/run/lock/nova/nova-iptables wk,
|
/run/lock/nova/* wk,
|
||||||
/run/lock/qemu-nbd-nbd* w,
|
/run/lock/qemu-nbd-nbd* w,
|
||||||
/run/openvswitch/db.sock rw,
|
/run/openvswitch/db.sock rw,
|
||||||
/run/uuidd/request rw,
|
/run/uuidd/request rw,
|
||||||
|
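Review bot: Replacing `/run/lock/nova/nova-iptables wk,` with `/run/lock/nova/* wk,` grants write and lock on every file directly under /run/lock/nova/, which is wider than the two lock names the commit message gives, both of which start with `os-brick-`. If no other lock names are needed, keep the nova-iptables line and add `/run/lock/nova/os-brick-* wk,` instead; if others are needed, name them in the commit message. The `*` does not match `/`, so subdirectories stay uncovered either way.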
@ -93,6 +94,7 @@
|
||||||
/{usr/,}sbin/e2label rix,
|
/{usr/,}sbin/e2label rix,
|
||||||
/{usr/,}sbin/tune2fs rix,
|
/{usr/,}sbin/tune2fs rix,
|
||||||
/sys/block/ r,
|
/sys/block/ r,
|
||||||
|
/sys/bus/scsi/devices/ r,
|
||||||
/sys/class/fc_host/{,**} r,
|
/sys/class/fc_host/{,**} r,
|
||||||
/sys/class/iscsi_host/ r,
|
/sys/class/iscsi_host/ r,
|
||||||
/sys/class/iscsi_session/ r,
|
/sys/class/iscsi_session/ r,
|
||||||
|
|
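Review bot: The added `/sys/bus/scsi/devices/ r,` rule only allows listing that directory, while the commit message describes the goal as composing a rescan command for a path under /sys/bus/scsi/drivers/sd/, and nothing in the visible hunks grants access there. Please confirm that the write to the rescan file is either covered by a rule elsewhere in the profile or performed by a process outside this profile, and add a comment on the new line naming lsscsi as the consumer.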