From 0423eae1dfd1e4d4f232cf5a2f58553a64f4b257 Mon Sep 17 00:00:00 2001
From: Edward Hope-Morley
Date: Wed, 15 Nov 2017 18:04:00 +0000
Subject: [PATCH] Add ceph paths to usr.bin.nova-compute aa profile
The current profile does not include ceph paths which breaks nova-compute if libvirt-image-backend=rbd when in enforce mode. Also fix access to /tmp and /var/tmp.
Change-Id: Ie03a43ef73ca5f97f4f9e5edcefd261a0e36abf9
Closes-Bug: 1732492
---
 templates/usr.bin.nova-compute | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/templates/usr.bin.nova-compute b/templates/usr.bin.nova-compute
index bcce2f73..e9abbda2 100644
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@@ -70,9 +70,7 @@
 /sys/devices/system/node/** r,
 /sys/devices/virtual/block/nbd*/ r,
 /sys/devices/virtual/net/** w,
- /tmp/* rw,
- /tmp/*/ rw,
- /tmp/** rw,
+ /tmp/{,**} rw,
 /usr/bin/ r,
 /usr/bin/* rix,
 /usr/lib/gcc/x86_64-linux-gnu/4.8/collect2 rix,
@@ -87,7 +85,7 @@
 /var/run/libvirt/* rw,
 /var/run/libvirt/libvirt-sock rw,
 /var/run/openvswitch/db.sock rw,
- /var/tmp/* w,
+ /var/tmp/{,**} rw,
 {% if ubuntu_release <= '12.04' %}
 /proc/*/mounts r,
 /proc/*/status r,
@@ -95,4 +93,6 @@
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
 {% endif %}
+ /var/lib/charm/*/ceph.conf r,
+ /etc/ceph/* r,
 }
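Review bot: The new `/tmp/{,**} rw,` in the first hunk still lets the confined nova-compute read and write any file under `/tmp` no matter which uid created it, and the `{,**}` alternation additionally grants `rw` on the `/tmp/` directory entry itself, which none of the three replaced rules did. The profile already uses the `owner` qualifier for the `@{PROC}/@{pid}/` rules in the last hunk, so the same least-privilege idiom fits here: `owner /tmp/** rw,`, keeping a separate `/tmp/ r,` only if directory listing is actually needed. Whether nova-compute has to touch temp files owned by other uids is not shown by this patch; if it does not, narrowing here is cheap, and a denial in complain mode would surface the exception before the next enforce run.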
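Review bot: `/var/tmp/{,**} rw,` in the second hunk widens the old `/var/tmp/* w,` in three ways at once — it adds read, it extends from top-level entries to every nested path, and it covers the `/var/tmp/` directory entry — while the commit message only says access was "fixed", not which of those was actually denied. A reviewer cannot tell from the diff whether the read grant or the recursive grant was required, so the narrowest rule that clears the observed denial should be used and the denial recorded in the message; as with `/tmp`, `owner /var/tmp/** rw,` keeps the grant to files nova-compute itself created. Since `/var/tmp` persists across reboots and is shared with other services, an unqualified recursive `rw` here is the more consequential of the two temp-dir changes.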
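Review bot: `/etc/ceph/* r,` in the last hunk lets the confined process read every file in `/etc/ceph`, so on a host that also carries an admin keyring (`/etc/ceph/ceph.client.admin.keyring`) the rule hands nova-compute cluster-admin credentials rather than only the client key it uses for RBD. If the configured rbd user's keyring is what is needed, `/etc/ceph/ceph.conf r,` plus a rule naming that keyring file specifically documents the intent and excludes whatever else gets dropped into the directory. Note that a single `*` does not cross `/`, so no subdirectory of `/etc/ceph` is reachable with either form, and nothing here covers a librados admin socket or client log path — if those are attempted they will still be denied and show up in complain mode. The `/var/lib/charm/*/ceph.conf r,` rule is presumably the charm-rendered config used when `/etc/ceph/ceph.conf` is not the source of truth; a one-line comment above it saying so would save the next reader from guessing, e.g. `# charm-rendered ceph.conf used when libvirt-image-backend=rbd`.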