f2eb3bf2ec
Fixes to nova-network and nova-api service restarts Charm helpers sync to bring in the AppArmorContext class Create specific service ApiAppArmorContexts Add service specific templates for apparmor profiles Add aa-profile-mode in config.yaml Apply the apparmor profile as requested: disable, enforce, complain Add aa-profile-mode change test to amulet Charm-helpers sync to pull in AA Profile context changes Change-Id: I18aff4bfe131010521ea9ff544c6bf76f888afa6
59 lines
1.3 KiB
Plaintext
59 lines
1.3 KiB
Plaintext
# Last Modified: Thu Mar 31 18:53:33 2016
|
|
# Mode: {{aa_profile_mode}}
|
|
#include <tunables/global>
|
|
|
|
/usr/bin/nova-api {
|
|
#include <abstractions/authentication>
|
|
#include <abstractions/base>
|
|
#include <abstractions/bash>
|
|
#include <abstractions/libvirt-qemu>
|
|
#include <abstractions/python>
|
|
#include <abstractions/wutmp>
|
|
|
|
capability audit_write,
|
|
capability net_admin,
|
|
capability net_raw,
|
|
capability sys_resource,
|
|
|
|
network inet raw,
|
|
|
|
|
|
/bin/* rix,
|
|
/etc/default/locale r,
|
|
/etc/environment r,
|
|
/etc/nova/** r,
|
|
/etc/sudoers r,
|
|
/etc/sudoers.d/ r,
|
|
/etc/sudoers.d/90-cloud-init-users r,
|
|
/etc/sudoers.d/90-cloudimg-ubuntu r,
|
|
/etc/sudoers.d/README r,
|
|
/etc/sudoers.d/nova_sudoers r,
|
|
/lib{,32,64}/** mr,
|
|
/run/lock/nova/nova-iptables wk,
|
|
/sbin/ldconfig rix,
|
|
/sbin/ldconfig.real rix,
|
|
/sbin/xtables-multi rix,
|
|
/tmp/ r,
|
|
/tmp/** rwk,
|
|
/usr/bin/ r,
|
|
/usr/bin/** rix,
|
|
/usr/lib{,32,64}/** mr,
|
|
/var/lib/nova/** rw,
|
|
/var/log/nova/nova-api.log w,
|
|
/var/tmp/ r,
|
|
/var/tmp/** rwk,
|
|
{% if ubuntu_release <= '12.04' %}
|
|
/proc/*/fd/ r,
|
|
/proc/*/mounts r,
|
|
/proc/*/net/ip_tables_names r,
|
|
/proc/*/stat r,
|
|
/proc/*/status r,
|
|
{% else %}
|
|
owner @{PROC}/@{pid}/fd/ r,
|
|
owner @{PROC}/@{pid}/mounts r,
|
|
owner @{PROC}/@{pid}/net/ip_tables_names r,
|
|
owner @{PROC}/@{pid}/stat r,
|
|
owner @{PROC}/@{pid}/status r,
|
|
{% endif %}
|
|
}
|