openstack/instack-undercloud
Code Issues Proposed changes
214c698712
instack-undercloud/elements/selinux-policy-updates/nova-rootwrap-dac.te
James Slagle 8f0e096f6e Custom policy for nova and ironic
2014-07-31 11:56:51 -04:00

33 lines
905 B
Plaintext
Raw Blame History

module nova-rootwrap-dac 1.0;
require {
type nova_scheduler_t;
type nova_api_t;
type nova_console_t;
type init_var_run_t;
type user_home_dir_t;
type var_run_t;
type nova_cert_t;
type keystone_t;
class capability { dac_read_search dac_override };
class dir { write search getattr };
}
#============= keystone_t ==============
allow keystone_t init_var_run_t:dir write;
#============= nova_api_t ==============
allow nova_api_t self:capability { dac_read_search dac_override };
allow nova_api_t user_home_dir_t:dir { search getattr };
#============= nova_cert_t ==============
allow nova_cert_t user_home_dir_t:dir { search getattr };
allow nova_cert_t var_run_t:dir write;
#============= nova_console_t ==============
allow nova_console_t user_home_dir_t:dir { search getattr };
#============= nova_scheduler_t ==============
allow nova_scheduler_t user_home_dir_t:dir { search getattr };
View Git Blame Copy Permalink