tasks: lxc_install_zypper: Relax apparmor restrictions for dnsmasq

The default apparmor profile does not allow dnsmasq to read from
/etc/neutron or /var/log/neutron as we see from the following entry
in the audit.log file:

type=AVC msg=audit(1500476274.931:179617): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq"
name="/etc/neutron/dnsmasq-neutron.conf" pid=27503 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

However, having such access is essential for neutron to work; otherwise,
dnsmasq fails to start and the VMs have all sorts of network problems.
As such, we create a local profile with the neutron allowances.

Change-Id: I11b1c777fc738f319e0d1c875390522468504050
Markos Chandras 2017-07-19 16:34:22 +01:00
parent 1e6a6a7540
commit d77bbf6d0a
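An added example, not part of this commit or of the openstack-ansible project: a small Python tool that parses audit.log AVC records like the one quoted in the commit message and emits AppArmor file rules scoped to the exact paths that were denied, rather than a directory glob. It goes a little beyond the single entry above by merging several denials for the same path and by rendering the result in the marker layout that `blockinfile` writes. The sample log lines are constructed (the first mirrors the commit message entry); the function names and the `SAMPLE_AUDIT_LOG` constant are the example's own.

```python
"""Derive least-privilege AppArmor file rules from audit.log AVC denials.

Added example, not part of the commit under review.  The log below is
constructed; the first record mirrors the entry quoted in the commit message.
"""
import re

SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1500476274.931:179617): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/dnsmasq" name="/etc/neutron/dnsmasq-neutron.conf" pid=27503 '
    'comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
    # constructed: dnsmasq also denied write/create on its own log file
    'type=AVC msg=audit(1500476275.102:179618): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/dnsmasq" name="/var/log/neutron/dnsmasq.log" pid=27503 '
    'comm="dnsmasq" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0\n'
    # constructed: a complain-mode record, which must not turn into a rule
    'type=AVC msg=audit(1500476275.103:179619): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/dnsmasq" name="/etc/hosts" pid=27503 '
    'comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
    # constructed: a denial for a different profile, which must be ignored
    'type=AVC msg=audit(1500476275.104:179620): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/ntpd" name="/etc/neutron/neutron.conf" pid=100 '
    'comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
)

# key="quoted value"  or  key=bare_value
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# denied_mask letters -> file permission letters used in profile rules.
# A profile 'w' already covers create and delete, so 'c' and 'd' fold into it.
_MASK_MAP = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
             "k": "k", "l": "l", "m": "m"}
_MODE_ORDER = "rwalkm"


def parse_avc(line):
    """Return the fields of one audit line as a dict, or None if it is not
    an AppArmor AVC record."""
    if not line.startswith("type=AVC"):
        return None
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in _KV_RE.findall(line)}
    return fields if "apparmor" in fields else None


def collect_denials(log_text, profile):
    """Merge denied_mask letters per path for DENIED records of one profile."""
    needed = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        path, mask = rec.get("name"), rec.get("denied_mask", "")
        if path and mask:
            needed.setdefault(path, set()).update(mask)
    return needed


def mask_to_mode(letters):
    """Translate a set of denied_mask letters into a profile mode string.
    Exec denials need a hand-picked exec qualifier (ix/Px/...), so they are
    rejected instead of being guessed."""
    if "x" in letters:
        raise ValueError("exec denial needs a manually chosen exec qualifier")
    modes = {_MASK_MAP[l] for l in letters if l in _MASK_MAP}
    if "w" in modes:
        modes.discard("a")  # 'w' implies append
    return "".join(m for m in _MODE_ORDER if m in modes)


def rules_for_profile(log_text, profile):
    """One rule per denied path, scoped to that exact path, sorted by path."""
    needed = collect_denials(log_text, profile)
    return [f"{path} {mask_to_mode(letters)}," for path, letters in sorted(needed.items())]


def render_local_profile(rules, marker="ANSIBLE MANAGED BLOCK"):
    """Render the rules in the marker layout that blockinfile writes."""
    return "\n".join([f"# BEGIN {marker}", *rules, f"# END {marker}"]) + "\n"


if __name__ == "__main__":
    print(render_local_profile(rules_for_profile(SAMPLE_AUDIT_LOG, "/usr/sbin/dnsmasq")), end="")
```

Run it and the output is the block to drop into /etc/apparmor.d/local/usr.sbin.dnsmasq; re-run after reloading the profile and exercising dnsmasq, and any further denials show up as additional exact-path rules, which keeps the override as narrow as the observed behaviour requires.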


@ -24,6 +24,23 @@
tags: tags:
- lxc-packages - lxc-packages
# NOTE(hwoarang) default dnsmasq profile is too restrictive so we
# need to adjust it for neutron.
- name: Relax dnsmasq apparmor profile
blockinfile:
path: "/etc/apparmor.d/local/usr.sbin.dnsmasq"
block: |-
/etc/neutron/* r,
/var/log/neutron/* rw,
marker: "# {mark} ANSIBLE MANAGED BLOCK"
notify:
- Start apparmor
- Reload apparmor
tags:
- lxc-files
- lxc-apparmor
- lxc_hosts-config
- name: Drop lxc-openstack apparmor profile - name: Drop lxc-openstack apparmor profile
template: template:
src: "lxc-openstack.apparmor.j2" src: "lxc-openstack.apparmor.j2"
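Review bot: the new rules in the `Relax dnsmasq apparmor profile` task grant more than the denial in the commit message calls for: `/etc/neutron/* r,` lets dnsmasq read every file directly under /etc/neutron, while the quoted audit entry only shows `/etc/neutron/dnsmasq-neutron.conf` being denied, and `/var/log/neutron/* rw,` gives write access to every log file in that directory. Suggest scoping the block to the paths actually observed, e.g. `/etc/neutron/dnsmasq-neutron.conf r,` and a dnsmasq-specific name under /var/log/neutron, and widening it only when further audit.log denials justify it. Two smaller points: the override only takes effect when the packaged usr.sbin.dnsmasq profile includes local/usr.sbin.dnsmasq, which the NOTE(hwoarang) comment should state so the assumption is visible; and since the task writes with `blockinfile` to a path that may not exist yet on a fresh host, it needs `create: yes` (or a preceding task that creates the file) to avoid failing on first run.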