AppArmor policy update for os-brick and iSCSI
In iSCSI use cases including cinder-lvm, os-brick requires lock files such as: - /run/lock/nova/os-brick-connect_volume - /run/lock/nova/os-brick-connect_to_iscsi_portal-192.168.0.1 and lsscsi requires the following access to compose a rescan command such as "/sys/bus/scsi/drivers/sd/2:0:0:0/rescan": - /dev/ - /sys/bus/scsi/devices/ Closes-Bug: #1979812 Related-Bug: #1939390 Change-Id: Id2db3a70b8d1287bda006f1bbc5442038f7070f1
parent
06856f151c
commit
cf0f464391
|
@ -31,6 +31,7 @@
|
||||||
deny /* w,
|
deny /* w,
|
||||||
|
|
||||||
/bin/* rix,
|
/bin/* rix,
|
||||||
|
/dev/ r,
|
||||||
/dev/disk/** r,
|
/dev/disk/** r,
|
||||||
/dev/disk/by-id/* r,
|
/dev/disk/by-id/* r,
|
||||||
/dev/mapper/control wr,
|
/dev/mapper/control wr,
|
||||||
|
@ -77,7 +78,7 @@
|
||||||
/run/libvirt/libvirt-sock rw,
|
/run/libvirt/libvirt-sock rw,
|
||||||
/run/lock/iscsi/ rw,
|
/run/lock/iscsi/ rw,
|
||||||
/run/lock/iscsi/** rwl,
|
/run/lock/iscsi/** rwl,
|
||||||
/run/lock/nova/nova-iptables wk,
|
/run/lock/nova/* wk,
|
||||||
/run/lock/qemu-nbd-nbd* w,
|
/run/lock/qemu-nbd-nbd* w,
|
||||||
/run/openvswitch/db.sock rw,
|
/run/openvswitch/db.sock rw,
|
||||||
/run/uuidd/request rw,
|
/run/uuidd/request rw,
|
||||||
|
@ -96,6 +97,7 @@
|
||||||
/{usr/,}sbin/e2label rix,
|
/{usr/,}sbin/e2label rix,
|
||||||
/{usr/,}sbin/tune2fs rix,
|
/{usr/,}sbin/tune2fs rix,
|
||||||
/sys/block/ r,
|
/sys/block/ r,
|
||||||
|
/sys/bus/scsi/devices/ r,
|
||||||
/sys/class/fc_host/{,**} r,
|
/sys/class/fc_host/{,**} r,
|
||||||
/sys/class/iscsi_host/ r,
|
/sys/class/iscsi_host/ r,
|
||||||
/sys/class/iscsi_session/ r,
|
/sys/class/iscsi_session/ r,
|
||||||
|
|
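Review bot: The second hunk widens `/run/lock/nova/nova-iptables wk,` to `/run/lock/nova/* wk,`, which grants write and lock on every file directly under that directory although the description names only the two os-brick lock patterns. A narrower pair would keep the profile closer to least privilege: `/run/lock/nova/nova-iptables wk,` and `/run/lock/nova/os-brick-* wk,`, with a comment such as `# os-brick lock files for iSCSI attach (connect_volume, connect_to_iscsi_portal-<portal>)`. If other lock names under that directory are also expected, listing their prefixes would make that explicit. The added `/dev/ r,` and `/sys/bus/scsi/devices/ r,` rules end in a slash and so permit only directory listing; whether lsscsi also needs read access to the entries those symlinks resolve to cannot be confirmed from the visible lines.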