openstack
/
instack-undercloud
Code Issues Proposed changes
instack-undercloud/elements/selinux-policy-updates/nova-rootwrap-dac.te

33 lines
905 B
Plaintext
Raw Permalink Blame History

module nova-rootwrap-dac 1.0;
require {
type nova_scheduler_t;
type nova_api_t;
type nova_console_t;
type init_var_run_t;
type user_home_dir_t;
type var_run_t;
type nova_cert_t;
type keystone_t;
class capability { dac_read_search dac_override };
class dir { write search getattr };
}
#============= keystone_t ==============
allow keystone_t init_var_run_t:dir write;
#============= nova_api_t ==============
allow nova_api_t self:capability { dac_read_search dac_override };
allow nova_api_t user_home_dir_t:dir { search getattr };
#============= nova_cert_t ==============
allow nova_cert_t user_home_dir_t:dir { search getattr };
allow nova_cert_t var_run_t:dir write;
#============= nova_console_t ==============
allow nova_console_t user_home_dir_t:dir { search getattr };
#============= nova_scheduler_t ==============
allow nova_scheduler_t user_home_dir_t:dir { search getattr };
View Git Blame Copy Permalink