From 58389f1822159d495f92ef4b99325c1fa7cc7c70 Mon Sep 17 00:00:00 2001
From: "Chaozhe.Chen" <chaozhe.chen@easystack.cn>
Date: Mon, 22 Feb 2016 13:52:38 +0800
Subject: [PATCH] Add /usr/local/{sbin,bin} to rootwrap exec_dirs

I noticed that nova, neutron and cinder's rootwrap exec_dirs include
/usr/local/{sbin,bin} which is a standardised location for admins to
install non-distro executables, and these executables are no less
"trustworthy" than /usr/bin and friends.  See neutron and cinder's
rootwrap.conf (and probably others), and typical distro default values
for sudoers/secure_path for extremely similar precedents that all include
/usr/local/*bin.

See the same patch of nova for more information:
https://review.openstack.org/#/c/280052/1
And see I710cf142b834381c00e651cfc062299ae755c33f for brief discussion
of doing this via devstack before.

Change-Id: If5ed1d7d81fdac10fc2b1608aafe20833e0f2980
---
 etc/ceilometer/rootwrap.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/ceilometer/rootwrap.conf b/etc/ceilometer/rootwrap.conf
index c79065c7..f5d90d20 100644
--- a/etc/ceilometer/rootwrap.conf
+++ b/etc/ceilometer/rootwrap.conf
@@ -10,7 +10,7 @@ filters_path=/etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin
 
 # Enable logging to syslog
 # Default value is False