# managed by salt - do not edit manually!
# AppArmor profile for elasticsearch 6.8
# vim: ft=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2017-2022 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
Christian Boltz 1580ae
profile elasticsearch /usr/share/elasticsearch/bin/elasticsearch flags=(complain) {
  #include <abstractions/base>

  # NOTE(review): every profile in this file carries flags=(complain), so
  # nothing here is enforced yet - accesses outside the rules are only logged
  # (as ALLOWED) in the audit log.  Treat the rule set as what was observed
  # while learning, not as a verified least-privilege policy; remove the flag
  # here and on the three child profiles only once a further aa-logprof pass
  # reports no new events.

  # Broad capability for a shell launcher.  The only ptrace-related use
  # visible in this file is the narrowly scoped "ptrace read" rule inside the
  # java child profile, so this grant looks wider than necessary - confirm
  # from the audit log that the launcher itself needs it before keeping it.
  capability sys_ptrace,

  /dev/tty rw,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  # Shell utilities used by the launcher run confined by the shared "helper"
  # child profile below.
  /usr/bin/basename Cx -> helper,
  /usr/bin/dirname Cx -> helper,
  /usr/bin/grep Cx -> helper,
  /usr/bin/which Cx -> helper,
  # The JVM is confined by the "java" child profile.  The path pins one
  # specific JDK build; a JDK update that renames the directory needs a
  # matching change here and in the java profile's "mr" rule.
  /usr/lib64/jvm/java-11-openjdk-11/bin/java Cx -> java,
  /usr/share/elasticsearch/ r,
  /usr/share/elasticsearch/bin/elasticsearch r,
  /usr/share/elasticsearch/bin/elasticsearch-env r,

  # Shared child profile for basename/dirname/grep/which: besides
  # abstractions/base it only allows mapping the four binaries themselves,
  # so the tools get no file access of their own.
  profile helper flags=(complain) {
    #include <abstractions/base>

    /usr/bin/basename mr,
    /usr/bin/dirname mr,
    /usr/bin/grep mr,
    /usr/bin/which mr,

  }

  # The Elasticsearch JVM.  Almost all of the policy lives here.
  profile java flags=(complain) {
    #include <abstractions/base>

    # NOTE(review): this profile has no "network" rules and abstractions/base
    # contributes none, yet the process reads /proc/sys/net/core/somaxconn
    # and the resolver files below, which suggests it opens sockets.  Expect
    # socket denials once the complain flag is dropped; add the narrowest
    # "network inet stream," / "network inet6 stream," rules the audit log
    # justifies rather than a bare "network,".

    # Presumably the JVM inspects /proc/<pid>/ of the ldconfig child it
    # spawns via the Px rule below; reading another confined task's /proc
    # entries is mediated as a ptrace read, hence this peer-scoped rule
    # (it grants read only, no attach).
    ptrace read peer=elasticsearch//ldconfig,

    # Configuration is read-only here; the keystore (writable) is covered by
    # the "owner" rules further down.
    /etc/elasticsearch/ r,
    /etc/elasticsearch/elasticsearch.yml r,
    /etc/elasticsearch/jvm.options r,
    /etc/elasticsearch/log4j2.properties r,
    /etc/elasticsearch/scripts/ r,
    /etc/host.conf r,
    /etc/hosts r,
    /etc/nsswitch.conf r,
    /etc/passwd r,
    # Not "owner"-qualified: these match the /proc entries of every process,
    # which for */stat exposes other processes' state.  Tighten to
    # "owner /proc/*/stat r," if the log only ever shows the JVM's own pid.
    /proc/*/net/if_inet6 r,
    /proc/*/net/ipv6_route r,
    /proc/*/stat r,
    /proc/diskstats r,
    /proc/loadavg r,
    /proc/sys/kernel/core_pattern r,
    /proc/sys/kernel/pid_max r,
    /proc/sys/kernel/threads-max r,
    /proc/sys/net/core/somaxconn r,
    /proc/sys/vm/max_map_count r,
    # Resolver config at its openSUSE/netconfig location (/etc/resolv.conf is
    # presumably a symlink to it on the target host - verify there).
    /run/netconfig/resolv.conf r,
    # ldconfig is executed under the named child profile at the bottom of
    # this file (Px: transition with environment scrubbing).
    /sbin/ldconfig Px -> elasticsearch//ldconfig,
    # Host sizing information read at startup.  These are cgroup v1 paths; a
    # cgroup v2 host exposes a different layout that this profile does not
    # cover.
    /sys/devices/system/cpu/offline r,
    /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r,
    /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
    /sys/fs/cgroup/cpu,cpuacct/cpu.shares r,
    /sys/fs/cgroup/cpu,cpuacct/cpu.stat r,
    /sys/fs/cgroup/cpu,cpuacct/cpuacct.usage r,
    /sys/fs/cgroup/cpuset/cpuset.cpus r,
    /sys/fs/cgroup/cpuset/cpuset.mems r,
    /sys/fs/cgroup/memory/memory.limit_in_bytes r,
    /sys/fs/cgroup/memory/memory.max_usage_in_bytes r,
    /sys/fs/cgroup/memory/memory.soft_limit_in_bytes r,
    /sys/fs/cgroup/memory/memory.stat r,
    /sys/fs/cgroup/memory/memory.usage_in_bytes r,
    /sys/fs/cgroup/memory/memory.use_hierarchy r,
    /sys/kernel/mm/transparent_hugepage/defrag r,
    /sys/kernel/mm/transparent_hugepage/enabled r,
    /usr/lib64/jvm/java-11-openjdk-11/bin/java mr,
    # Code the JVM loads: the installed jars, bundled modules and their
    # policy/properties files, all read-only.
    /usr/share/elasticsearch/ r,
    /usr/share/elasticsearch/lib/ r,
    /usr/share/elasticsearch/lib/*.jar r,
    /usr/share/elasticsearch/modules/ r,
    /usr/share/elasticsearch/modules/*/ r,
    /usr/share/elasticsearch/modules/*/*.jar r,
    /usr/share/elasticsearch/modules/*/*.policy r,
    /usr/share/elasticsearch/modules/*/*.properties r,
    # Redundant - already matched by modules/*/*.jar above; safe to drop.
    /usr/share/elasticsearch/modules/percolator/*.jar r,
    # Plugin directory itself only; nothing inside it is allowed, so
    # presumably no plugins are installed on the target host.
    /usr/share/elasticsearch/plugins/ r,
    /var/lib/ca-certificates/java-cacerts r,
    # The keystore holds the node's secrets.  "owner" restricts the match to
    # files owned by the JVM's uid; write access (and the .tmp sibling) is
    # granted, presumably for keystore creation/upgrade at startup - confirm
    # from the log, and prefer "r" if write is not actually needed.
    owner /etc/elasticsearch/elasticsearch.keystore rw,
    owner /etc/elasticsearch/elasticsearch.keystore.tmp rw,
    owner /proc/*/ r,
    owner /proc/*/cgroup r,
    owner /proc/*/coredump_filter rw,
    owner /proc/*/fd/ r,
    owner /proc/*/mountinfo r,
    owner /proc/*/mounts r,
    owner /run/elasticsearch/elasticsearch.pid w,
    owner /tmp/elasticsearch-*/ w,
    owner /tmp/elasticsearch-*/*.tmp w,
    # JVM crash reports (hs_err_pid*) and the per-user hsperfdata directory.
    owner /tmp/hs_err_pid*.log rw,
    owner /tmp/hsperfdata_elasticsearch/ rw,
    owner /tmp/hsperfdata_elasticsearch/* rw,
    # Presumably where JNA unpacks its native library.  "mrw" on the same
    # writable glob means anything the JVM can write into this directory can
    # also be mapped executable - this is the only W+X location in the
    # profile, so keep the glob exactly this narrow.
    owner /var/lib/elasticsearch/.cache/ w,
    owner /var/lib/elasticsearch/.cache/JNA/ w,
    owner /var/lib/elasticsearch/.cache/JNA/temp/ rw,
    owner /var/lib/elasticsearch/.cache/JNA/temp/*.tmp mrw,
    # Node data directory.  Only nodes/0/ is covered, so a second node on the
    # same host (nodes/1/) would presumably fall outside these rules.
    owner /var/lib/elasticsearch/nodes/ w,
    owner /var/lib/elasticsearch/nodes/0/ w,
    owner /var/lib/elasticsearch/nodes/0/.es_temp_file w,
    owner /var/lib/elasticsearch/nodes/0/.es_temp_file.final w,
    owner /var/lib/elasticsearch/nodes/0/.es_temp_file.tmp rw,
    owner /var/lib/elasticsearch/nodes/0/_state/ rw,
    owner /var/lib/elasticsearch/nodes/0/_state/global-[0-9].st rw,
    owner /var/lib/elasticsearch/nodes/0/_state/global-[0-9].st.tmp rw,
    owner /var/lib/elasticsearch/nodes/0/_state/node-[0-9].st rw,
    owner /var/lib/elasticsearch/nodes/0/_state/node-[0-9].st.tmp rw,
    owner /var/lib/elasticsearch/nodes/0/indices/ rw,
    owner /var/lib/elasticsearch/nodes/0/indices/** rwk,
    owner /var/lib/elasticsearch/nodes/0/node.lock wk,
    # Application, deprecation, slowlog and GC logs; rotated GC logs are
    # write-only.
    owner /var/log/elasticsearch/elasticsearch.log rw,
    owner /var/log/elasticsearch/elasticsearch_deprecation.log rw,
    owner /var/log/elasticsearch/elasticsearch_index_indexing_slowlog.log rw,
    owner /var/log/elasticsearch/elasticsearch_index_search_slowlog.log rw,
    owner /var/log/elasticsearch/loggc rw,
    owner /var/log/elasticsearch/loggc.*[0-9] w,

  }

  # Target of the Px rule in the java profile: ldconfig runs with nothing
  # beyond abstractions/base and its own binary.
  profile ldconfig flags=(complain) {
    #include <abstractions/base>

    /sbin/ldconfig mr,

  }
}