This is the neutral lookup page for Blastwall names and expected evidence. Use it when a demo or lab page mentions an object and you need the exact role, path, or output.
AAP Objects
| Object | Type | Purpose |
|---|---|---|
| Blastwall | Project | Syncs the Blastwall repository into Controller. |
| Blastwall EE | Execution environment | Carries the Ansible, Kerberos, and IdM dependencies for AAP jobs. |
| Blastwall IdM Inventory Source | Inventory source | Uses eigenstate.ipa to expose IdM state as inventory facts. |
| Blastwall IdM Runtime | Credential | Injects the IdM principal and password or keytab used by runtime inventory and preflight. |
| Blastwall runtime verification | Workflow template | Runs project sync, credential smoke, inventory sync, preflight, and managed-host verification. |
| Blastwall policy pipeline | Workflow template | Builds a candidate policy RPM from Git source, renders a versioned SPO CR bundle, installs and verifies the candidate, promotes the marker, resyncs inventory, and reruns preflight. |
| Blastwall build policy RPM | Job template | Builds the candidate blastwall-selinux RPM from the checked-out policy/ source. |
| Blastwall render SPO policy CRs | Job template | Renders openshift/spo into a versioned blastwall-spo-crs.yaml and stores it in the job .artifacts map. |
| Blastwall apply and validate SPO policy CRs | Job template | Optionally applies the rendered bundle through a kubeconfig credential and waits for the standard and nested validation jobs. |
| Blastwall OpenShift Kubeconfig | Credential type | Injects K8S_AUTH_KUBECONFIG for the OpenShift apply and validation job. |
| Blastwall install candidate policy RPM | Job template | Installs the candidate RPM and confirms that the policy modules and the package NEVRA are present. |
| Blastwall promote policy marker | Job template | Updates the IdM host marker through freeipa.ansible_freeipa.ipahost after verification succeeds. |
IdM Records
| Record | Current Lab Name | Purpose |
|---|---|---|
| Automation identity | svc-ansible-runner | Kerberos-backed automation principal used by the Ansible proof. |
| AAP launcher | blastwall-demo | Controller-facing demo account that launches the recorded workflow. |
| Automation group | blastwall | Groups the automation identities that receive the Blastwall path. |
| SELinux user map | blastwall-root-local-map | Maps the automation identity to blastwall_u:s0. |
| HBAC rule | blastwall-ssh | Allows the automation identity to enter eligible hosts through SSH. |
| Sudo rule | blastwall-root-local-sudo | Delegates root work while SELinux keeps the domain confined. |
SELinux Contexts
| Context or Part | Meaning | Expected Evidence |
|---|---|---|
| blastwall_u | SELinux user component. | The login receives a Blastwall-specific SELinux user, not an unconfined user. |
| blastwall_r | SELinux role component. | The runtime process stays in the Blastwall role. |
| blastwall_t | SELinux process type (domain). | The process remains in this domain before and after sudo. |
| blastwall_u:blastwall_r:blastwall_t:s0 | Full confined automation process context. | Printed by the AAP and Ansible verification jobs. |
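The evidence in the table above is a context string printed before and after sudo. The check below, an added example written for this page and not one of the Blastwall verification playbooks, parses such strings field by field (the level part may itself contain a colon, as in `s0-s0:c0.c1023`, so a naive split would miscount) and reports which fields drift from the expected confined context. The `live_evidence` helper and its `id -Z` / `sudo -n id -Z` commands are an assumption about how a verification job would gather the strings; the sample contexts in `constructed_evidence` are made up so the script runs offline.

```python
"""Verify that an automation session carries the expected confined SELinux
context before and after sudo.

Added example for this page, not the Blastwall verification playbooks.  The
EXPECTED string is the context the page documents; the sample contexts in
constructed_evidence() are constructed for an offline run.
"""
import subprocess
from dataclasses import dataclass

EXPECTED = "blastwall_u:blastwall_r:blastwall_t:s0"


@dataclass(frozen=True)
class Context:
    user: str   # SELinux user, e.g. blastwall_u
    role: str   # SELinux role, e.g. blastwall_r
    type: str   # process domain, e.g. blastwall_t
    level: str  # MLS/MCS range as printed: "s0" or "s0-s0:c0.c1023"


def parse_context(raw: str) -> Context:
    # The level may itself contain ':' (s0-s0:c0.c1023), so split at most 3 times.
    parts = raw.strip().split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a SELinux context: {raw!r}")
    return Context(*parts)


def check_context(raw: str, expected: str = EXPECTED) -> list[str]:
    """Return the fields that differ from `expected`; an empty list is a pass."""
    got, want = parse_context(raw), parse_context(expected)
    return [
        f"{field}: got {getattr(got, field)}, want {getattr(want, field)}"
        for field in ("user", "role", "type", "level")
        if getattr(got, field) != getattr(want, field)
    ]


def verdict(evidence: dict[str, str]) -> dict[str, str]:
    """Map each stage ('before_sudo', 'after_sudo') to OK or a FAIL reason."""
    out = {}
    for stage, raw in evidence.items():
        try:
            problems = check_context(raw)
        except ValueError as exc:
            out[stage] = f"FAIL: {exc}"
            continue
        out[stage] = "OK" if not problems else "FAIL: " + "; ".join(problems)
    return out


def live_evidence() -> dict[str, str]:
    """Assumed collection step: `id -Z` directly and through non-interactive
    sudo.  Only meaningful on a Linux host with SELinux enabled."""
    evidence = {}
    for stage, cmd in (("before_sudo", ["id", "-Z"]),
                       ("after_sudo", ["sudo", "-n", "id", "-Z"])):
        try:
            evidence[stage] = subprocess.run(
                cmd, capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError) as exc:
            evidence[stage] = f"command failed: {exc}"
    return evidence


def constructed_evidence() -> dict[str, str]:
    # Constructed sample: the expected context before sudo, and an unconfined
    # context after sudo, which is exactly the escape the check must catch.
    return {
        "before_sudo": "blastwall_u:blastwall_r:blastwall_t:s0\n",
        "after_sudo": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n",
    }


if __name__ == "__main__":
    import sys
    source = live_evidence if "--live" in sys.argv else constructed_evidence
    for stage, result in verdict(source()).items():
        print(f"{stage}: {result}")
```

Run it without arguments to see the constructed escape reported as a FAIL on every field; pass `--live` on a managed host to check the real session. All four fields are compared exactly, because the page's expected evidence is the full string `blastwall_u:blastwall_r:blastwall_t:s0`, and an unconfined context would differ in the level as well as in user, role and type.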
Probe Scripts
| Probe | Surface | Expected Output |
|---|---|---|
| trigger-copyfail-afalg.py | AF_ALG authencesn path. | BLOCKED, or socket creation denied with a permission error. |
| trigger-bpf-deny.py | BPF map creation and program load. | BLOCKED for BPF_MAP_CREATE and BPF_PROG_LOAD. |
| trigger-packet-socket-deny.py | AF_PACKET socket creation. | BLOCKED for packet socket creation. |
| trigger-userns-deny.py | User namespace creation. | BLOCKED for unshare(CLONE_NEWUSER). |
| trigger-io-uring-deny.py | io_uring setup. | BLOCKED, or SKIP on kernels without that object class. |
| trigger-dirtyfrag-deny.py | Dirty Frag xfrm and RxRPC entry points. | BLOCKED for NETLINK_XFRM and AF_RXRPC, or SKIP for AF_RXRPC when the kernel lacks that protocol. |
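The table distinguishes three outcomes: BLOCKED (the attempt was refused), SKIP (the kernel does not offer the object at all, so there is nothing to deny), and, implicitly, an allowed attempt that would mean the deny scope is missing. The harness below is an added example written for this page, not the repository's trigger-*.py scripts. It shows how that vocabulary falls out of the errno of each failed attempt, using the AF_ALG, AF_PACKET, NETLINK_XFRM, AF_RXRPC and user-namespace surfaces from the table. The BPF and io_uring probes are left out because they need raw syscall numbers that differ by architecture. The socket-family and netlink constants are taken from the Linux UAPI headers; everything in `constructed_results` is a fabricated errno, not a measurement from a host.

```python
"""Probe harness: try a risky kernel surface and report BLOCKED, SKIP or
ALLOWED the way the probe table expects.

Added example written for this page, not the repository's trigger-*.py
scripts.  Constants are from the Linux UAPI headers; constructed_results()
uses fabricated errnos, not measurements from a host.
"""
import ctypes
import errno
import os
import socket

CLONE_NEWUSER = 0x10000000   # linux/sched.h
AF_RXRPC = 33                # linux/socket.h; not exposed by the socket module
NETLINK_XFRM = 6             # linux/netlink.h

# A refusal: SELinux or a missing capability said no.  The harness cannot tell
# the two apart, so confirm with `ausearch -m avc` on the host.
DENIED = {errno.EPERM, errno.EACCES}
# No such family/protocol/syscall: the surface is not there to be blocked.
ABSENT = {errno.ENOSYS, errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT, errno.ESOCKTNOSUPPORT}


def classify(err, absent=()):
    """Map the errno of a failed attempt (None = success) to the report vocabulary."""
    if err is None:
        return "ALLOWED"
    if err in DENIED:
        return "BLOCKED"
    if err in ABSENT or err in absent:
        return "SKIP"
    return f"UNEXPECTED({errno.errorcode.get(err, err)})"


def run_probe(fn, absent=()):
    try:
        fn()
    except OSError as exc:
        return classify(exc.errno, absent)
    except AttributeError:   # socket constant or libc symbol missing: not a Linux build
        return "SKIP"
    return "ALLOWED"


def in_child(fn):
    """Run fn in a forked child so a probe that succeeds (e.g. a new user
    namespace) cannot change the environment of the probes that follow."""
    pid = os.fork()
    if pid == 0:
        try:
            fn()
            os._exit(0)
        except OSError as exc:
            os._exit(exc.errno or 255)
        except BaseException:
            os._exit(255)
    _, status = os.waitpid(pid, 0)
    code = os.waitstatus_to_exitcode(status)
    if code != 0:
        raise OSError(code if code > 0 else 255, "probe child did not succeed")


def packet_socket():
    socket.socket(socket.AF_PACKET, socket.SOCK_RAW, 0).close()

def afalg_authencesn():
    with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as s:
        s.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))

def xfrm_netlink():
    socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_XFRM).close()

def rxrpc_socket():
    # For AF_RXRPC the protocol argument names the transport family.
    socket.socket(AF_RXRPC, socket.SOCK_DGRAM, socket.AF_INET).close()

def user_namespace():
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.unshare(CLONE_NEWUSER) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))

PROBES = [
    ("packet-socket", lambda: run_probe(packet_socket)),
    # ENOENT from bind means the algorithm is not built, not that it was denied.
    ("afalg-authencesn", lambda: run_probe(afalg_authencesn, absent={errno.ENOENT})),
    ("xfrm-netlink", lambda: run_probe(xfrm_netlink)),
    ("rxrpc-socket", lambda: run_probe(rxrpc_socket)),
    # EINVAL from unshare means CONFIG_USER_NS is off; ENOSPC (sysctl cap 0) stays UNEXPECTED.
    ("userns", lambda: run_probe(lambda: in_child(user_namespace), absent={errno.EINVAL})),
]


def constructed_results():
    """Constructed outcomes showing the vocabulary for each errno (no host involved)."""
    def failing(err):
        def f():
            raise OSError(err, os.strerror(err))
        return f
    return {
        "success": run_probe(lambda: None),
        "eperm": run_probe(failing(errno.EPERM)),
        "eacces": run_probe(failing(errno.EACCES)),
        "no_family": run_probe(failing(errno.EAFNOSUPPORT)),
        "alg_missing": run_probe(failing(errno.ENOENT), absent={errno.ENOENT}),
        "enoent_elsewhere": run_probe(failing(errno.ENOENT)),
    }


if __name__ == "__main__":
    for name, probe in PROBES:
        print(f"{name}: {probe()}")
```

Two caveats matter when reading the output. First, an unprivileged AF_PACKET attempt is refused by the CAP_NET_RAW check before SELinux is consulted, so BLOCKED there only proves the policy if the AVC log shows the denial; run the probe as the confined automation identity with its normal privileges. Second, the per-probe `absent` sets are deliberate: ENOENT on an AF_ALG bind means the algorithm is missing, but ENOENT anywhere else is reported as UNEXPECTED rather than silently counted as a pass.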
Policy Artifacts
| Artifact | Purpose |
|---|---|
| policy/blastwall.te | Base SELinux reference-policy module for the Blastwall automation user, role, and domain. |
| policy/blastwall-sshd-login.cil | Support module that lets sshd complete the selected-context transition into blastwall_t for GSSAPI automation sessions. |
| policy/blastwall-*-deny.cil | Standalone CIL deny scopes that subtract risky surfaces from blastwall_t. |
| policy/blastwall-xfrm-deny.cil and policy/blastwall-rxrpc-deny.cil | Dirty Frag response scopes added after the May 7, 2026 public disclosure. |
| policy/Makefile | Builds the base policy and lists the support modules and active deny scopes. |
| playbooks/build-policy-rpm.yml | AAP Day 2 build job that packages a candidate policy RPM from Git source. |
| openshift/spo/*.yaml | Source manifests for the OpenShift/SPO profiles, SCCs, and examples used by the SPO output. |
| playbooks/render-spo-policy-crs.yml | Renders the source manifests into a versioned blastwall-spo-crs.yaml artifact for AAP workflow output. |
| playbooks/install-policy-rpm.yml | AAP Day 2 install job that stages and validates the candidate policy RPM on the endpoint. |
| blastwall-spo-crs.yaml (job artifact) | Versioned OpenShift/SPO bundle stored in AAP job .artifacts and applied to the cluster as a change-control step. |
| playbooks/promote-policy-rpm.yml | AAP Day 2 marker promotion job that writes the verified IdM marker with the FreeIPA collection. |
| .github/workflows/policy-pipeline-smoke.yml | Self-hosted lab smoke workflow that launches the AAP policy pipeline and checks the evidence logs. |
| playbooks/ | Generic deployment, preflight, credential smoke, and verification playbooks. |
| aap/ | Controller configuration-as-code for the AAP proof. |
| poc-calabi/ | Calabi-specific lab runbooks and replay assets. |
Lab Names
The docs use some names from earlier proof phases and some names from the current AAP demo. Treat this table as the current map.
| Name | Scope | Meaning |
|---|---|---|
| svc-ansible-runner | Ansible proof | Automation service principal used for the Kerberos-backed host proof. |
| blastwall-demo | AAP proof | Demo launcher visible in Controller workflow output. |
| mirror-registry.workshop.lan | Calabi managed endpoint | Current host selected for verification in the recorded demos. |
| stale-blastwall-01.workshop.lan | Calabi fixture | Deliberately stale host used to prove preflight rejection. |
| automation-endpoint | Inventory group | Generic Ansible target group used by the lab playbooks. |