This is the neutral lookup page for Blastwall names and expected evidence. Use it when a demo or lab page mentions an object and you need the exact role, path, or output.
AAP Objects
| Object | Type | Purpose |
| --- | --- | --- |
| Blastwall | Project | Syncs the Blastwall repository into Controller. |
| Blastwall EE | Execution environment | Carries Ansible, Kerberos, and IdM dependencies for AAP jobs. |
| Blastwall IdM Inventory Source | Inventory source | Uses eigenstate.ipa to expose IdM state as inventory facts. |
| Blastwall IdM Runtime | Credential | Injects the IdM principal and password or keytab used by runtime inventory and preflight. |
| Blastwall runtime verification | Workflow template | Runs project sync, credential smoke, inventory sync, preflight, and managed-host verification. |
IdM Records
| Record | Current Lab Name | Purpose |
| --- | --- | --- |
| Automation identity | svc-ansible-runner | Kerberos-backed automation principal used by the Ansible proof. |
| AAP launcher | blastwall-demo | Controller-facing demo account that launches the recorded workflow. |
| Automation group | blastwall | Groups the automation identities that receive the Blastwall path. |
| SELinux user map | blastwall-root-local-map | Maps the automation identity to blastwall_u:s0. |
| HBAC rule | blastwall-ssh | Allows the automation identity to enter eligible hosts through SSH. |
| Sudo rule | blastwall-root-local-sudo | Delegates root work while SELinux keeps the domain confined. |
SELinux Contexts
| Context or Part | Meaning | Expected Evidence |
| --- | --- | --- |
| blastwall_u | SELinux user component. | The login receives a Blastwall-specific SELinux user, not an unconfined user. |
| blastwall_r | SELinux role component. | The runtime process stays in the Blastwall role. |
| blastwall_t | SELinux process type/domain. | The process remains in this domain before and after sudo. |
| blastwall_u:blastwall_r:blastwall_t:s0 | Full confined automation process context. | Printed by AAP and Ansible verification jobs. |
Probe Scripts
| Probe | Surface | Expected Output |
| --- | --- | --- |
| trigger-copyfail-afalg.py | AF_ALG/authencesn path. | BLOCKED, or socket creation denied with a permission error. |
| trigger-bpf-deny.py | BPF map creation and program load. | BLOCKED for BPF_MAP_CREATE and BPF_PROG_LOAD. |
| trigger-packet-socket-deny.py | AF_PACKET socket creation. | BLOCKED for packet socket creation. |
| trigger-userns-deny.py | User namespace creation. | BLOCKED for unshare(CLONE_NEWUSER). |
| trigger-io-uring-deny.py | io_uring setup. | BLOCKED, or SKIP on kernels without that object class. |
Policy Artifacts
| Artifact | Purpose |
| --- | --- |
| policy/ | SELinux reference-policy module and CIL deny rules. |
| playbooks/ | Generic deployment, preflight, credential smoke, and verification playbooks. |
| aap/ | Controller configuration-as-code for the AAP proof. |
| poc-calabi/ | Calabi-specific lab runbooks and replay assets. |
Lab Names
The docs use some names from earlier proof phases and some names from the current AAP demo. Treat this table as the current map.
| Name | Scope | Meaning |
| --- | --- | --- |
| svc-ansible-runner | Ansible proof | Automation service principal used for Kerberos-backed host proof. |
| blastwall-demo | AAP proof | Demo launcher visible in Controller workflow output. |
| mirror-registry.workshop.lan | Calabi managed endpoint | Current host selected for verification in the recorded demos. |
| stale-blastwall-01.workshop.lan | Calabi fixture | Deliberately stale host used to prove preflight rejection. |
| automation-endpoint | Inventory group | Generic Ansible target group used by lab playbooks. |