From 3eb406ccdbaa5c8ba869958075d95679f41955bf Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Wed, 29 May 2019 09:49:03 -0700
Subject: [PATCH] Update rsyslog-audit custom SELinux policy to allow dir reads

This now seems to be necessary. This is the cause of the flood
of SELinux denials on F29+ hosts with the rsyslog stuff.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
 roles/base/files/selinux/rsyslog-audit.pp | Bin 7609 -> 1196 bytes
 roles/base/files/selinux/rsyslog-audit.te |   6 +++---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/base/files/selinux/rsyslog-audit.pp b/roles/base/files/selinux/rsyslog-audit.pp
index f1a417ff5a9e3468abf151bf1e3bda637b57da36..41d0b6acd783e55d419bbe7927b98cc491748e56 100644
GIT binary patch
delta 182
zcmdmKy@pe#|9{O-Mg|535EfuyVCel{^OK)}fg#vc!6!4Xv_io*KczG$m5G6YL3pBp
z8k3>J<b{mFlkFKfteF`g03-)u!}uwgMeI-$(^E?lOG=7Z7#P5+ic%9(*gz^LE}A=e
z10&1iKTJH66_{BjJ2QS{WS@MIF@Ev^MwZDlm;|7*0+a7BsZ74ZRKUnSxscg;@dRc@
E0GEC%jsO4v

literal 7609
zcmc&&UymEN5#P4yp9n4b(ho3zUUY!0*lnKt)Fh5kqxIS7#d!$|f!dvw*yEC$Ay+y9
z{t89&b^YXEhU97`>tx;8bqBc9?sES8IGh;{`QNv%-~6H|ieDB*@u#9Fe)_B^{`2<r
zn?DvsarG_yL)-2Kp1Z0u$Sk9xD46|sMWjCzML~Y+jaxoYU8TdXilTTld-&HhJ|vds
zKW1Ud@BGVDY5Hwazr>(Ipx-1ekBZ9GXNiyP^K*W$wZUH}PVLHI4zy%mLRIlI+jlKm
z)|2PLzf5lNZ!E){hWKxLX3BH;ebSY6G7aU#H`Uy@<ve_z<Zk1Q?yTlPw49)<AcJRO
zK>3{k@Lzt<jvfMII^@gzhkX2<b+7}6JRjQz>*n|y(h$ob-W*W(;mLF;n~CRpXfI<s
z{C*pbOt;y%>-UdEc`YkV?DG7_Il?)W-}5i$e9jLR&ENT%<9`_Ad5nKK-usvy4jiMO
z-oAb_`d`p^G=?Xdundm2(5euStcOXZ=|ToyDpCywB>#9chDS4~T%)vwux)WPhCk1s
zbT%k$kwhwLy2#^ynL*X7k1{8x!Fc|O%g!hQ_Vxf0zkV!CqWTOtBLQ@^Z5Gbx5{$Oj
z14PDN&p$mXcG2XOy|Ajm3SR0K{TEN4J$*3%R_ogR-;sG&USseBSp4Oa!(w-RZCrT`
z6|QxOU|lr~tA+XWm||Fcvr?qWfOHG8az&rqTM^k)&OA<!c_3xI4%*p%9mS)mQcPks
zm{yvYeQI$dzok*$Ptad*!V2*+bXMQw`Vpfe>tUsA`%DsT&s9mzL+uFsMu&2x?GhFk
zHi#Cy>!?I%Ic>M2F(_MsajH@at|{^r8tLD_cWvt^FoM(O#p+W>psI>(g%$QXf(qE6
z6)oqg={$nAplv{^Rf&EI!GUYp+sc?NXzP&zC?Nc?(}b|#I2KopVTGneg1WOM3rxXl
zTOu@H!p7MEc+>Kn8*$QT47vuz^$S6JP*A#t;lgBm@%Svj&#cV1?m|ZlJ7WgFa-FGQ
zA#>?n9DN&OC1BGU6>!28Yf7C#AH(7dcYlD{9^*T9&zkUyv<^91R?1dJ+huhBNs>T$
z!kcCz4zFQ@*-yOa95@x$sxx6UhR|7w%C#~bg7V;7EOo81g2h&N`zUtA>&W76jYPV_
zB(+<F&SP~h#BXl`7a&+TXHZ!Wt_$F5P?p1o(0lFdY&3@NR@#F_tUO2P0)cSj=o%~V
zZotZMw$Wh)ts=Bxg&sYW$^tXb-k;#&x9^fWDlCm6#j$<ve6ncD?>ns6js(NsVs7Q+
ziAB+`bRF!(cFojiA7-;z>_+6fEDC=H+cgk$Be5R^b!{uGC+yN`pbqDf#?x9EpPr+l
z=1Zs?day3QO079gw4cSvkH#>cqeLLi=K`|onr0g@@~ZU3!s3SWd<GH=QXfZSK%$nk
z4O3n+j-b*w&->v1N-eml)3!nzu!7PNH*{v3P@G8ukFai?*(kD;2EA9y)Vv7_P{1Qx
zMbqFJYrLa@0VF!A-|~zdW%V=YeLEUMqplH@-3Hk+YNgFRCb&d9?>y3k|4C_smax`0
zQy^z>?lDZEF@By>-QXHc{6fkuaSA^)rJt87;L?#s|F3hZ;*P`#41ybQya|)^J7t?5
zW!qlsu$>+?v(s~$#7e2`9B;79+dV&bfveU%A#=rvWjQ%#F4a%8ajakUB`_a1j`ks=
z(U^C#Rt3G#Mu+X=zSsDw3$9T?m-p82BCL?0C0C;N&~h=Cf_R@^MV3hgKe>#l9*dh)
zM_GM-ddOK^PA(rjicWpsF14dR5_r|$F|i8;^x(yc7b~$=SFX`k*)k?RXj>90&zWhv
z21%FTs6vX&{vjB*LC<9*>R9RJ3VrN*-e2K&)MJ*k@RQ5w^XQuR4mG(Zp&fwTB}?+x
z<oP|_^|kVRpyQkbPTtf=ZhgRp=O`T`PfiNcofd=3?Nw|l(-sn&R6Y#38scRENQ;bK
z?Cb|u+Hd8Inl^T4%{J}{L+Jxq@YoxCz%`y5U*3L2ny^MfZV`tnB7iR(4Kd8(zV($c
zgTp&_lL9FL@AoBUv(7%)o%4rmyZ!5udEyc5IKz`ugKQ<884`e~S>ou43TjEJd6xsy
z9()xDkBz6{SGFa+)&`f-)9}GHn}G@5l%}f?NNsdG1&e|20jAI@=DQfoFplh_IHw!i
z(MY0ac(h4TvmYXn?d7f}NrWvi1WsIWFW(gFMHetH0f*(GL@eZ4<`gGi6Zd=)3}J<u
z&NGvRIfm|TlBHDJqK&66C-ci#k4%bJN89BTI-4Fv1))_<KLu`U)8ZdGg$tngB;W63
zTgN<@r<S8%r<A^@chb=^R;1vDY6tN?L>wG6uCqbr*xC3j5fF=627km+os{`>Pjik#
zcqPsiN_@k-yQ_^4k&Ty6A2KPaEJIK8O+z0WJ6EK7aE2eFOAh!&t!ptJbv%TX3VeLl
z^%mq>;lv!ySLhZVX^rpI=u?&{F1LDVl{pbVJ+rNVutdG)^s*TEyqC)33Gs;jDsH*o
z!?Ty)<h}Opox~+>1|^brLfN1=>UY=M`BwXYm}&3MxxZ>YLd?8>AG~)Byid%0?5ftY
ziNO`^0qu)jrF+!<>(hN=iFYnJJ?vd>9uSKhy@B+wck_5ayRGUpiGFG0mAP$YUU`HG
j7f{Kj4e5Xv5N}PC$!#|KJ9;2S2Y>iGZuk3-K5%{pUduMK

diff --git a/roles/base/files/selinux/rsyslog-audit.te b/roles/base/files/selinux/rsyslog-audit.te
index a8bf497c24..cf8e03b337 100644
--- a/roles/base/files/selinux/rsyslog-audit.te
+++ b/roles/base/files/selinux/rsyslog-audit.te
@@ -1,12 +1,12 @@
-module rsyslog-audit 1.0;
+module rsyslog-audit 1.1;
 
 require {
 	type auditd_log_t;
 	type syslogd_t;
 	class file { getattr ioctl open read };
-	class dir { getattr search };
+	class dir { getattr read search };
 }
 
 #============= syslogd_t ==============
-allow syslogd_t auditd_log_t:dir { getattr search };
+allow syslogd_t auditd_log_t:dir { getattr read search };
 allow syslogd_t auditd_log_t:file { getattr ioctl open read };