Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Update rsyslog-audit custom SELinux policy to allow dir reads

Browse source 
This now seems to be necessary. This is the cause of the flood
of SELinux denials on F29+ hosts with the rsyslog stuff.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
This commit is contained in:
Adam Williamson 2019-05-29 09:49:03 -07:00
parent 8611ab80ed
commit 3eb406ccdb
2 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
roles/base/files/selinux/rsyslog-audit.pp
View file

Binary file not shown.

6
roles/base/files/selinux/rsyslog-audit.te
View file

@ -1,12 +1,12 @@
module rsyslog-audit 1.0; module rsyslog-audit 1.1;
require { require {
type auditd_log_t; type auditd_log_t;
type syslogd_t; type syslogd_t;
class file { getattr ioctl open read }; class file { getattr ioctl open read };
class dir { getattr search }; class dir { getattr read search };
} }
#============= syslogd_t ============== #============= syslogd_t ==============
allow syslogd_t auditd_log_t:dir { getattr search }; allow syslogd_t auditd_log_t:dir { getattr read search };
allow syslogd_t auditd_log_t:file { getattr ioctl open read }; allow syslogd_t auditd_log_t:file { getattr ioctl open read };