initial selinux module work for rsyslog to read audit

roles/base/files/selinux/rsyslog-audit.te

@@ -0,0 +1,17 @@
+module rsyslog-audit 1.0;
+
+require {
+        type audit_log_t;
+        class file search;
+}
+
+require {
+        type audit_log_t;
+        class file ioctl;
+        class file open;
+        class file read;
+}
+
+#============= syslogd_t ==============
+allow syslogd_t auditd_log_t:dir { getattr search };
+allow syslogd_t auditd_log_t:file { getattr ioctl open read };

roles/base/tasks/main.yml

@@ -348,6 +348,27 @@
   - rsyslogd
   - config
 
+# Custom selinux policy to allow rsyslog to read and send audit to log01
+#- name: ensure a directory exists for our custom selinux module
+#  file: dest=/usr/local/share/rsyslog state=directory
+#  tags:
+#  - rsyslogd
+#  - config
+#
+#- name: copy over our custom selinux module
+#  copy: src=selinux/rsyslog-audit.pp dest=/usr/local/share/rsyslog/rsyslog-audit.pp
+#  register: selinux_module
+#  tags:
+#  - rsyslogd
+#  - config
+#
+#- name: install our custom selinux module
+#  command: semodule -i /usr/local/share/rsyslog/rsyslog-audit.pp
+#  when: selinux_module|changed
+#  tags:
+#  - rsyslogd
+#  - config
+#
 - name: Setup postfix
   include: postfix.yml