From fcf570d42e9a4754b6c8c7acccd2ef4569da7f71 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 4 May 2017 14:02:02 +0000
Subject: [PATCH] initial selinux module work for rsyslog to read audit

---
 roles/base/files/selinux/rsyslog-audit.te | 17 +++++++++++++++++
 roles/base/tasks/main.yml | 21 +++++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 roles/base/files/selinux/rsyslog-audit.te

diff --git a/roles/base/files/selinux/rsyslog-audit.te b/roles/base/files/selinux/rsyslog-audit.te
new file mode 100644
index 0000000000..31f3a22215
--- /dev/null
+++ b/roles/base/files/selinux/rsyslog-audit.te
@@ -0,0 +1,17 @@
+module rsyslog-audit 1.0;
+
+require {
+ type audit_log_t;
+ class file search;
+}
+
+require {
+ type audit_log_t;
+ class file ioctl;
+ class file open;
+ class file read;
+}
+
+#============= syslogd_t ==============
+allow syslogd_t auditd_log_t:dir { getattr search };
+allow syslogd_t auditd_log_t:file { getattr ioctl open read };
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 0a2ff3a0d3..ea3e0c1edd 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -348,6 +348,27 @@
 - rsyslogd
 - config
 
+# Custom selinux policy to allow rsyslog to read and send audit to log01
+#- name: ensure a directory exists for our custom selinux module
+# file: dest=/usr/local/share/rsyslog state=directory
+# tags:
+# - rsyslogd
+# - config
+#
+#- name: copy over our custom selinux module
+# copy: src=selinux/rsyslog-audit.pp dest=/usr/local/share/rsyslog/rsyslog-audit.pp
+# register: selinux_module
+# tags:
+# - rsyslogd
+# - config
+#
+#- name: install our custom selinux module
+# command: semodule -i /usr/local/share/rsyslog/rsyslog-audit.pp
+# when: selinux_module|changed
+# tags:
+# - rsyslogd
+# - config
+#
 - name: Setup postfix
 include: postfix.yml
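Review bot: The two `require` blocks in rsyslog-audit.te declare `audit_log_t`, but the `allow` rules at the end of the hunk reference `auditd_log_t`, and neither `syslogd_t` nor the `dir` class is required anywhere, so checkmodule will reject the module before it can be packaged or loaded with `semodule -i`. `class file search` also lists a directory permission under the `file` class, and `getattr` is used on both classes without being required. Collapsing the two blocks into one `require` that names exactly the types and permissions the rules use fixes the build; if `audit_log_t` is not a type in the base policy (the rules never use it), dropping it is also what lets semodule load the module. The grant itself stays what the rules already ask for: read-only access for `syslogd_t` to the audit log directory and its files, with no write or append permission.
```selinux
module rsyslog-audit 1.0;

require {
	type syslogd_t;
	type auditd_log_t;
	class dir { getattr search };
	class file { getattr ioctl open read };
}

# … unchanged: the two allow rules for syslogd_t on auditd_log_t …
```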