Add selinux policy file for rsyslog forwarding

So in the latest versions of Pike the selinux config changes a bit and it's impossible to open connections to other machines without changing the policy module. Change-Id: Iad672c39e732cbce7c5659aa731a88b40c7c3812
2017-10-24 09:29:25 -04:00 · 2017-10-24 09:29:25 -04:00 · 334aa12ac4
parent 993f68845d
commit 334aa12ac4
1 changed files with 7 additions and 0 deletions
--- a/ansible/install/roles/rsyslog-templates/tasks/main.yml
+++ b/ansible/install/roles/rsyslog-templates/tasks/main.yml
@ -138,3 +138,10 @@
    state: started
    timeout: 10
  when: rsyslog_aggregator or rsyslog_forwarding
+
+# syslog as a system process lives under some very restrictive selinux rules, this is the best
+# way I've found to get to to work reliably. On a prod system you would probably want to manually
+# validate that the .te file produced makes sense.
+- name: Generate and install syslog policy file
+  shell: "grep syslog /var/log/audit/audit.log  | audit2allow -M syslogd_t; semodule -i syslogd_t.pp"
+  become: true