Add selinux policy file for rsyslog forwarding

So in the latest versions of Pike the selinux config changes a bit and it's impossible to open connections to other machines without changing the policy module. Change-Id: Iad672c39e732cbce7c5659aa731a88b40c7c3812
cloud-bulldozer · Nov 8, 2017 · 334aa12 · 334aa12
1 parent 993f688
commit 334aa12
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/ansible/install/roles/rsyslog-templates/tasks/main.yml b/ansible/install/roles/rsyslog-templates/tasks/main.yml
@@ -138,3 +138,10 @@
     state: started
     timeout: 10
   when: rsyslog_aggregator or rsyslog_forwarding
+
+# syslog as a system process lives under some very restrictive selinux rules, this is the best
+# way I've found to get to to work reliably. On a prod system you would probably want to manually
+# validate that the .te file produced makes sense.
+- name: Generate and install syslog policy file
+  shell: "grep syslog /var/log/audit/audit.log  | audit2allow -M syslogd_t; semodule -i syslogd_t.pp"
+  become: true