[ansible] Fix global vars
by Nicolas Chauvet
commit fb971c106f1a33196ce70b0b79f50d140cdf01d1
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Feb 6 10:44:58 2018 +0100
Fix global vars
vars/global.yml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/vars/global.yml b/vars/global.yml
index ce13e55..cbee078 100644
--- a/vars/global.yml
+++ b/vars/global.yml
@@ -3,9 +3,9 @@ basedir: /srv/web/infra/ansible
private: /srv/private/ansible
bigfiles: /srv/web/infra/bigfiles
files: /srv/web/infra/ansible/files
-roles: /srv/web/infra/ansible/roles
-handlers: /srv/web/infra/ansible/handlers
-tasks: /srv/web/infra/ansible/tasks
+roles_path: /srv/web/infra/ansible/roles
+handlers_path: /srv/web/infra/ansible/handlers
+tasks_path: /srv/web/infra/ansible/tasks
vars_path: "/srv/web/infra/ansible/vars"
dist_tag: unknown
auth_keys_from_fas: '/srv/web/infra/ansible/scripts/auth-keys-from-fas'
[ansible] Update buildhw
by Nicolas Chauvet
commit d491e39386bfa3472fb6651cd3246154208d8192
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Feb 6 10:38:58 2018 +0100
Update buildhw
playbooks/groups/buildhw.yml | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
---
diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml
index ca08efc..35137fd 100644
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
@@ -13,7 +13,7 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- - include: "{{ tasks }}/yumrepos.yml"
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
roles:
- base
@@ -27,9 +27,9 @@
- { role: sudo, when: not inventory_hostname.startswith('bkernel') }
tasks:
- - include: "{{ tasks }}/2fa_client.yml"
+ - import_tasks: "{{ tasks_path }}/2fa_client.yml"
when: not inventory_hostname.startswith('bkernel')
- - include: "{{ tasks }}/motd.yml"
+ - import_tasks: "{{ tasks_path }}/motd.yml"
when: not inventory_hostname.startswith('bkernel')
- include: "{{ tasks }}/create_swap_file.yml swap_file_path=/var/swap-file swap_file_bs=1M swap_file_count=4096"
when: inventory_hostname.endswith('scaleway.rpmfusion.net')
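Review bot: The untouched `- include: "{{ tasks }}/create_swap_file.yml swap_file_path=... swap_file_count=4096"` line in this hunk still dereferences `tasks`, and the vars/global.yml change on this page removes that key in favour of `tasks_path`, so this include will fail with an undefined variable once both land. It was presumably left on `include:` because the inline `key=value` arguments in the path are not accepted by `import_tasks`; the smallest fix that keeps that behaviour is `- include: "{{ tasks_path }}/create_swap_file.yml swap_file_path=/var/swap-file swap_file_bs=1M swap_file_count=4096"`. The enclosing `tasks:` list continues past the end of the hunk.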
@@ -37,7 +37,7 @@
when: not datacenter == 'online'
- name: make sure kojid is running
- service: name=kojid state=running enabled=yes
+ service: name=kojid state=started enabled=yes
handlers:
- - include: "{{ handlers }}/restart_services.yml"
+ - import_tasks: "{{ handlers_path }}/restart_services.yml"
[ansible] Update tasks
by Nicolas Chauvet
commit a18d532cf8e9f85c425c0cef0cb48656928853f2
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 23:06:41 2018 +0100
Update tasks
tasks/openvpn_client.yml | 4 ++--
tasks/openvpn_client_7.yml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
---
diff --git a/tasks/openvpn_client.yml b/tasks/openvpn_client.yml
index 5249ad5..f9b44d1 100644
--- a/tasks/openvpn_client.yml
+++ b/tasks/openvpn_client.yml
@@ -1,7 +1,7 @@
---
# openvpn - ftw - or something
- name: install openvpn
- yum: name=openvpn state=present
+ package: name=openvpn state=present
tags:
- packages
@@ -41,7 +41,7 @@
- restart openvpn
- name: enable openvpn service for rhel 6
- service: name=openvpn state=running enabled=true
+ service: name=openvpn state=started enabled=true
tags:
- service
when: ansible_distribution_major_version|int == 6
diff --git a/tasks/openvpn_client_7.yml b/tasks/openvpn_client_7.yml
index 59b659c..e2e8650 100644
--- a/tasks/openvpn_client_7.yml
+++ b/tasks/openvpn_client_7.yml
@@ -1,7 +1,7 @@
---
# openvpn - ftw - or something
- name: install openvpn
- yum: name=openvpn state=present
+ package: name=openvpn state=present
tags:
- packages
@@ -41,6 +41,6 @@
- restart openvpn 7
- name: enable openvpn service for rhel 7 or fedora
- service: name=openvpn@openvpn state=running enabled=true
+ service: name=openvpn@openvpn state=started enabled=true
tags:
- service
[ansible] fixup
by Nicolas Chauvet
commit 5b51ed122ad66dab38c59c811f9ef00f27e85053
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 22:29:25 2018 +0100
fixup
roles/openvpn/client/files/client.conf | 3 +++
roles/openvpn/server/files/server.conf | 3 +++
roles/openvpn/server/meta/main.yml | 2 +-
3 files changed, 7 insertions(+), 1 deletions(-)
---
diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/files/client.conf
index a719961..a95cf0a 100644
--- a/roles/openvpn/client/files/client.conf
+++ b/roles/openvpn/client/files/client.conf
@@ -17,9 +17,12 @@ persist-key
#up /etc/openvpn/fix-routes.sh
#up-restart
+cipher AES-256-CBC
+#auth SHA512
ca ca.crt
cert client.crt
key client.key
+#remote-cert-tls server
comp-lzo
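Review bot: `#remote-cert-tls server` is added commented out, so the client will accept any certificate signed by the CA as the VPN server, including a certificate issued to another client; the line should be active: `remote-cert-tls server`. With `#auth SHA512` also commented, OpenVPN keeps its default HMAC digest (SHA1), so if the server side is changed in the same step it is worth enabling `auth SHA512` on both ends. The `cipher AES-256-CBC` line does match the server.conf change in this commit, which is needed because a CBC cipher set this way is not negotiated.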
diff --git a/roles/openvpn/server/files/server.conf b/roles/openvpn/server/files/server.conf
index 4805f6b..f9f3c0e 100644
--- a/roles/openvpn/server/files/server.conf
+++ b/roles/openvpn/server/files/server.conf
@@ -12,8 +12,11 @@ ca ca.crt
cert server.crt
key server.key
+cipher AES-256-CBC
+#auth SHA512
dh dh2048.pem
#crl-verify crl.pem
+#remote-cert-tls client
keepalive 10 120
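Review bot: `#crl-verify crl.pem` stays commented even though the server role on this page deploys `/etc/openvpn/server/crl.pem`, so a revoked client certificate is still accepted until the directive is enabled: `crl-verify crl.pem`. The newly added `#remote-cert-tls client` should likewise be active so that a certificate issued for a server cannot be presented as a client. Relative paths in these directives are resolved against the daemon's working directory, which as far as I recall the openvpn-server@ unit sets to /etc/openvpn/server, matching where the role now installs the files; worth confirming on the target hosts.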
diff --git a/roles/openvpn/server/meta/main.yml b/roles/openvpn/server/meta/main.yml
index 585d401..c7caa2e 100644
--- a/roles/openvpn/server/meta/main.yml
+++ b/roles/openvpn/server/meta/main.yml
@@ -1,3 +1,3 @@
---
dependencies:
- - { role: openvpn/base }
+ - { role: openvpn/base }
[ansible] Fixup fix-route
by Nicolas Chauvet
commit 6ce0494b7817a8eada7fbacc09cfe30ec65130cf
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 22:25:51 2018 +0100
Fixup fix-route
roles/openvpn/base/tasks/main.yml | 6 ------
1 files changed, 0 insertions(+), 6 deletions(-)
---
diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml
index 3037fb4..809d98a 100644
--- a/roles/openvpn/base/tasks/main.yml
+++ b/roles/openvpn/base/tasks/main.yml
@@ -58,9 +58,3 @@
#- restart openvpn (RHEL6)
when: inventory_hostname.startswith('bastion0')
-- name: install fix-routes.sh script
- copy: src=fix-routes.sh
- dest=/etc/openvpn/fix-routes.sh
- owner=root group=root mode=0755
- tags:
- - openvpn
[ansible] Update openvpn role
by Nicolas Chauvet
commit 922d503587b97b70c29b391c5a69cbbe685799ca
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 22:13:02 2018 +0100
Update openvpn role
roles/openvpn/client/tasks/main.yml | 77 +++++++++++++++++++++++++++++-----
roles/openvpn/server/tasks/main.yml | 27 ++++++++-----
2 files changed, 82 insertions(+), 22 deletions(-)
---
diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml
index c582e59..ba2d215 100644
--- a/roles/openvpn/client/tasks/main.yml
+++ b/roles/openvpn/client/tasks/main.yml
@@ -2,13 +2,13 @@
# OpenVpn server
- name: Install needed packages
- yum: pkg={{ item }} state=present
+ package: name={{ item }} state=present
with_items:
- openvpn
tags:
- packages
- openvpn
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8
- name: Install needed packages
dnf: pkg={{ item }} state=present
@@ -17,9 +17,32 @@
tags:
- packages
- openvpn
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
-- name: Install configuration files
+- name: Install configuration files (rhel7 and fedora)
+ copy: src={{ item.file }}
+ dest={{ item.dest }}
+ owner=root group=root mode={{ item.mode }}
+ with_items:
+ - { file: client.conf,
+ dest: /etc/openvpn/client/openvpn.conf,
+ mode: '0644' }
+ - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.crt",
+ dest: "/etc/openvpn/client/client.crt",
+ mode: '0600' }
+ - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.key",
+ dest: "/etc/openvpn/client/client.key",
+ mode: '0600' }
+ tags:
+ - install
+ - openvpn
+# notify:
+# - restart openvpn (Fedora)
+# - restart openvpn (RHEL7)
+# - restart openvpn (RHEL6)
+ when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined
+
+- name: Install configuration files (rhel6)
copy: src={{ item.file }}
dest={{ item.dest }}
owner=root group=root mode={{ item.mode }}
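Review bot: The new "Install configuration files (rhel7 and fedora)" task has its `notify:` block commented out, so a changed client.conf, client.crt or client.key is copied but the running openvpn-client@openvpn unit (the name the service tasks later in this file switch to) keeps the old configuration until something else restarts it. The old handler names (Fedora/RHEL7/RHEL6) presumably no longer match the new unit, which looks like the reason for commenting them out; the fix is to add a handler for the new unit and re-enable `notify:` here rather than leave the copy silent. The key is installed with mode `'0600'`, which is right for the private key. The following "(rhel6)" task starts in this hunk and continues outside it.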
@@ -36,29 +59,59 @@
tags:
- install
- openvpn
- notify:
- - restart openvpn (Fedora)
- - restart openvpn (RHEL7)
- - restart openvpn (RHEL6)
+# notify:
+# - restart openvpn (Fedora)
+# - restart openvpn (RHEL7)
+# - restart openvpn (RHEL6)
+ when: ( ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24) and ansible_cmdline.ostree is not defined
- name: enable openvpn service for rhel 6
- service: name=openvpn state=running enabled=true
+ service: name=openvpn state=started enabled=true
when: ansible_distribution_major_version|int == 6
tags:
- service
- openvpn
-- name: Make sure openvpn is running in rhel 7.1
- service: name=openvpn@openvpn state=running enabled=true
+- name: enable openvpn service for fedora 24
+ service: name=openvpn@openvpn state=started enabled=true
+ when: ansible_distribution_major_version|int == 24
+ tags:
+ - service
+ - openvpn
+
+- name: Make sure old openvpn is not running in rhel 7
+ service: name=openvpn@openvpn state=stopped enabled=false
+ when: ansible_distribution_major_version|int == 7
+ tags:
+ - service
+ - openvpn
+
+- name: Make sure openvpn is running in rhel 7
+ service: name=openvpn-client@openvpn state=started enabled=true
when: ansible_distribution_major_version|int == 7
tags:
- service
- openvpn
- name: enable openvpn service for Fedora
- service: name=openvpn@openvpn state=running enabled=true
+ service: name=openvpn-client@openvpn state=started enabled=true
when: is_fedora is defined
tags:
- service
- openvpn
+- name: Create directories for post-vpn service configs
+ file: path="/etc/systemd/system/{{item}}.service.d" state=directory
+ with_items: "{{postvpnservices}}"
+ when: is_fedora is defined or ansible_distribution_major_version|int == 7
+ tags:
+ - service
+ - openvpn
+
+- name: Deploy postvpn.conf for post-vpn services
+ copy: src=postvpn.conf dest="/etc/systemd/system/{{item}}.service.d/postvpn.conf"
+ with_items: "{{postvpnservices}}"
+ when: is_fedora is defined or ansible_distribution_major_version|int == 7
+ tags:
+ - service
+ - openvpn
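Review bot: `with_items: "{{postvpnservices}}"` in the two new post-vpn tasks is expanded before `when:` is evaluated, so a host for which `postvpnservices` is not set fails with an undefined-variable error instead of skipping the task; unless the role defaults define it, use `with_items: "{{ postvpnservices | default([]) }}"` on both tasks. The `copy: src=postvpn.conf dest="/etc/systemd/system/{{item}}.service.d/postvpn.conf"` task also has no notify, so a new or changed drop-in is not seen by systemd until a daemon-reload happens for some other reason; a `systemctl daemon-reload` handler would close that gap. The same mixed `is_fedora is defined or ansible_distribution_major_version|int == 7` condition is used for the `openvpn-client@openvpn` tasks above, so it is at least consistent within the file.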
diff --git a/roles/openvpn/server/tasks/main.yml b/roles/openvpn/server/tasks/main.yml
index ddde7a8..dd760b1 100644
--- a/roles/openvpn/server/tasks/main.yml
+++ b/roles/openvpn/server/tasks/main.yml
@@ -2,16 +2,16 @@
# OpenVpn server
- name: Install needed packages
- yum: pkg={{ item }} state=present
+ package: name={{ item }} state=present
with_items:
- openvpn
tags:
- packages
- openvpn
-- name: Create the /etc/openvpn/ccd/ directory
+- name: Create the /etc/openvpn/server/ccd/ directory
file: >
- dest=/etc/openvpn/ccd/
+ dest=/etc/openvpn/server/ccd/
mode=0755
owner=root
group=root
@@ -25,31 +25,38 @@
owner=root group=root mode={{ item.mode }}
with_items:
- { file: server.conf,
- dest: /etc/openvpn/openvpn.conf,
+ dest: /etc/openvpn/server/openvpn.conf,
mode: '0644' }
- { file: "{{ private }}/files/vpn/openvpn/keys/crl.pem",
- dest: /etc/openvpn/crl.pem,
+ dest: /etc/openvpn/server/crl.pem,
mode: '0644' }
- { file: "{{ private }}/files/vpn/openvpn/keys/server.crt",
- dest: /etc/openvpn/server.crt,
+ dest: /etc/openvpn/server/server.crt,
mode: '0644' }
- { file: "{{ private }}/files/vpn/openvpn/keys/server.key",
- dest: /etc/openvpn/server.key,
+ dest: /etc/openvpn/server/server.key,
mode: '0600' }
- { file: "{{ private }}/files/vpn/openvpn/keys/dh2048.pem",
- dest: /etc/openvpn/dh2048.pem,
+ dest: /etc/openvpn/server/dh2048.pem,
mode: '0644' }
tags:
- install
- openvpn
- name: Install the ccd files
- copy: src=ccd/ dest=/etc/openvpn/ccd/
+ copy: src=ccd/ dest=/etc/openvpn/server/ccd/
tags:
- openvpn
+- name: disable old openvpn service for rhel 7 or Fedora
+ service: name=openvpn@openvpn state=stopped enabled=false
+ when: ( ansible_distribution_version[0] == 7 or is_fedora is defined ) and openvpn_master is defined
+ tags:
+ - service
+ - openvpn
+
- name: enable openvpn service for rhel 7 or Fedora
- service: name=openvpn@openvpn state=running enabled=true
+ service: name=openvpn-server@openvpn state=started enabled=true
when: ( ansible_distribution_version[0] == 7 or is_fedora is defined ) and openvpn_master is defined
tags:
- service
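Review bot: The new `when: ( ansible_distribution_version[0] == 7 or is_fedora is defined ) and openvpn_master is defined` compares the first character of a string with the integer 7, which is never true in Jinja2, so on RHEL/CentOS 7 the stop-old-unit task runs only if `is_fedora` happens to be defined; the unchanged enable task below it has the same condition. The rest of this role series uses the major-version form, so `when: ( ansible_distribution_major_version|int == 7 or is_fedora is defined ) and openvpn_master is defined` on both tasks would make them fire on RHEL 7 as intended. The enclosing task list continues past the end of the hunk.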
[ansible] Update openvpn base
by Nicolas Chauvet
commit 2ae1e57ea482833f9a4e2995e5dcbb2bcf02e3b2
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 22:11:21 2018 +0100
Update openvpn base
roles/openvpn/base/tasks/main.yml | 51 +++++++++++++++++++++++++++++++------
1 files changed, 43 insertions(+), 8 deletions(-)
---
diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml
index a6207a2..3037fb4 100644
--- a/roles/openvpn/base/tasks/main.yml
+++ b/roles/openvpn/base/tasks/main.yml
@@ -2,30 +2,65 @@
# OpenVpn basic configuration
- name: Install needed package
- yum: pkg={{ item }} state=present
+ package: name={{ item }} state=present
with_items:
- openvpn
tags:
+ - openvpn
- packages
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8
- name: Install needed package (dnf)
dnf: pkg={{ item }} state=present
with_items:
- openvpn
tags:
+ - openvpn
- packages
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
-- name: Install certificate and key
+- name: Install certificate and key (rhel6 and fedora24 and older)
copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt
dest=/etc/openvpn/ca.crt
owner=root group=root mode=0600
tags:
- install
- openvpn
- notify:
- - restart openvpn (Fedora)
- - restart openvpn (RHEL7)
- - restart openvpn (RHEL6)
+ #notify:
+ #- restart openvpn (Fedora)
+ #- restart openvpn (RHEL7)
+ #- restart openvpn (RHEL6)
+ when: ansible_distribution_major_version|int < 25
+
+- name: Install certificate and key (rhel7 or fedora) for client
+ copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt
+ dest=/etc/openvpn/client/ca.crt
+ owner=root group=root mode=0600
+ tags:
+ - install
+ - openvpn
+ #notify:
+ #- restart openvpn (Fedora)
+ #- restart openvpn (RHEL7)
+ #- restart openvpn (RHEL6)
+ when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24 ) and ansible_cmdline.ostree is not defined
+- name: Install certificate and key (rhel7 or fedora) for server
+ copy: src={{ private }}/files/vpn/openvpn/keys/ca.crt
+ dest=/etc/openvpn/server/ca.crt
+ owner=root group=root mode=0600
+ tags:
+ - install
+ - openvpn
+ #notify:
+ #- restart openvpn (Fedora)
+ #- restart openvpn (RHEL7)
+ #- restart openvpn (RHEL6)
+ when: inventory_hostname.startswith('bastion0')
+
+- name: install fix-routes.sh script
+ copy: src=fix-routes.sh
+ dest=/etc/openvpn/fix-routes.sh
+ owner=root group=root mode=0755
+ tags:
+ - openvpn
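Review bot: The added `when: ansible_distribution_major_version|int < 25` on the task named "(rhel6 and fedora24 and older)" also matches RHEL 7, so rhel7 hosts get the CA at both /etc/openvpn/ca.crt and the new /etc/openvpn/client/ca.crt; the client role in the same series uses `when: ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24` for the equivalent split, and the same condition here would match the task name. The server-side copy is gated on `when: inventory_hostname.startswith('bastion0')` while the server role gates on `openvpn_master is defined`; unless the hostname prefix is deliberate, `when: openvpn_master is defined` keeps the two in step. As in the other openvpn hunks, `notify:` is commented out, so a rotated ca.crt is installed without restarting the service.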
[ansible] Sync fas_client
by Nicolas Chauvet
commit c21a6790f25f081a65f1fe4be24394c00fb64f7d
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 22:01:13 2018 +0100
Sync fas_client
roles/fas_client/tasks/main.yml | 34 ++++++++++++++++------------------
1 files changed, 16 insertions(+), 18 deletions(-)
---
diff --git a/roles/fas_client/tasks/main.yml b/roles/fas_client/tasks/main.yml
index 1de9f37..b1f17fa 100644
--- a/roles/fas_client/tasks/main.yml
+++ b/roles/fas_client/tasks/main.yml
@@ -1,18 +1,17 @@
---
#
-# This task sets up fasClient on a machine.
+# This task sets up fasClient on a machine.
# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job update.
#
#
-# fas-clients is in the infrastructure repo.
+# fas-clients is in the infrastructure repo.
# nss_db is needed to store user/group info.
#
- name: install package needed for fas-client (yum)
package: state=present name={{ item }}
with_items:
- fas-clients
- - python-bunch
- cronie
tags:
- packages
@@ -24,14 +23,14 @@
src={{files}}/hotfix/python-fedora/fas2.py
dest="{{pythonsitelib}}/fedora/client/fas2.py"
owner=root group=root mode=0644
+ when: inventory_hostname.startswith('DISABLED')
tags:
- packages
- fas_client
-- name: install nss_db on rhel hosts only
- yum: state=present name=nss_db
- when: (ansible_distribution == "CentOS" and ansible_distribution_major_version|int >= 6) or
- (ansible_distribution == "Fedora" and ansible_distribution_major_version|int >= 24)
+- name: install nss_db on rhel or fedora 25 or greater hosts only
+ package: state=present name=nss_db
+ when: ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int > 24
tags:
- packages
- fas_client
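Review bot: The new nss_db condition `when: ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int > 24` no longer matches RHEL/CentOS 7, which the removed `>= 6` condition did; if any 7 hosts still rely on nss_db this silently stops installing it, so either add `== 7` or state in the task name that 7 is excluded on purpose. The hotfix task above is disabled by `when: inventory_hostname.startswith('DISABLED')`, which hides the intent behind an impossible hostname match; `when: false  # disabled: hotfix no longer applies — confirm` (or deleting the task) says the same thing plainly.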
@@ -40,30 +39,29 @@
# setup /etc/nsswitch.conf to use nssdb
#
- name: setup /etc/nsswitch.conf for client use
- copy: src=nsswitch.conf dest=/etc/nsswitch.conf owner=root mode=644
+ copy: src=nsswitch.conf dest=/etc/nsswitch.conf owner=root mode=0644
tags:
- config
- fas_client
#
-# fasClients needs a valid /etc/fas.conf.
-# There's vars used in this template:
+# fasClients needs a valid /etc/fas.conf.
+# There's vars used in this template:
#
# fas_client_groups = "sysadmin-main"
# fas_client_restricted_app = ""
# fas_client_admin_app = ""
# fas_client_ssh_groups = ""
#
-# if desired, set them on a per host/group basis.
+# if desired, set them on a per host/group basis.
#
-# Currently the default template is used, but could be modified on a host basis.
+# Currently the default template is used, but could be modified on a host basis.
#
- name: setup /etc/fas.conf for client use
- template: src={{ item }} dest=/etc/fas.conf owner=root mode=600
+ template: src={{ item }} dest=/etc/fas.conf owner=root mode=0600
with_first_found:
- - ../templates/{{ ansible_fqdn }}.fas.conf.j2
+ - ../templates/{{ inventory_hostname }}.fas.conf.j2
- ../templates/{{ ansible_hostname }}.fas.conf.j2
- - ../templates/{{ ansible_hostname }}.fas.conf.j2
- ../templates/fas.conf.j2
tags:
- config
@@ -81,20 +79,20 @@
# - config
- name: fas_client cron job
- copy: src=fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=644
+ copy: src=fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=0644
tags:
- config
- fas_client
- name: fas_client_aliases cron job
- copy: src=fas-client-aliases.cron dest=/etc/cron.d/fas-client-aliases owner=root mode=644
+ copy: src=fas-client-aliases.cron dest=/etc/cron.d/fas-client-aliases owner=root mode=0644
tags:
- config
- fas_client
when: fas_aliases is defined
- name: fas_client_aliases template
- copy: src={{ files }}/aliases.template dest=/etc/aliases.template owner=root mode=644
+ copy: src=aliases.template dest=/etc/aliases.template owner=root mode=0644
tags:
- config
- fas_client
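Review bot: `copy: src=aliases.template ...` now looks the file up relative to the role's files/ directory instead of `{{ files }}/aliases.template`, and the diffstat for this commit lists only tasks/main.yml, so unless roles/fas_client/files/aliases.template already exists the task will fail at runtime. If the file is meant to move, it belongs in this commit; otherwise the previous `src={{ files }}/aliases.template` should be kept. The `mode=644` → `mode=0644` changes in this hunk are a genuine fix, since the unprefixed value is parsed as a decimal mode.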
[ansible] Remove uneeded dirs
by Nicolas Chauvet
commit a1bda77185db35d7705051de6a9234dd9aea42b5
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 19:50:27 2018 +0100
Remove unneeded dirs
roles/koji_builder/tasks/main.yml | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
---
diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml
index 204e489..2f58d21 100644
--- a/roles/koji_builder/tasks/main.yml
+++ b/roles/koji_builder/tasks/main.yml
@@ -57,8 +57,6 @@
with_items:
- /pub
- /mnt/rpmfusion_koji
- - /pub/fedora
- - /pub/epel
tags:
- koji_builder
[ansible] Add selinux base modules
by Nicolas Chauvet
commit 108fb92745c64e9fe5e1d0eb6c3255a82d6c2556
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 19:28:50 2018 +0100
Add selinux base modules
roles/base/files/selinux/mapchkpwd.pp | Bin 0 -> 930 bytes
roles/base/files/selinux/mapchkpwd.te | 11 +++++++++++
roles/base/files/selinux/rsyslog-audit.pp | Bin 0 -> 7609 bytes
roles/base/files/selinux/rsyslog-audit.te | 12 ++++++++++++
4 files changed, 23 insertions(+), 0 deletions(-)
---
diff --git a/roles/base/files/selinux/mapchkpwd.pp b/roles/base/files/selinux/mapchkpwd.pp
new file mode 100644
index 0000000..09d3ad9
Binary files /dev/null and b/roles/base/files/selinux/mapchkpwd.pp differ
diff --git a/roles/base/files/selinux/mapchkpwd.te b/roles/base/files/selinux/mapchkpwd.te
new file mode 100644
index 0000000..c53be11
--- /dev/null
+++ b/roles/base/files/selinux/mapchkpwd.te
@@ -0,0 +1,11 @@
+
+module mapchkpwd 1.0;
+
+require {
+ type chkpwd_t;
+ type shadow_t;
+ class file map;
+}
+
+#============= chkpwd_t ==============
+allow chkpwd_t shadow_t:file map;
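Review bot: Neither mapchkpwd.te nor rsyslog-audit.te (the following hunk) records which denial the module addresses or on which policy version it was needed, which is what the next person auditing a custom policy module will ask; a header such as `# Allows unix_chkpwd to mmap /etc/shadow (file map permission); needed on <policy version — TODO record>` above `module mapchkpwd 1.0;`, and an equivalent one naming the rsyslog/audit-log read case in rsyslog-audit.te, would do. Both rules are narrow (a single `map`, and read-only access to `auditd_log_t`), which is the right shape; the rsyslog grant does expose audit log content to syslogd_t, so it is worth stating in the comment that this is intended. The .pp files are committed as build artifacts with no rebuild step visible in the commit, and mapchkpwd.te starts with a stray blank line.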
diff --git a/roles/base/files/selinux/rsyslog-audit.pp b/roles/base/files/selinux/rsyslog-audit.pp
new file mode 100644
index 0000000..f1a417f
Binary files /dev/null and b/roles/base/files/selinux/rsyslog-audit.pp differ
diff --git a/roles/base/files/selinux/rsyslog-audit.te b/roles/base/files/selinux/rsyslog-audit.te
new file mode 100644
index 0000000..a8bf497
--- /dev/null
+++ b/roles/base/files/selinux/rsyslog-audit.te
@@ -0,0 +1,12 @@
+module rsyslog-audit 1.0;
+
+require {
+ type auditd_log_t;
+ type syslogd_t;
+ class file { getattr ioctl open read };
+ class dir { getattr search };
+}
+
+#============= syslogd_t ==============
+allow syslogd_t auditd_log_t:dir { getattr search };
+allow syslogd_t auditd_log_t:file { getattr ioctl open read };