commit 108fb92745c64e9fe5e1d0eb6c3255a82d6c2556
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 19:28:50 2018 +0100
Add selinux base modules
roles/base/files/selinux/mapchkpwd.pp | Bin 0 -> 930 bytes
roles/base/files/selinux/mapchkpwd.te | 11 +++++++++++
roles/base/files/selinux/rsyslog-audit.pp | Bin 0 -> 7609 bytes
roles/base/files/selinux/rsyslog-audit.te | 12 ++++++++++++
4 files changed, 23 insertions(+), 0 deletions(-)
---
diff --git a/roles/base/files/selinux/mapchkpwd.pp
b/roles/base/files/selinux/mapchkpwd.pp
new file mode 100644
index 0000000..09d3ad9
Binary files /dev/null and b/roles/base/files/selinux/mapchkpwd.pp differ
diff --git a/roles/base/files/selinux/mapchkpwd.te
b/roles/base/files/selinux/mapchkpwd.te
new file mode 100644
index 0000000..c53be11
--- /dev/null
+++ b/roles/base/files/selinux/mapchkpwd.te
@@ -0,0 +1,11 @@
+
+module mapchkpwd 1.0;
+
+require {
+ type chkpwd_t;
+ type shadow_t;
+ class file map;
+}
+
+#============= chkpwd_t ==============
+allow chkpwd_t shadow_t:file map;
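Review bot: The module has no comment saying why `chkpwd_t` needs `map` on `shadow_t`, and `shadow_t` labels the password hash store, so the reason should be recorded next to the `allow` line. Something like `# chkpwd_t is denied map on shadow_t without this (see AVC denial); drop once the distribution policy ships the rule` would do, with the wording checked against the actual denial. The rule itself is narrow: one permission on one type. Separately, `mapchkpwd.pp` and `rsyslog-audit.pp` are committed as compiled binaries, so neither can be checked against its `.te` in review. Building each `.pp` from the `.te` at deploy time (`checkmodule` then `semodule_package`) would close that gap.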
diff --git a/roles/base/files/selinux/rsyslog-audit.pp
b/roles/base/files/selinux/rsyslog-audit.pp
new file mode 100644
index 0000000..f1a417f
Binary files /dev/null and b/roles/base/files/selinux/rsyslog-audit.pp differ
diff --git a/roles/base/files/selinux/rsyslog-audit.te
b/roles/base/files/selinux/rsyslog-audit.te
new file mode 100644
index 0000000..a8bf497
--- /dev/null
+++ b/roles/base/files/selinux/rsyslog-audit.te
@@ -0,0 +1,12 @@
+module rsyslog-audit 1.0;
+
+require {
+ type auditd_log_t;
+ type syslogd_t;
+ class file { getattr ioctl open read };
+ class dir { getattr search };
+}
+
+#============= syslogd_t ==============
+allow syslogd_t auditd_log_t:dir { getattr search };
+allow syslogd_t auditd_log_t:file { getattr ioctl open read };
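Review bot: The two `allow` lines let `syslogd_t` read every file labelled `auditd_log_t`, and the module does not say why rsyslog needs the audit trail. rsyslog commonly also handles network log traffic, so this probably puts the audit log within reach of a more exposed domain than auditd itself. If the goal is to forward audit events, the audit dispatcher's syslog plugin may achieve that without granting this read access, which is worth confirming before the rule is kept. If it stays, put a comment above the rules such as `# rsyslog reads the audit log for forwarding; read-only, no write/append/unlink granted` so a later edit does not widen the permission set unnoticed.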