diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 9a74adb846..8231a83632 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -38,6 +38,7 @@ init_exec(secadm_t)
logging_read_audit_log(secadm_t)
logging_read_generic_logs(secadm_t)
logging_read_audit_config(secadm_t)
+logging_watch_audit_log(secadm_t)
optional_policy(`
aide_run(secadm_t, secadm_r)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index fe4ea6d72a..21a5faf6e6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -40,6 +40,9 @@ corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
dev_read_kmsg(sysadm_t)
+logging_watch_all_logs(sysadm_t)
+logging_watch_audit_log(sysadm_t)
+
mls_process_read_all_levels(sysadm_t)
selinux_read_policy(sysadm_t)
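Review bot: `logging_watch_audit_log(sysadm_t)` is granted unconditionally, while the secadm.te hunk places audit-log access alongside the security administrator's read rules. If this policy gates sysadm_t's audit-log read access behind a build option or tunable for role separation, the watch grant should sit inside the same conditional, for example an `ifndef` on `enable_mls`; the rest of sysadm.te is not visible here, so this needs confirming. Even without read access, `watch` lets the domain observe when the audit log is written. A one-line comment above the two new calls, such as `# Allow following log files via inotify`, would record the intent if that is the purpose.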
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 10dee65634..bbeefe0c57 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -146,6 +146,25 @@ interface(`logging_read_audit_log',`
dontaudit $1 auditd_log_t:file map;
')
+########################################
+##
+## Watch the audit log.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`logging_watch_audit_log',`
+ gen_require(`
+ type auditd_log_t;
+ ')
+
+ allow $1 auditd_log_t:file watch;
+')
+
########################################
##
## Execute auditctl in the auditctl domain.
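Review bot: The summary `Watch the audit log.` does not say that the interface grants only `watch` on `auditd_log_t:file`, with no read access and no directory watch, so a caller cannot tell what it must be paired with. I would expand it to something like `## Watch audit log files for changes (file watch only; grants no read access).` A tool that follows the log across rotation would probably also need a watch on the containing directory, which this interface leaves out; that may be deliberate, but it is worth stating. The same applies to `logging_watch_all_logs` in the next hunk, whose only rule is `allow $1 logfile:file watch;`.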
@@ -1072,6 +1091,25 @@ interface(`logging_read_all_logs',`
read_files_pattern($1, logfile, logfile)
')
+########################################
+##
+## Watch all log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`logging_watch_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file watch;
+')
+
########################################
##
## Execute all log files in the caller domain.