From 431f03f3b9077a60c58b15ee282f9ec73d8772ec Mon Sep 17 00:00:00 2001
From: Jonathan Davies <jd+github@upthedownstair.com>
Date: Sun, 25 Apr 2021 17:52:24 +0100
Subject: [PATCH] roles: Added log watching permissions to secadm and sysadm.

Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
---
 policy/modules/roles/secadm.te | 1 +
 policy/modules/roles/sysadm.te | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 9a74adb846..8231a83632 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -38,6 +38,7 @@ init_exec(secadm_t)
 logging_read_audit_log(secadm_t)
 logging_read_generic_logs(secadm_t)
 logging_read_audit_config(secadm_t)
+logging_watch_audit_log(secadm_t)
 
 optional_policy(`
 aide_run(secadm_t, secadm_r)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index fe4ea6d72a..21a5faf6e6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -40,6 +40,9 @@ corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
 
 dev_read_kmsg(sysadm_t)
 
+logging_watch_all_logs(sysadm_t)
+logging_watch_audit_log(sysadm_t)
+
 mls_process_read_all_levels(sysadm_t)
 
 selinux_read_policy(sysadm_t)
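Review bot: In secadm.te the new `logging_watch_audit_log(secadm_t)` covers only the audit log, while the context lines above it also give secadm_t read access to generic logs through `logging_read_generic_logs(secadm_t)`. If the aim in the subject line is that the role can follow the logs it can already read, following a generic log would presumably still be denied. If the narrower grant is deliberate, a comment such as `# watch is limited to the audit log on purpose` would record that. The interface definition is not part of this patch, so which watch permissions it grants (file, directory, or both) cannot be checked from here.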
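Review bot: In sysadm.te, `logging_watch_audit_log(sysadm_t)` is added at the top level between `dev_read_kmsg(sysadm_t)` and `mls_process_read_all_levels(sysadm_t)`, so it applies unconditionally to every policy build. Watch access on the audit log tells the domain when audit records are being written, which matters in configurations that keep audit data with secadm and away from sysadm. If sysadm.te gates its other audit-log access on a build option elsewhere in the file (not visible in this hunk), this line should move into that block. If the grant is meant to be unconditional, a comment such as `# audit-log watch is intentionally unconditional for sysadm` would make the decision reviewable.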