From 431f03f3b9077a60c58b15ee282f9ec73d8772ec Mon Sep 17 00:00:00 2001
From: Jonathan Davies <jd+github@upthedownstair.com>
Date: Sun, 25 Apr 2021 17:52:24 +0100
Subject: [PATCH] roles: Added log watching permissions to secadm and sysadm.

Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
---
 policy/modules/roles/secadm.te | 1 +
 policy/modules/roles/sysadm.te | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 9a74adb846..8231a83632 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -38,6 +38,7 @@ init_exec(secadm_t)
 logging_read_audit_log(secadm_t)
 logging_read_generic_logs(secadm_t)
 logging_read_audit_config(secadm_t)
+logging_watch_audit_log(secadm_t)
 
 optional_policy(`
 	aide_run(secadm_t, secadm_r)
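Review bot: The added `logging_watch_audit_log(secadm_t)` pairs with `logging_read_audit_log(secadm_t)` above it, but `logging_read_generic_logs(secadm_t)` gets no watch counterpart. As a result secadm_t can follow the audit log but would presumably still be denied when following a generic log the same way. If that asymmetry is deliberate least privilege, a one-line comment would record it, for example `# secadm may follow the audit log; generic logs are read without watch`. The commit message also does not say which tool or AVC denial motivated the rule; quoting the denial there would let a later reviewer confirm that `watch` is the only permission needed.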
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index fe4ea6d72a..21a5faf6e6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -40,6 +40,9 @@ corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
 
 dev_read_kmsg(sysadm_t)
 
+logging_watch_all_logs(sysadm_t)
+logging_watch_audit_log(sysadm_t)
+
 mls_process_read_all_levels(sysadm_t)
 
 selinux_read_policy(sysadm_t)
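Review bot: `logging_watch_audit_log(sysadm_t)` is added unconditionally at top level, so sysadm_t gains visibility into audit-log file activity even in policy builds that separate audit administration from system administration. Refpolicy's sysadm.te, as far as I recall, keeps sysadm's other audit-log access inside a conditional that applies only when `enable_mls` is not defined. That block is outside this hunk, so confirm it exists in this tree and move the line into it. `logging_watch_all_logs(sysadm_t)` can stay where it is, but check whether the all-logs interface already covers the audit log type, since that would bypass the separation regardless of where the second line sits. A comment such as `# audit log watch is limited to non-MLS policy so sysadm and auditadm duties stay separate` would document the intent.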