diff --git a/policy/centos8/rancher.te b/policy/centos8/rancher.te
index 0ecd647..3ae45a3 100644
--- a/policy/centos8/rancher.te
+++ b/policy/centos8/rancher.te
@@ -31,7 +31,7 @@ gen_require(`
 type syslogd_var_run_t;
 type var_log_t;
 class dir { read search };
-class file { open read };
+class file { getattr map open read watch };
 class lnk_file { getattr read };
 ')
 container_domain_template(rke_logreader, container)
@@ -39,14 +39,14 @@ virt_sandbox_domain(rke_logreader_t)
 corenet_unconfined(rke_logreader_t)
 allow rke_logreader_t container_log_t:dir { open read search };
 allow rke_logreader_t container_log_t:lnk_file { getattr read };
-allow rke_logreader_t container_log_t:file { getattr open read };
+allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
 allow rke_logreader_t var_log_t:dir read;
-allow rke_logreader_t var_log_t:file { getattr map open read };
+allow rke_logreader_t var_log_t:file { getattr map open read watch };
 ########################
 # type rke_container_t #
diff --git a/policy/centos9/rancher.te b/policy/centos9/rancher.te
index 0ecd647..3ae45a3 100644
--- a/policy/centos9/rancher.te
+++ b/policy/centos9/rancher.te
@@ -31,7 +31,7 @@ gen_require(`
 type syslogd_var_run_t;
 type var_log_t;
 class dir { read search };
-class file { open read };
+class file { getattr map open read watch };
 class lnk_file { getattr read };
 ')
 container_domain_template(rke_logreader, container)
@@ -39,14 +39,14 @@ virt_sandbox_domain(rke_logreader_t)
 corenet_unconfined(rke_logreader_t)
 allow rke_logreader_t container_log_t:dir { open read search };
 allow rke_logreader_t container_log_t:lnk_file { getattr read };
-allow rke_logreader_t container_log_t:file { getattr open read };
+allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
 allow rke_logreader_t var_log_t:dir read;
-allow rke_logreader_t var_log_t:file { getattr map open read };
+allow rke_logreader_t var_log_t:file { getattr map open read watch };
 ########################
 # type rke_container_t #
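Review bot: The new `watch` permission is granted only on the `file` class, while `container_log_t:dir` stays `{ open read search }` and the `class dir` line in the `gen_require` block still lists only `read search`; if rke_logreader discovers newly created log files through an inotify watch on the log directory rather than on each file, the denial simply moves to the dir class. If the audit log shows such requests, the fix is `allow rke_logreader_t container_log_t:dir { open read search watch };` together with `class dir { read search watch };` in the require block. Note also that `watch` is added for `container_log_t` and `var_log_t` but not for `syslogd_var_run_t` or `container_var_lib_t`, which the domain otherwise reads the same way; a comment such as `# watch: log tailer registers inotify on container/host log files only` above the first allow rule would make the asymmetry deliberate rather than an omission. The same two hunks appear verbatim in policy/centos9/rancher.te (same blob ids on both index lines), so any follow-up must be applied to both copies or the files deduplicated.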