From a420ce4a8146da20157ebd20b74ec02b9082e36d Mon Sep 17 00:00:00 2001
From: lopf <24865808+lopf@users.noreply.github.com>
Date: Tue, 7 Nov 2023 11:52:59 +0100
Subject: [PATCH 1/4] 32 watch permissions are required by fluentbit

---
 policy/centos9/rancher.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/centos9/rancher.te b/policy/centos9/rancher.te
index 0ecd647..a882586 100644
--- a/policy/centos9/rancher.te
+++ b/policy/centos9/rancher.te
@@ -39,14 +39,14 @@ virt_sandbox_domain(rke_logreader_t)
 corenet_unconfined(rke_logreader_t)
 allow rke_logreader_t container_log_t:dir { open read search };
 allow rke_logreader_t container_log_t:lnk_file { getattr read };
-allow rke_logreader_t container_log_t:file { getattr open read };
+allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
 allow rke_logreader_t var_log_t:dir read;
-allow rke_logreader_t var_log_t:file { getattr map open read };
+allow rke_logreader_t var_log_t:file { getattr map open read watch };
 
 ########################
 # type rke_container_t #

From 28f5fff3f74d9446aadf836f2a300dd0f17986f9 Mon Sep 17 00:00:00 2001
From: lopf <24865808+lopf@users.noreply.github.com>
Date: Mon, 4 Dec 2023 15:14:29 +0100
Subject: [PATCH 2/4] watch permissions are required by fluentbit, for CentOS 8

---
 policy/centos8/rancher.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/centos8/rancher.te b/policy/centos8/rancher.te
index 0ecd647..a882586 100644
--- a/policy/centos8/rancher.te
+++ b/policy/centos8/rancher.te
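Review bot: The two `+allow` lines grant `watch` on `container_log_t:file` and `var_log_t:file` without a comment recording why, so a later policy audit has only git history to explain the grant. A one-line `#` comment above the first changed rule would fix that, e.g. `# watch: needed by fluentbit (inotify) to tail these log files`. Because rke_logreader_t can already `read` both types, `watch` adds little exposure, but if fluentbit also watches the log directories for rotation the next denial will be `watch` on the `dir` class; worth checking the audit log before settling on file-only grants. The identical rules recur for the centos8 file in the PATCH 2 hunk and again in the PATCH 4 @@ -39 hunk.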
@@ -39,14 +39,14 @@ virt_sandbox_domain(rke_logreader_t)
 corenet_unconfined(rke_logreader_t)
 allow rke_logreader_t container_log_t:dir { open read search };
 allow rke_logreader_t container_log_t:lnk_file { getattr read };
-allow rke_logreader_t container_log_t:file { getattr open read };
+allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
 allow rke_logreader_t var_log_t:dir read;
-allow rke_logreader_t var_log_t:file { getattr map open read };
+allow rke_logreader_t var_log_t:file { getattr map open read watch };
 
 ########################
 # type rke_container_t #

From f2ea488f0efc5d9003ca571dded0d60ce48b166b Mon Sep 17 00:00:00 2001
From: lopf <24865808+lopf@users.noreply.github.com>
Date: Mon, 4 Dec 2023 15:51:24 +0100
Subject: [PATCH 3/4] Revert "watch permissions are required by fluentbit, for CentOS 8"

This reverts commit 28f5fff3f74d9446aadf836f2a300dd0f17986f9.

---
 policy/centos8/rancher.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/centos8/rancher.te b/policy/centos8/rancher.te
index a882586..0ecd647 100644
--- a/policy/centos8/rancher.te
+++ b/policy/centos8/rancher.te
@@ -39,14 +39,14 @@ virt_sandbox_domain(rke_logreader_t)
 corenet_unconfined(rke_logreader_t)
 allow rke_logreader_t container_log_t:dir { open read search };
 allow rke_logreader_t container_log_t:lnk_file { getattr read };
-allow rke_logreader_t container_log_t:file { getattr open read watch };
+allow rke_logreader_t container_log_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
 allow rke_logreader_t var_log_t:dir read;
-allow rke_logreader_t var_log_t:file { getattr map open read watch };
+allow rke_logreader_t var_log_t:file { getattr map open read };
 
 ########################
 # type rke_container_t #

From d8658811f0560bcd1725edec0e34e99369344b9f Mon Sep 17 00:00:00 2001
From: Andy Pitcher
Date: Mon, 4 Dec 2023 17:18:26 -0500
Subject: [PATCH 4/4] Add watch permission to class: file

---
 policy/centos8/rancher.te | 6 +++---
 policy/centos9/rancher.te | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/centos8/rancher.te b/policy/centos8/rancher.te
index 0ecd647..3ae45a3 100644
--- a/policy/centos8/rancher.te
+++ b/policy/centos8/rancher.te
@@ -31,7 +31,7 @@ gen_require(`
 type syslogd_var_run_t;
 type var_log_t;
 class dir { read search };
- class file { open read };
+ class file { getattr map open read watch };
 class lnk_file { getattr read };
 ')
 container_domain_template(rke_logreader, container)
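Review bot: The new require line `class file { getattr map open read watch };` is now load-bearing — it matches the union of file permissions the rke_logreader_t rules in the @@ -39 hunk use, whereas the old `{ open read }` already omitted the `getattr` and `map` those rules used before this series — yet nothing ties the two places together. Add `# must list every file permission used by the rke_logreader_t rules below` above it so the next permission addition updates both. Presumably the missing `watch` in this require block is what the reverted PATCH 2 ran into on CentOS 8; if so, saying that in the commit message would spare the next reader the detour. The same require change is made to the centos9 file in the second hunk of this patch; the enclosing gen_require block opens before this hunk.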
@@ -39,14 +39,14 @@ virt_sandbox_domain(rke_logreader_t)
 corenet_unconfined(rke_logreader_t)
 allow rke_logreader_t container_log_t:dir { open read search };
 allow rke_logreader_t container_log_t:lnk_file { getattr read };
-allow rke_logreader_t container_log_t:file { getattr open read };
+allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
 allow rke_logreader_t var_log_t:dir read;
-allow rke_logreader_t var_log_t:file { getattr map open read };
+allow rke_logreader_t var_log_t:file { getattr map open read watch };
 
 ########################
 # type rke_container_t #
diff --git a/policy/centos9/rancher.te b/policy/centos9/rancher.te
index a882586..3ae45a3 100644
--- a/policy/centos9/rancher.te
+++ b/policy/centos9/rancher.te
@@ -31,7 +31,7 @@ gen_require(`
 type syslogd_var_run_t;
 type var_log_t;
 class dir { read search };
- class file { open read };
+ class file { getattr map open read watch };
 class lnk_file { getattr read };
 ')
 container_domain_template(rke_logreader, container)