Allow journald to read the kernel ring buffer and to use /dev/kmsg

audit.log shows that journald needs to read the kernel read buffer:

    avc:  denied  { syslog_read } for  pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1

Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394

policy/modules/kernel/devices.if

@@ -2196,6 +2196,24 @@ interface(`dev_write_kmsg',`
 	write_chr_files_pattern($1, device_t, kmsg_device_t)
 ')
 
+########################################
+## <summary>
+##	Read and write to the kernel messages device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_kmsg',`
+	gen_require(`
+		type device_t, kmsg_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the ksm devices.

policy/modules/system/logging.te

@@ -406,6 +406,7 @@ kernel_read_messages(syslogd_t)
 kernel_read_vm_sysctls(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+kernel_read_ring_buffer(syslogd_t)
 # /initrd is not umounted before minilog starts
 kernel_dontaudit_search_unlabeled(syslogd_t)
 
@@ -437,6 +438,8 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+# Allow access to /dev/kmsg for journald
+dev_rw_kmsg(syslogd_t)
 
 domain_use_interactive_fds(syslogd_t)