roles: Added log watching permissions to secadm and sysadm.

Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
2025-03-30 07:16:57 +00:00 · 2021-04-25 17:52:24 +01:00 · 2021-04-25 17:52:24 +01:00 · 431f03f3b9
commit 431f03f3b9
parent 5873a528a9
2 changed files with 4 additions and 0 deletions
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@ -38,6 +38,7 @@ init_exec(secadm_t)
 logging_read_audit_log(secadm_t)
 logging_read_generic_logs(secadm_t)
 logging_read_audit_config(secadm_t)
+logging_watch_audit_log(secadm_t)

 optional_policy(`
 	aide_run(secadm_t, secadm_r)
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@ -40,6 +40,9 @@ corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)

 dev_read_kmsg(sysadm_t)

+logging_watch_all_logs(sysadm_t)
+logging_watch_audit_log(sysadm_t)
+
 mls_process_read_all_levels(sysadm_t)

 selinux_read_policy(sysadm_t)