From c1d007563eb59a1d5ee87d10d2b3f0dde9dc20d0 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 1 Apr 2022 10:39:08 -0400
Subject: [PATCH 1/3] container: also allow containers to watch public content

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index a243eb4a5..3f6e7aea3 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -248,10 +248,12 @@ tunable_policy(`container_manage_cgroup',`
 
 tunable_policy(`container_manage_public_content',`
 miscfiles_manage_public_files(container_domain)
+ miscfiles_watch_public_dirs(container_domain)
 ')
 
 tunable_policy(`container_read_public_content',`
 miscfiles_read_public_files(container_domain)
+ miscfiles_watch_public_dirs(container_domain)
 ')
 
 tunable_policy(`container_use_nfs',`

From cf21387e296e0f8540d7bffeb8f3f6ba65826c06 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 2 Apr 2022 13:46:01 -0400
Subject: [PATCH 2/3] podman: allow podman to watch journal dirs

Watch access is required for 'podman logs -f' to function.

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/podman.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index f8600a7a9..7506f9e85 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -76,6 +76,7 @@ ifdef(`init_systemd',`
 logging_search_logs(podman_t)
 systemd_list_journal_dirs(podman_t)
 systemd_read_journal_files(podman_t)
+ systemd_watch_journal_dirs(podman_t)
 ')
 
 ########################################
@@ -142,6 +143,7 @@ ifdef(`init_systemd',`
 logging_search_logs(podman_user_t)
 systemd_list_journal_dirs(podman_user_t)
 systemd_read_journal_files(podman_user_t)
+ systemd_watch_journal_dirs(podman_user_t)
 ')
 
 ########################################
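Review bot: The two added `miscfiles_watch_public_dirs(container_domain)` lines give no reason for the new permission, unlike the journal patches later in this series, which name 'podman logs -f'. Because `container_domain` is an attribute covering every container domain, a short rationale next to the rule would help later audits of what each tunable grants; suggest a comment of the form `# watch on public dirs is needed for <use case>` above each added line, with the use case filled in by the author. The permission is on directories only, so a workload that follows a file's contents rather than directory entries may still hit a denial on the file class; that is worth confirming from the AVC log rather than assuming the dirs rule is sufficient. Both tunable_policy blocks are complete within the hunk.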
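Review bot: The new `systemd_watch_journal_dirs(podman_t)` line carries no comment, whereas patch 3 annotates the equivalent sysadm_t rule with its 'podman logs -f' rationale; the podman_user_t hunk at -142 has the same gap. Suggest `# watch is needed to follow the journal with 'podman logs -f'` above both added lines so the reason survives outside the commit message. Both additions sit inside an `ifdef(`init_systemd',`` block whose opening is outside the hunk, which is the right place for a systemd_* interface. Since the journal client may also need watch on the journal files themselves, confirm the follow mode runs without further denials rather than assuming the dirs rule alone is enough.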
From fb531e268874bfdd8072ac5de285a2176dbfc465 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 2 Apr 2022 13:47:39 -0400
Subject: [PATCH 3/3] sysadm: allow sysadm to watch journal directories

Required when using 'podman logs -f'

Signed-off-by: Kenton Groombridge
---
 policy/modules/roles/sysadm.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7f8ea1d08..651c19cf2 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -92,6 +92,9 @@ ifdef(`init_systemd',`
 # Allow sysadm to query and set networking settings on the system.
 systemd_dbus_chat_networkd(sysadm_t)
 fs_read_nsfs_files(sysadm_t)
+
+ # Allow sysadm to follow logs in the journal, i.e. with podman logs -f
+ systemd_watch_journal_dirs(sysadm_t)
 ')
 
 tunable_policy(`allow_ptrace',`
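Review bot: The new comment `# Allow sysadm to follow logs in the journal, i.e. with podman logs -f` uses "i.e." for what is one example of a journal follower, and the rule itself is unconditional for sysadm_t rather than tied to podman; suggest `# Allow sysadm to follow the journal, e.g. with 'podman logs -f'` so the comment matches the rule's actual scope. The rule is appended under the networking-settings group; if sysadm.te already groups its journal read/list interfaces elsewhere in this ifdef block (not visible in the hunk), the watch rule would read better beside them. The enclosing `ifdef(`init_systemd',`` block opens outside the hunk.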