sysadm: allow sysadm to watch journal directories

Required when using 'podman logs -f' Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-02 13:47:39 -04:00 · 2022-04-02 13:47:39 -04:00 · fb531e2688
parent cf21387e29
commit fb531e2688
1 changed files with 3 additions and 0 deletions
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@ -92,6 +92,9 @@ ifdef(`init_systemd',`
 	# Allow sysadm to query and set networking settings on the system.
 	systemd_dbus_chat_networkd(sysadm_t)
 	fs_read_nsfs_files(sysadm_t)
+
+	# Allow sysadm to follow logs in the journal, i.e. with podman logs -f
+	systemd_watch_journal_dirs(sysadm_t)
 ')

 tunable_policy(`allow_ptrace',`