From 60983561be0c4ec93562244ab4e474ad74df0fe2 Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Thu, 5 Jan 2017 11:34:11 +0100
Subject: [PATCH] sysadm: fix denials

allow to read kmesg and the selinux policy
---
 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index ce1c76560..4e9262197 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -27,8 +27,12 @@ ifndef(`enable_mls',`
 
 corecmd_exec_shell(sysadm_t)
 
+dev_read_kmsg(sysadm_t)
+
 mls_process_read_all_levels(sysadm_t)
 
+selinux_read_policy(sysadm_t)
+
 ubac_process_exempt(sysadm_t)
 ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)