From 16a50b269e6c57211cb1bcc5a999128215478a28 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Tue, 4 Feb 2025 15:32:10 -0500
Subject: [PATCH] container_log{reader,writer}_t: allow watch file

Signed-off-by: Peter Hunt
---
 container.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/container.te b/container.te
index 05a4f64..e2ebdf2 100644
--- a/container.te
+++ b/container.te
@@ -1253,6 +1253,7 @@ logging_read_all_logs(container_logreader_t)
 allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
 logging_read_audit_log(container_logreader_t)
 logging_list_logs(container_logreader_t)
+allow container_logreader_t container_log_t:file watch;
 
 # Container Logwriter
 container_domain_template(container_logwriter, container)
@@ -1262,6 +1263,7 @@ manage_files_pattern(container_logwriter_t, logfile, logfile)
 manage_dirs_pattern(container_logwriter_t, logfile, logfile)
 manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
 logging_manage_audit_log(container_logwriter_t)
+allow container_logwriter_t container_log_t:file watch;
 
 optional_policy(`
 gen_require(`
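Review bot: The added `allow container_logreader_t container_log_t:file watch;` rule, and its twin for `container_logwriter_t` in the second hunk, carries no comment saying which access needs it, and it is scoped differently from its neighbours: the surrounding rules act on the `logfile` attribute while the watch is limited to `container_log_t`. That narrower target looks like the right least-privilege choice, so it is worth recording next to each rule, e.g. `# inotify watch limited to container_log_t files, not the whole logfile attribute`. The rule covers only the `file` class, so a consumer that also places a watch on the log directory to notice rotation would presumably still be denied; confirm this against the AVC denial that motivated the change. For the logwriter domain, which already manages these files, the commit message should say what needs to watch them, since it currently gives no rationale.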