From 0cd4068aea9da32aaec3a0f2ee0223e9db5a6aa7 Mon Sep 17 00:00:00 2001 From: Guido Trentalancia Date: Wed, 18 Mar 2020 00:10:51 +0100 Subject: [PATCH 1/4] mozilla: add watch perms Signed-off-by: Guido Trentalancia -- policy/modules/apps/mozilla.te | 2 ++ 1 file changed, 2 insertions(+) --- policy/modules/apps/mozilla.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 390c02ba3..e39e38eec 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -164,9 +164,11 @@ dev_write_sound(mozilla_t) domain_dontaudit_read_all_domains_state(mozilla_t) +files_watch_etc_dirs(mozilla_t) files_read_etc_runtime_files(mozilla_t) files_map_usr_files(mozilla_t) files_read_usr_files(mozilla_t) +files_watch_usr_dirs(mozilla_t) files_read_var_files(mozilla_t) files_read_var_lib_files(mozilla_t) files_read_var_symlinks(mozilla_t) From 77174969ba14cec6d9033417d94b2f252042f57f Mon Sep 17 00:00:00 2001 From: Guido Trentalancia Date: Wed, 18 Mar 2020 00:11:16 +0100 Subject: [PATCH 2/4] wm: add watch perms Signed-off-by: Guido Trentalancia -- policy/modules/apps/wm.if | 4 ++++ policy/modules/services/networkmanager.if | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+) --- policy/modules/apps/wm.if | 4 ++++ policy/modules/services/networkmanager.if | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if index 260a7b015..538d6968f 100644 --- a/policy/modules/apps/wm.if +++ b/policy/modules/apps/wm.if @@ -89,6 +89,10 @@ template(`wm_role_template',` gnome_stream_connect_all_gkeyringd($1_wm_t) ') + optional_policy(` + networkmanager_watch_etc_dirs($1_wm_t) + ') + optional_policy(` policykit_run_auth($1_wm_t, $2) policykit_signal_auth($1_wm_t) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if index 4c6dd3424..175ac7532 100644 --- a/policy/modules/services/networkmanager.if 
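Review bot: `files_watch_etc_dirs(mozilla_t)` and `files_watch_usr_dirs(mozilla_t)` call interfaces that nothing in this four-patch series defines, so the build relies on them already being present in files.if; the same applies to `files_watch_runtime_dirs($1_t)` added to userdom_base_user_template in patch 4, and all three are worth confirming against the tree this series targets. The commit message does not record which access was denied, and for `watch` that matters: the grant is permanent even though a directory watch only reports events the domain could already observe by listing, so a short comment such as `# watch etc/usr directories for changes` next to the rules would let a later reviewer judge whether it is still needed. Placement is also inconsistent: the etc call is inserted before `files_read_etc_runtime_files` while the usr call follows the usr read calls (the userdomain.if hunk in patch 4 repeats this); keeping the watch call after the matching read calls in both places would follow the existing grouping.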
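Review bot: `networkmanager_watch_etc_dirs($1_wm_t)` grants only `watch`, but inotify_add_watch() also requires read permission on the watched inode, so the window manager domain additionally needs `read` on `NetworkManager_etc_t:dir` for a watch to be accepted. If `$1_wm_t` does not already obtain that through another networkmanager interface (none is visible in this hunk), the denial this rule is meant to resolve will reappear as a `read` denial on the same directory; the same prerequisite applies to callers of `miscfiles_watch_fonts_dirs` in patch 4. The enclosing wm_role_template begins and ends outside the hunk.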
+++ b/policy/modules/services/networkmanager.if @@ -171,6 +171,24 @@ interface(`networkmanager_signal',` allow $1 NetworkManager_t:process signal; ') +######################################## +### +### Watch networkmanager etc dirs. +### +### +### +### Domain allowed access. +### +### +## +interface(`networkmanager_watch_etc_dirs',` + gen_require(` + type NetworkManager_etc_t; + ') + + allow $1 NetworkManager_etc_t:dir watch; +') + ######################################## ## ## Read networkmanager etc files. From 8c72952ea4ce9db1a276d6c773a2de5ecc156e65 Mon Sep 17 00:00:00 2001 From: Guido Trentalancia Date: Thu, 19 Mar 2020 05:50:11 +0100 Subject: [PATCH 3/4] getty: add watch perms Signed-off-by: Guido Trentalancia -- policy/modules/system/getty.te | 1 + 1 file changed, 1 insertion(+) --- policy/modules/system/getty.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index 6d3c4284a..02cc2d1d8 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -46,6 +46,7 @@ files_lock_filetrans(getty_t, getty_lock_t, file) allow getty_t getty_log_t:file { append_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(getty_t, getty_log_t, file) +allow getty_t getty_runtime_t:dir watch; manage_files_pattern(getty_t, getty_runtime_t, getty_runtime_t) files_pid_filetrans(getty_t, getty_runtime_t, file) From bf806fd5891129a32fd7abc59205524f884efcae Mon Sep 17 00:00:00 2001 From: Guido Trentalancia Date: Thu, 19 Mar 2020 05:50:42 +0100 Subject: [PATCH 4/4] userdomain: add watch perms Signed-off-by: Guido Trentalancia -- policy/modules/system/miscfiles.if | 19 +++++++++++++++++++ policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 25 insertions(+) --- policy/modules/system/miscfiles.if | 19 +++++++++++++++++++ policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 25 insertions(+) 
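Review bot: The documentation block above the new `networkmanager_watch_etc_dirs` definition uses `###` comment markers and ends with a `##` line directly before the interface, whereas the neighbouring interfaces in this file (see `## Read networkmanager etc files.` just below) and the `miscfiles_watch_fonts_dirs` block in patch 4 use `##` for each documentation line and a lone `#` as the separator before `interface(`. The documentation extractor keys on the `##` prefix, so this block should be rewritten with `##` on every line plus the closing `#` line, in the same shape as the miscfiles block. Adding to the summary that the caller must also hold `read` on the directory for a watch to succeed would save the next user a second denial.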
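Review bot: `allow getty_t getty_runtime_t:dir watch;` targets the directory class, yet the adjacent rules (`files_pid_filetrans(getty_t, getty_runtime_t, file)` and `manage_files_pattern(getty_t, getty_runtime_t, getty_runtime_t)`) treat getty_runtime_t as a file type created directly under the runtime directory; if no directory carries that type in getty.fc, the new rule matches no object. A watch placed on the runtime file itself would need `getty_runtime_t:file watch`, and a watch on the parent runtime directory would be checked against that directory's own type rather than getty_runtime_t, so the class and target type of the motivating AVC denial should be checked and recorded in the commit message. The read access a watch also requires is already granted on the directory and the files by the manage_files_pattern on the following line, so only the `watch` permission itself is at issue here.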
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 833862acf..51e51e6c3 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -367,6 +367,25 @@ interface(`miscfiles_manage_fonts',` manage_lnk_files_pattern($1, fonts_t, fonts_t) ') +######################################## +## +## Watch fonts directories. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_watch_fonts_dirs',` + gen_require(` + type fonts_t; + ') + + allow $1 fonts_t:dir watch; +') + ######################################## ## ## Set the attributes on a fonts cache directory. diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 3ef0f7d6a..e4a592116 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -92,8 +92,11 @@ template(`userdom_base_user_template',` domain_dontaudit_getsession_all_domains($1_t) files_read_etc_files($1_t) + files_watch_etc_dirs($1_t) files_read_etc_runtime_files($1_t) files_read_usr_files($1_t) + files_watch_usr_dirs($1_t) + files_watch_runtime_dirs($1_t) # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. files_list_world_readable($1_t) @@ -112,6 +115,7 @@ template(`userdom_base_user_template',` miscfiles_read_localization($1_t) miscfiles_read_generic_certs($1_t) + miscfiles_watch_fonts_dirs($1_t) sysnet_read_config($1_t) @@ -364,6 +368,8 @@ interface(`userdom_manage_home_role',` # cjp: this should probably be removed: allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 user_home_dir_t:dir watch; + userdom_manage_user_certs($2) userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
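Review bot: `allow $2 user_home_dir_t:dir watch;` in userdom_manage_home_role is inserted directly under the rule annotated `# cjp: this should probably be removed:`, so it reads as part of the block that comment marks for removal and risks being dropped together with it. Move the new rule below the added blank line, just before `userdom_manage_user_certs($2)`, or give it its own comment such as `# watch the user home directory for changes`. The interface itself starts and ends outside this hunk.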