diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 833862acf..51e51e6c3 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -367,6 +367,25 @@ interface(`miscfiles_manage_fonts',`
manage_lnk_files_pattern($1, fonts_t, fonts_t)
')
+########################################
+##
+## Watch fonts directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`miscfiles_watch_fonts_dirs',`
+ gen_require(`
+ type fonts_t;
+ ')
+
+ allow $1 fonts_t:dir watch;
+')
+
########################################
##
## Set the attributes on a fonts cache directory.
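Review bot: `miscfiles_watch_fonts_dirs` grants only `fonts_t:dir watch`, and its header does not say that the caller needs list access to those directories from another interface. Setting an inotify watch normally also needs read access to the directory, so a domain that calls only this interface would probably still be denied. I would add a sentence to the summary such as `Watch fonts directories. The caller is expected to already have list access to fonts_t directories.` The `##` lines of the header show no summary or param markup in this view; confirm they are present in the file, since the interface documentation is generated from them.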
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3ef0f7d6a..e4a592116 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -92,8 +92,11 @@ template(`userdom_base_user_template',`
domain_dontaudit_getsession_all_domains($1_t)
files_read_etc_files($1_t)
+ files_watch_etc_dirs($1_t)
files_read_etc_runtime_files($1_t)
files_read_usr_files($1_t)
+ files_watch_usr_dirs($1_t)
+ files_watch_runtime_dirs($1_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable($1_t)
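Review bot: The new `files_watch_etc_dirs`, `files_watch_usr_dirs` and `files_watch_runtime_dirs` calls sit in `userdom_base_user_template`, so every user domain built from it gets the watch permission, not only the domains that need change notification. Nothing in the hunk names the program that needs these watches. If the need comes from desktop sessions, a more specific user template would keep the base template minimal; the same applies to `miscfiles_watch_fonts_dirs($1_t)` in the next hunk. For runtime directories no matching list or read call is visible here, so confirm the template grants it elsewhere. At minimum I would add a comment above the new lines, for example `# inotify watches needed by <consumer>; see <bug reference>`, with the placeholders filled in; the template body starts and ends outside the hunk.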
@@ -112,6 +115,7 @@ template(`userdom_base_user_template',`
miscfiles_read_localization($1_t)
miscfiles_read_generic_certs($1_t)
+ miscfiles_watch_fonts_dirs($1_t)
sysnet_read_config($1_t)
@@ -364,6 +368,8 @@ interface(`userdom_manage_home_role',`
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 user_home_dir_t:dir watch;
+
userdom_manage_user_certs($2)
userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
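Review bot: The added `allow $2 user_home_dir_t:dir watch;` lands directly under the existing `# cjp: this should probably be removed:` comment, so it reads as if that remark covers the new rule too. I would give the rule its own comment, e.g. `# Allow inotify watches on the home directory itself.`, and keep the blank line between it and the older rule. If the older `allow` is meant to stay, the permission could instead be folded into its set as `{ manage_dir_perms relabel_dir_perms watch }`. Keeping it separate is the safer choice if that rule may later be dropped. `userdom_manage_home_role` starts and ends outside the hunk.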