From e3dc006c410465182a23dcea9f19c65756db3367 Mon Sep 17 00:00:00 2001
From: Guido Trentalancia <guido@trentalancia.com>
Date: Fri, 24 Jan 2020 22:31:24 -0800
Subject: [PATCH] Add an interface to allow watch permission on generic device
 directories.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
--
 policy/modules/kernel/devices.if |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 7f97cb26c..89beb51bb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -108,6 +108,24 @@ interface(`dev_getattr_fs',`
 	allow $1 device_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Watch the directories in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_watch_dev_dirs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on /dev