rpc: allow rpc.mountd to list/watch NFS server directory

Fixes:
avc: denied { read } for pid=484 comm="rpc.mountd" name="clients"
dev="nfsd" ino=22 scontext=system_u:system_r:nfsd_t
tcontext=system_u:object_r:nfsd_fs_t tclass=dir permissive=0

avc: denied { watch } for pid=487 comm="rpc.mountd"
path="/proc/fs/nfsd/clients" dev="nfsd" ino=22
scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:nfsd_fs_t
tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

policy/modules/kernel/filesystem.if

@@ -3758,6 +3758,24 @@ interface(`fs_list_nfsd_fs',`
 	allow $1 nfsd_fs_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Watch NFS server directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_watch_nfsd_dirs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Getattr files on an nfsd filesystem

policy/modules/services/rpc.te

@@ -329,6 +329,8 @@ files_manage_mounttab(nfsd_t)
 fs_mount_nfsd_fs(nfsd_t)
 fs_getattr_all_fs(nfsd_t)
 fs_getattr_all_dirs(nfsd_t)
+fs_list_nfsd_fs(nfsd_t)
+fs_watch_nfsd_dirs(nfsd_t)
 fs_rw_nfsd_fs(nfsd_t)
 
 storage_dontaudit_read_fixed_disk(nfsd_t)