dbus: Add directory watches.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>

policy/modules/kernel/files.if

@@ -4908,6 +4908,24 @@ interface(`files_delete_usr_dirs',`
 	delete_dirs_pattern($1, usr_t, usr_t)
 ')
 
+########################################
+## <summary>
+##	Watch generic directories in /usr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_watch_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Delete generic files in /usr in the caller domain.

policy/modules/services/dbus.te

@@ -69,7 +69,7 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
 
-allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+allow system_dbusd_t dbusd_etc_t:dir { list_dir_perms watch };
 read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 
@@ -103,6 +103,7 @@ domain_read_all_domains_state(system_dbusd_t)
 
 files_list_home(system_dbusd_t)
 files_read_usr_files(system_dbusd_t)
+files_watch_usr_dirs(system_dbusd_t)
 
 fs_getattr_all_fs(system_dbusd_t)
 fs_list_inotifyfs(system_dbusd_t)