* [PATCH 01/10] fstools: add zfs-auto-snapshot
@ 2020-02-16 20:03 Jason Zaman
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman, Jason Zaman

Should be in domain fstools_t, and needs to run zpool which is
mount_exec_t.

type=AVC msg=audit(1563084061.269:2472): avc:  denied  { execute } for  pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563084061.269:2472): cwd="/root"
type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
---
 policy/modules/system/fstools.fc | 1 +
 policy/modules/system/fstools.te | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 8fbd5ce4..d871294e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -49,6 +49,7 @@
 /usr/bin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/zfs-auto-snapshot	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 4ad6e65f..4ae0301a 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -154,6 +154,8 @@ logging_send_syslog_msg(fsadm_t)
 
 miscfiles_read_localization(fsadm_t)
 
+# for zfs/zpool
+mount_exec(fsadm_t)
 # for /run/mount/utab
 mount_getattr_runtime_files(fsadm_t)
 # losetup: bind mount_loopback_t files to loop devices
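Review bot: `mount_exec(fsadm_t)` at the second added line grants fsadm_t execution of every binary labelled mount_exec_t, not only the zpool program named in the comment and in the AVC; since this module already labels zdb and zhack as fsadm_exec_t in the first hunk, labelling zpool the same way (wherever it is currently assigned mount_exec_t) would keep the grant to the one program, if zpool is meant to run in fsadm_t rather than mount_t. The commit message also says the tool "should be in domain fstools_t" while the hunk changes fsadm_t; the message should name the domain actually modified. The comment would be clearer as `# zfs-auto-snapshot runs zpool, which is labelled mount_exec_t`.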
-- 
2.24.1



* [PATCH 02/10] udev: Add watch perms
@ 2020-02-16 20:03 ` Jason Zaman
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

Udev watches all the fixed_disks and udevadm watches the runtime dir.

udevd[3010]: inotify_add_watch(6, /dev/sde, 10) failed: Permission denied

avc:  denied  { watch } for  pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" ino=19464 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/kernel/storage.if | 20 ++++++++++++++++++++
 policy/modules/system/udev.te    |  3 +++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index c14bb13b..f9dcbaf5 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -364,6 +364,26 @@ interface(`storage_swapon_fixed_disk',`
 	allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Watch fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_watch_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file watch;
+	allow $1 fixed_disk_device_t:chr_file watch;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to get the attributes
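Review bot: The summary of storage_watch_fixed_disk says only that it watches fixed disk device nodes, but the body also calls `dev_list_all_dev_nodes($1)`, which grants listing of the whole device directory tree; a caller reading the generated interface documentation would not expect that side effect. Either state it in the summary, `##	Watch fixed disk device nodes (also lists all device nodes).`, or drop the call and let callers request listing separately. The `chr_file watch` rule is not backed by either denial in the commit message (both are blk_file and dir); if it is intended for character-device aliases of fixed disks, a one-line comment saying so would help the next reviewer.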
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 0ccbcb51..e0e27a9d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -154,6 +154,8 @@ selinux_compute_create_context(udev_t)
 selinux_compute_relabel_context(udev_t)
 selinux_compute_user_contexts(udev_t)
 
+storage_watch_fixed_disk(udev_t)
+
 auth_read_pam_console_data(udev_t)
 auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
@@ -401,6 +403,7 @@ delete_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
+allow udevadm_t udev_runtime_t:dir watch;
 
 list_dirs_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
 read_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
-- 
2.24.1



* [PATCH 03/10] accountsd: Add watch perms
@ 2020-02-16 20:03 ` Jason Zaman
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

avc:  denied  { watch } for  pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/accountsd.te |  2 ++
 policy/modules/system/logging.if     | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 9bf5962a..2e13e943 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)
 
 files_read_mnt_files(accountsd_t)
 files_read_usr_files(accountsd_t)
+files_watch_etc_dirs(accountsd_t)
 
 fs_getattr_xattr_fs(accountsd_t)
 fs_list_inotifyfs(accountsd_t)
@@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
 logging_list_logs(accountsd_t)
 logging_send_syslog_msg(accountsd_t)
 logging_set_loginuid(accountsd_t)
+logging_watch_generic_logs_dir(accountsd_t)
 
 userdom_read_user_tmp_files(accountsd_t)
 userdom_read_user_home_content_files(accountsd_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9c7a0dba..b2bba984 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
 	manage_files_pattern($1, var_log_t, var_log_t)
 ')
 
+########################################
+## <summary>
+##	Watch generic log dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_watch_generic_logs_dir',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	allow $1 var_log_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
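Review bot: The new interface name `logging_watch_generic_logs_dir` is singular while its own summary says "Watch generic log dirs." and the other watch interfaces this series adds or calls use a plural suffix (miscfiles_watch_fonts_dirs, xdg_watch_*_dirs, files_watch_etc_dirs, files_watch_usr_dirs). Interface names are part of the policy API once merged, so renaming now to `logging_watch_generic_logs_dirs` avoids a permanent inconsistency; the single call site in accountsd.te in this same patch would change with it. The rule body itself is fine and matches the denial in the commit message.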
-- 
2.24.1



* [PATCH 04/10] cron: watch cron spool
@ 2020-02-16 20:03 ` Jason Zaman
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

avc:  denied  { watch } for  pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/cron.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 46b64016..dbbd9dbf 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t)
 files_pid_filetrans(crond_t, crond_runtime_t, file)
 
 manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+allow crond_t cron_spool_t:dir watch;
 
 manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
 
 list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+allow crond_t system_cron_spool_t:dir watch;
+allow crond_t system_cron_spool_t:file watch;
 
 rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:dir watch;
 
 manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
 
-- 
2.24.1



* [PATCH 05/10] colord: add watch perms
@ 2020-02-16 20:03 ` Jason Zaman
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

avc:  denied  { watch } for  pid=12656 comm="gmain" path="/var/lib/colord/icc" dev="zfs" ino=100677 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12656 comm="gmain" path="/usr/share/color/icc/colord" dev="zfs" ino=67586 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/colord.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index 24eda8a9..44f2b049 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -42,6 +42,7 @@ fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
 manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
+allow colord_t colord_var_lib_t:dir watch;
 
 kernel_read_crypto_sysctls(colord_t)
 kernel_read_device_sysctls(colord_t)
@@ -82,6 +83,7 @@ domain_use_interactive_fds(colord_t)
 files_list_mnt(colord_t)
 files_read_usr_files(colord_t)
 files_map_usr_files(colord_t)
+files_watch_usr_dirs(colord_t)
 
 fs_getattr_noxattr_fs(colord_t)
 fs_getattr_tmpfs(colord_t)
-- 
2.24.1



* [PATCH 06/10] policykit devicekit: Add watch perms
@ 2020-02-16 20:03 ` Jason Zaman
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

avc:  denied  { watch } for  pid=12488 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/run/ConsoleKit" dev="tmpfs" ino=17611 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/usr/share/polkit-1/actions" dev="zfs" ino=235638 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/etc/polkit-1/rules.d" dev="zfs" ino=268215 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/consolekit.if | 18 ++++++++++++++++++
 policy/modules/services/devicekit.te  |  1 +
 policy/modules/services/policykit.te  |  3 +++
 3 files changed, 22 insertions(+)

diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
index 9aa0dbce..422c19cd 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -121,3 +121,21 @@ interface(`consolekit_read_pid_files',`
 	allow $1 consolekit_runtime_t:dir list_dir_perms;
 	read_files_pattern($1, consolekit_runtime_t, consolekit_runtime_t)
 ')
+
+########################################
+## <summary>
+##	Watch consolekit runtime dir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_watch_runtime_dir',`
+	gen_require(`
+		type consolekit_runtime_t;
+	')
+
+	allow $1 consolekit_runtime_t:dir watch;
+')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f58a7a19..ed88f10b 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -127,6 +127,7 @@ files_manage_boot_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
 files_read_etc_runtime_files(devicekit_disk_t)
 files_read_usr_files(devicekit_disk_t)
+files_watch_etc_dirs(devicekit_disk_t)
 
 fs_getattr_all_fs(devicekit_disk_t)
 fs_list_inotifyfs(devicekit_disk_t)
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 04e88500..4989157c 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -95,6 +95,8 @@ dev_read_urand(policykit_t)
 domain_read_all_domains_state(policykit_t)
 
 files_dontaudit_search_all_mountpoints(policykit_t)
+files_watch_etc_dirs(policykit_t)
+files_watch_usr_dirs(policykit_t)
 
 fs_getattr_xattr_fs(policykit_t)
 fs_list_inotifyfs(policykit_t)
@@ -127,6 +129,7 @@ optional_policy(`
 
 optional_policy(`
 	consolekit_read_pid_files(policykit_t)
+	consolekit_watch_runtime_dir(policykit_t)
 ')
 
 optional_policy(`
-- 
2.24.1



* [PATCH 07/10] userdomain: Add watch on home dirs
@ 2020-02-16 20:03 ` Jason Zaman
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

avc:  denied  { watch } for  pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/xserver.if  |  11 +-
 policy/modules/system/miscfiles.if  |  37 ++++++
 policy/modules/system/userdomain.if |  15 +++
 policy/modules/system/xdg.if        | 198 ++++++++++++++++++++++++++++
 4 files changed, 260 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c95a6b04..99c1a7ea 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
 	dev_rw_usbfs($2)
 
 	miscfiles_read_fonts($2)
+	miscfiles_watch_fonts_dirs($2)
 
 	xserver_common_x_domain_template(user, $2)
 	xserver_domtrans($2)
@@ -186,10 +187,13 @@ interface(`xserver_role',`
 	optional_policy(`
 		xdg_manage_all_cache($2)
 		xdg_relabel_all_cache($2)
+		xdg_watch_all_cache_dirs($2)
 		xdg_manage_all_config($2)
 		xdg_relabel_all_config($2)
+		xdg_watch_all_config_dirs($2)
 		xdg_manage_all_data($2)
 		xdg_relabel_all_data($2)
+		xdg_watch_all_data_dirs($2)
 
 		xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
 		xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
@@ -203,14 +207,19 @@ interface(`xserver_role',`
 
 		xdg_manage_documents($2)
 		xdg_relabel_documents($2)
+		xdg_watch_documents_dirs($2)
 		xdg_manage_downloads($2)
 		xdg_relabel_downloads($2)
+		xdg_watch_downloads_dirs($2)
 		xdg_manage_music($2)
 		xdg_relabel_music($2)
+		xdg_watch_music_dirs($2)
 		xdg_manage_pictures($2)
 		xdg_relabel_pictures($2)
+		xdg_watch_pictures_dirs($2)
 		xdg_manage_videos($2)
 		xdg_relabel_videos($2)
+		xdg_watch_videos_dirs($2)
 
 		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 	')
@@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
 	')
 
 	# Read per user fonts
-	allow $1 user_fonts_t:dir list_dir_perms;
+	allow $1 user_fonts_t:dir { list_dir_perms watch };
 	allow $1 user_fonts_t:file { map read_file_perms };
 
 	# Manipulate the global font cache
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 47330a48..6fbacc04 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -252,6 +252,25 @@ interface(`miscfiles_manage_generic_tls_privkey_files',`
 	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
 ')
 
+########################################
+## <summary>
+##	Watch fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_watch_fonts_dirs',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	allow $1 fonts_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read fonts.
@@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
 	manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
 ')
 
+########################################
+## <summary>
+##	Watch public files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_watch_public_dirs',`
+	gen_require(`
+		type public_content_rw_t;
+	')
+
+	allow $1 public_content_rw_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read TeX data
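Review bot: The summary of miscfiles_watch_public_dirs reads "Watch public files" (no period) and speaks of files, while the single rule grants dir watch on public_content_rw_t only; the read-only public_content_t type is not covered, which a caller of a "public" watch interface might reasonably expect. Suggest `##	Watch public content directories (public_content_rw_t only).`, and if read-only public content should also be watchable, add public_content_t to the gen_require block and the rule. The fonts interface in the previous hunk of this file has the same summary style but its wording does match its rule.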
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index dd555850..6645c56a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -285,6 +285,12 @@ interface(`userdom_ro_home_role',`
 	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
 	files_list_home($2)
 
+	allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 { user_home_t user_home_dir_t }:file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 { user_home_t user_home_dir_t }:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 { user_home_t user_home_dir_t }:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 { user_home_t user_home_dir_t }:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_list_nfs($2)
 		fs_read_nfs_files($2)
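Review bot: The five added rules grant `watch_mount`, `watch_sb`, `watch_with_perm` and `watch_reads` in addition to `watch`, but every denial in the commit message is for the plain `watch` permission on a dir; the extra permissions gate mount-wide and superblock-wide notification marks and permission-event marks, which let the watching domain observe or hold up other domains' accesses to home content — considerably more than an inotify watch needs, and out of place in an interface named for a read-only home role. Restricting the grant to what was observed, `allow $2 { user_home_t user_home_dir_t }:{ dir file lnk_file sock_file fifo_file } watch;`, also collapses the five lines into one; `watch_reads` could be added later if a read-event denial shows up. The same five rules appear in the userdom_manage_home_role hunk directly below and should be trimmed the same way. Both interfaces' bodies extend outside their hunks.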
@@ -364,6 +370,12 @@ interface(`userdom_manage_home_role',`
 	# cjp: this should probably be removed:
 	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
 
+	allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 { user_home_t user_home_dir_t }:file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 { user_home_t user_home_dir_t }:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 { user_home_t user_home_dir_t }:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+	allow $2 { user_home_t user_home_dir_t }:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+
 	userdom_manage_user_certs($2)
 	userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
 
@@ -618,6 +630,8 @@ template(`userdom_common_user_template',`
 	files_read_var_lib_files($1_t)
 	# Stat lost+found.
 	files_getattr_lost_found_dirs($1_t)
+	files_watch_etc_dirs($1_t)
+	files_watch_usr_dirs($1_t)
 
 	fs_rw_cgroup_files($1_t)
 
@@ -1166,6 +1180,7 @@ template(`userdom_unpriv_user_template', `
 	files_exec_usr_files($1_t)
 
 	miscfiles_manage_public_files($1_t)
+	miscfiles_watch_public_dirs($1_t)
 
 	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 11fc4306..82304241 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg cache home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_cache_dirs',`
+	gen_require(`
+		type xdg_cache_t;
+	')
+
+	allow $1 xdg_cache_t:dir watch;
+')
+
+########################################
+## <summary>
+##	Watch all the xdg cache home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_all_cache_dirs',`
+	gen_require(`
+		attribute xdg_cache_type;
+	')
+
+	allow $1 xdg_cache_type:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read the xdg cache home files
@@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg config home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_config_dirs',`
+	gen_require(`
+		type xdg_config_t;
+	')
+
+	allow $1 xdg_config_t:dir watch;
+')
+
+########################################
+## <summary>
+##	Watch all the xdg config home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_all_config_dirs',`
+	gen_require(`
+		attribute xdg_config_type;
+	')
+
+	allow $1 xdg_config_type:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read the xdg config home files
@@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg data home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_data_dirs',`
+	gen_require(`
+		type xdg_data_t;
+	')
+
+	allow $1 xdg_data_t:dir watch;
+')
+
+########################################
+## <summary>
+##	Watch all the xdg data home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_all_data_dirs',`
+	gen_require(`
+		attribute xdg_data_type;
+	')
+
+	allow $1 xdg_data_type:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read the xdg data home files
@@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg documents home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_documents_dirs',`
+	gen_require(`
+		type xdg_documents_t;
+	')
+
+	allow $1 xdg_documents_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Create objects in the user home dir with an automatic type transition to
@@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg downloads home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_downloads_dirs',`
+	gen_require(`
+		type xdg_downloads_t;
+	')
+
+	allow $1 xdg_downloads_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read downloaded content
@@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg pictures home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_pictures_dirs',`
+	gen_require(`
+		type xdg_pictures_t;
+	')
+
+	allow $1 xdg_pictures_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read user pictures content
@@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg music home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_music_dirs',`
+	gen_require(`
+		type xdg_music_t;
+	')
+
+	allow $1 xdg_music_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read user music content
@@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Watch the xdg video content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_videos_dirs',`
+	gen_require(`
+		type xdg_videos_t;
+	')
+
+	allow $1 xdg_videos_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read user video content
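Review bot: The summary of xdg_watch_videos_dirs, "Watch the xdg video content", breaks the wording pattern of the eight sibling interfaces added to this file in the same patch, all of which read "Watch the xdg … home directories"; `##	Watch the xdg videos home directories` keeps the generated interface documentation uniform. The interface body itself matches its siblings.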
-- 
2.24.1



* [PATCH 08/10] dbus: add watch perms
@ 2020-02-16 20:03 ` Jason Zaman
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

avc:  denied  { watch } for  pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/dbus.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4e395f7f..6f9835c6 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -219,6 +219,7 @@ allow session_bus_type self:netlink_selinux_socket create_socket_perms;
 allow session_bus_type dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+allow session_bus_type dbusd_etc_t:dir watch;
 
 manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
 manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
@@ -258,6 +259,7 @@ domain_use_interactive_fds(session_bus_type)
 
 files_list_home(session_bus_type)
 files_read_usr_files(session_bus_type)
+files_watch_usr_dirs(session_bus_type)
 files_dontaudit_search_var(session_bus_type)
 
 fs_getattr_romfs(session_bus_type)
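Review bot: `files_watch_usr_dirs(session_bus_type)` grants watch on every usr_t directory, while the AVC that motivated it names only /usr/share/dbus-1/accessibility-services; a one-line comment recording the trigger, `# dbus-daemon watches the /usr/share/dbus-1 directories`, would let a later reader judge whether the grant is still needed. Presumably the bus watches those directories to reload service files, but the commit does not say so. watch is notification only, so the added exposure is limited to learning when usr_t content changes.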
-- 
2.24.1



* [PATCH 09/10] chromium: watch etc dirs
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

avc:  denied  { watch } for  pid=44464 comm="ThreadPoolForeg" path="/etc" dev="zfs" ino=1436 scontext=staff_u:staff_r:chromium_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/apps/chromium.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
index 255ef557..0e8cc1e5 100644
--- a/policy/modules/apps/chromium.te
+++ b/policy/modules/apps/chromium.te
@@ -156,6 +156,7 @@ files_search_home(chromium_t)
 files_read_usr_files(chromium_t)
 files_map_usr_files(chromium_t)
 files_read_etc_files(chromium_t)
+files_watch_etc_dirs(chromium_t)
 # During find for /etc/whatever-release we get lots of output otherwise
 files_dontaudit_getattr_all_dirs(chromium_t)
 
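Review bot: `files_watch_etc_dirs(chromium_t)` is inserted directly above the `# During find for /etc/whatever-release ...` comment, so that comment now reads as if it explained the watch rule instead of the `files_dontaudit_getattr_all_dirs(chromium_t)` call it belongs to; a blank line, or a comment of its own such as `# chromium's thread pool watches /etc (reason not stated in the AVC)`, keeps the two rules distinct. The AVC shows only the /etc directory itself being watched, but etc_t is the granularity refpolicy offers, so there is no narrower interface to prefer.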
-- 
2.24.1



* [PATCH 10/10] gpg: add watch perms for agent
From: Jason Zaman @ 2020-02-16 20:03 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

avc:  denied  { watch } for  pid=10668 comm="gpg-agent" path="/run/user/1000/gnupg" dev="tmpfs" ino=21988 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10668 comm="gpg-agent" path="/home/jason/.gnupg" dev="zfs" ino=34432 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/apps/gpg.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 90508415..d007b6ac 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -229,9 +229,11 @@ manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+allow gpg_agent_t gpg_secret_t:dir watch;
 
 manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
 userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+allow gpg_agent_t gpg_runtime_t:dir watch;
 
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
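Review bot: The two new `allow gpg_agent_t ...:dir watch;` rules carry no comment, although the AVCs show gpg-agent watching both the user's ~/.gnupg directory and the /run/user/UID/gnupg runtime directory; a short note above the first one, `# gpg-agent watches its homedir and runtime dir for changes`, records why change notification on gpg_secret_t is needed. gpg_agent_t already has manage_dirs_pattern on both types, so watch adds no new write path, only notification.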
-- 
2.24.1



* Re: [PATCH 01/10] fstools: add zfs-auto-snapshot
From: Chris PeBenito @ 2020-02-17 18:26 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jason Zaman

On 2/16/20 3:03 PM, Jason Zaman wrote:
> Should be in domain fstools_t, and needs to run zpool which is
> mount_exec_t.
> 
> type=AVC msg=audit(1563084061.269:2472): avc:  denied  { execute } for  pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
> type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
> type=CWD msg=audit(1563084061.269:2472): cwd="/root"
> type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
> ---
>   policy/modules/system/fstools.fc | 1 +
>   policy/modules/system/fstools.te | 2 ++
>   2 files changed, 3 insertions(+)
> 
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index 8fbd5ce4..d871294e 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -49,6 +49,7 @@
>   /usr/bin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>   /usr/bin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>   /usr/bin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/usr/bin/zfs-auto-snapshot	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>   /usr/bin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>   /usr/bin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>   /usr/bin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 4ad6e65f..4ae0301a 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -154,6 +154,8 @@ logging_send_syslog_msg(fsadm_t)
>   
>   miscfiles_read_localization(fsadm_t)
>   
> +# for zfs/zpool
> +mount_exec(fsadm_t)
>   # for /run/mount/utab
>   mount_getattr_runtime_files(fsadm_t)
>   # losetup: bind mount_loopback_t files to loop devices
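Review bot: `mount_exec(fsadm_t)` lets fsadm_t execute every binary labeled mount_exec_t in its own domain, not just zpool (the AVC shows /sbin/zpool is one of them), so the `# for zfs/zpool` comment understates the grant; `# zfs-auto-snapshot runs zfs/zpool, which are labeled mount_exec_t (no domain transition)` records both the trigger and the scope. The description says the tool "should be in domain fstools_t" while the rule and the AVC scontext both name fsadm_t; presumably fsadm_t is meant. The rule itself matches the denial, so this is a documentation point.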

Merged.

-- 
Chris PeBenito


* Re: [PATCH 02/10] udev: Add watch perms
From: Chris PeBenito @ 2020-02-17 18:27 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 2/16/20 3:03 PM, Jason Zaman wrote:
> Udev watches all the fixed_disks and udevadm watches the runtime dir.
> 
> udevd[3010]: inotify_add_watch(6, /dev/sde, 10) failed: Permission denied
> 
> avc:  denied  { watch } for  pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" ino=19464 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/kernel/storage.if | 20 ++++++++++++++++++++
>   policy/modules/system/udev.te    |  3 +++
>   2 files changed, 23 insertions(+)
> 
> diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
> index c14bb13b..f9dcbaf5 100644
> --- a/policy/modules/kernel/storage.if
> +++ b/policy/modules/kernel/storage.if
> @@ -364,6 +364,26 @@ interface(`storage_swapon_fixed_disk',`
>   	allow $1 fixed_disk_device_t:blk_file getattr;
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch fixed disk device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_watch_fixed_disk',`
> +	gen_require(`
> +		type fixed_disk_device_t;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 fixed_disk_device_t:blk_file watch;
> +	allow $1 fixed_disk_device_t:chr_file watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow the caller to get the attributes
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 0ccbcb51..e0e27a9d 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -154,6 +154,8 @@ selinux_compute_create_context(udev_t)
>   selinux_compute_relabel_context(udev_t)
>   selinux_compute_user_contexts(udev_t)
>   
> +storage_watch_fixed_disk(udev_t)
> +
>   auth_read_pam_console_data(udev_t)
>   auth_domtrans_pam_console(udev_t)
>   auth_use_nsswitch(udev_t)
> @@ -401,6 +403,7 @@ delete_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
>   delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
>   list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
>   read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
> +allow udevadm_t udev_runtime_t:dir watch;
>   
>   list_dirs_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
>   read_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)

Merged.

-- 
Chris PeBenito


* Re: [PATCH 03/10] accountsd: Add watch perms
From: Chris PeBenito @ 2020-02-17 18:27 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc:  denied  { watch } for  pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/accountsd.te |  2 ++
>   policy/modules/system/logging.if     | 18 ++++++++++++++++++
>   2 files changed, 20 insertions(+)
> 
> diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
> index 9bf5962a..2e13e943 100644
> --- a/policy/modules/services/accountsd.te
> +++ b/policy/modules/services/accountsd.te
> @@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)
>   
>   files_read_mnt_files(accountsd_t)
>   files_read_usr_files(accountsd_t)
> +files_watch_etc_dirs(accountsd_t)
>   
>   fs_getattr_xattr_fs(accountsd_t)
>   fs_list_inotifyfs(accountsd_t)
> @@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
>   logging_list_logs(accountsd_t)
>   logging_send_syslog_msg(accountsd_t)
>   logging_set_loginuid(accountsd_t)
> +logging_watch_generic_logs_dir(accountsd_t)
>   
>   userdom_read_user_tmp_files(accountsd_t)
>   userdom_read_user_home_content_files(accountsd_t)
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index 9c7a0dba..b2bba984 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
>   	manage_files_pattern($1, var_log_t, var_log_t)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch generic log dirs.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`logging_watch_generic_logs_dir',`
> +	gen_require(`
> +		type var_log_t;
> +	')
> +
> +	allow $1 var_log_t:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	All of the rules required to administrate
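Review bot: The interface name `logging_watch_generic_logs_dir` is singular while its own summary says "Watch generic log dirs." and every other watch interface in this series uses the plural (`files_watch_etc_dirs`, `files_watch_usr_dirs`, `miscfiles_watch_fonts_dirs`, the `xdg_watch_*_dirs` family); naming it `logging_watch_generic_logs_dirs`, with the accountsd.te caller in the first hunk renamed to match, would keep the convention consistent. var_log_t labels more than one directory, so the plural is also the accurate reading. Since this has been merged, a rename later means keeping the old name as a deprecated alias, so it is cheaper to settle now.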

Merged.

-- 
Chris PeBenito


* Re: [PATCH 05/10] colord: add watch perms
From: Chris PeBenito @ 2020-02-17 18:27 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc:  denied  { watch } for  pid=12656 comm="gmain" path="/var/lib/colord/icc" dev="zfs" ino=100677 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=12656 comm="gmain" path="/usr/share/color/icc/colord" dev="zfs" ino=67586 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/colord.te | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
> index 24eda8a9..44f2b049 100644
> --- a/policy/modules/services/colord.te
> +++ b/policy/modules/services/colord.te
> @@ -42,6 +42,7 @@ fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
>   manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>   manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
>   files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
> +allow colord_t colord_var_lib_t:dir watch;
>   
>   kernel_read_crypto_sysctls(colord_t)
>   kernel_read_device_sysctls(colord_t)
> @@ -82,6 +83,7 @@ domain_use_interactive_fds(colord_t)
>   files_list_mnt(colord_t)
>   files_read_usr_files(colord_t)
>   files_map_usr_files(colord_t)
> +files_watch_usr_dirs(colord_t)
>   
>   fs_getattr_noxattr_fs(colord_t)
>   fs_getattr_tmpfs(colord_t)

Merged.

-- 
Chris PeBenito


* Re: [PATCH 04/10] cron: watch cron spool
From: Chris PeBenito @ 2020-02-17 18:28 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc:  denied  { watch } for  pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/cron.te | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
> index 46b64016..dbbd9dbf 100644
> --- a/policy/modules/services/cron.te
> +++ b/policy/modules/services/cron.te
> @@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t)
>   files_pid_filetrans(crond_t, crond_runtime_t, file)
>   
>   manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
> +allow crond_t cron_spool_t:dir watch;
>   
>   manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
>   manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
> @@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
>   
>   list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
>   read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
> +allow crond_t system_cron_spool_t:dir watch;
> +allow crond_t system_cron_spool_t:file watch;
>   
>   rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
>   manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
>   manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
> +allow crond_t user_cron_spool_t:dir watch;
>   
>   manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)

Merged.


-- 
Chris PeBenito


* Re: [PATCH 08/10] dbus: add watch perms
From: Chris PeBenito @ 2020-02-17 18:28 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc:  denied  { watch } for  pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/dbus.te | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 4e395f7f..6f9835c6 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -219,6 +219,7 @@ allow session_bus_type self:netlink_selinux_socket create_socket_perms;
>   allow session_bus_type dbusd_etc_t:dir list_dir_perms;
>   read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
>   read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
> +allow session_bus_type dbusd_etc_t:dir watch;
>   
>   manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
>   manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
> @@ -258,6 +259,7 @@ domain_use_interactive_fds(session_bus_type)
>   
>   files_list_home(session_bus_type)
>   files_read_usr_files(session_bus_type)
> +files_watch_usr_dirs(session_bus_type)
>   files_dontaudit_search_var(session_bus_type)
>   
>   fs_getattr_romfs(session_bus_type)


Merged.


-- 
Chris PeBenito


* Re: [PATCH 06/10] policykit devicekit: Add watch perms
From: Chris PeBenito @ 2020-02-17 18:28 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc:  denied  { watch } for  pid=12488 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=6452 comm="gmain" path="/run/ConsoleKit" dev="tmpfs" ino=17611 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_runtime_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=6452 comm="gmain" path="/usr/share/polkit-1/actions" dev="zfs" ino=235638 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=6452 comm="gmain" path="/etc/polkit-1/rules.d" dev="zfs" ino=268215 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/consolekit.if | 18 ++++++++++++++++++
>   policy/modules/services/devicekit.te  |  1 +
>   policy/modules/services/policykit.te  |  3 +++
>   3 files changed, 22 insertions(+)
> 
> diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
> index 9aa0dbce..422c19cd 100644
> --- a/policy/modules/services/consolekit.if
> +++ b/policy/modules/services/consolekit.if
> @@ -121,3 +121,21 @@ interface(`consolekit_read_pid_files',`
>   	allow $1 consolekit_runtime_t:dir list_dir_perms;
>   	read_files_pattern($1, consolekit_runtime_t, consolekit_runtime_t)
>   ')
> +
> +########################################
> +## <summary>
> +##	Watch consolekit runtime dir.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`consolekit_watch_runtime_dir',`
> +	gen_require(`
> +		type consolekit_runtime_t;
> +	')
> +
> +	allow $1 consolekit_runtime_t:dir watch;
> +')
> diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
> index f58a7a19..ed88f10b 100644
> --- a/policy/modules/services/devicekit.te
> +++ b/policy/modules/services/devicekit.te
> @@ -127,6 +127,7 @@ files_manage_boot_dirs(devicekit_disk_t)
>   files_manage_mnt_dirs(devicekit_disk_t)
>   files_read_etc_runtime_files(devicekit_disk_t)
>   files_read_usr_files(devicekit_disk_t)
> +files_watch_etc_dirs(devicekit_disk_t)
>   
>   fs_getattr_all_fs(devicekit_disk_t)
>   fs_list_inotifyfs(devicekit_disk_t)
> diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
> index 04e88500..4989157c 100644
> --- a/policy/modules/services/policykit.te
> +++ b/policy/modules/services/policykit.te
> @@ -95,6 +95,8 @@ dev_read_urand(policykit_t)
>   domain_read_all_domains_state(policykit_t)
>   
>   files_dontaudit_search_all_mountpoints(policykit_t)
> +files_watch_etc_dirs(policykit_t)
> +files_watch_usr_dirs(policykit_t)
>   
>   fs_getattr_xattr_fs(policykit_t)
>   fs_list_inotifyfs(policykit_t)
> @@ -127,6 +129,7 @@ optional_policy(`
>   
>   optional_policy(`
>   	consolekit_read_pid_files(policykit_t)
> +	consolekit_watch_runtime_dir(policykit_t)
>   ')
>   
>   optional_policy(`

Merged.

-- 
Chris PeBenito


* Re: [PATCH 07/10] userdomain: Add watch on home dirs
From: Chris PeBenito @ 2020-02-17 18:31 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 2/16/20 3:03 PM, Jason Zaman wrote:
> avc:  denied  { watch } for  pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
> avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/xserver.if  |  11 +-
>   policy/modules/system/miscfiles.if  |  37 ++++++
>   policy/modules/system/userdomain.if |  15 +++
>   policy/modules/system/xdg.if        | 198 ++++++++++++++++++++++++++++
>   4 files changed, 260 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index c95a6b04..99c1a7ea 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
>   	dev_rw_usbfs($2)
>   
>   	miscfiles_read_fonts($2)
> +	miscfiles_watch_fonts_dirs($2)
>   
>   	xserver_common_x_domain_template(user, $2)
>   	xserver_domtrans($2)
> @@ -186,10 +187,13 @@ interface(`xserver_role',`
>   	optional_policy(`
>   		xdg_manage_all_cache($2)
>   		xdg_relabel_all_cache($2)
> +		xdg_watch_all_cache_dirs($2)
>   		xdg_manage_all_config($2)
>   		xdg_relabel_all_config($2)
> +		xdg_watch_all_config_dirs($2)
>   		xdg_manage_all_data($2)
>   		xdg_relabel_all_data($2)
> +		xdg_watch_all_data_dirs($2)
>   
>   		xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
>   		xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
> @@ -203,14 +207,19 @@ interface(`xserver_role',`
>   
>   		xdg_manage_documents($2)
>   		xdg_relabel_documents($2)
> +		xdg_watch_documents_dirs($2)
>   		xdg_manage_downloads($2)
>   		xdg_relabel_downloads($2)
> +		xdg_watch_downloads_dirs($2)
>   		xdg_manage_music($2)
>   		xdg_relabel_music($2)
> +		xdg_watch_music_dirs($2)
>   		xdg_manage_pictures($2)
>   		xdg_relabel_pictures($2)
> +		xdg_watch_pictures_dirs($2)
>   		xdg_manage_videos($2)
>   		xdg_relabel_videos($2)
> +		xdg_watch_videos_dirs($2)
>   
>   		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
>   	')
> @@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
>   	')
>   
>   	# Read per user fonts
> -	allow $1 user_fonts_t:dir list_dir_perms;
> +	allow $1 user_fonts_t:dir { list_dir_perms watch };
>   	allow $1 user_fonts_t:file { map read_file_perms };
>   
>   	# Manipulate the global font cache
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 47330a48..6fbacc04 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -252,6 +252,25 @@ interface(`miscfiles_manage_generic_tls_privkey_files',`
>   	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch fonts.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_watch_fonts_dirs',`
> +	gen_require(`
> +		type fonts_t;
> +	')
> +
> +	allow $1 fonts_t:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Read fonts.
> @@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
>   	manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch public files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`miscfiles_watch_public_dirs',`
> +	gen_require(`
> +		type public_content_rw_t;
> +	')
> +
> +	allow $1 public_content_rw_t:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Read TeX data
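Review bot: The summary of `miscfiles_watch_public_dirs` reads "Watch public files" but the interface grants only `public_content_rw_t:dir watch`, and unlike the neighbouring summaries it has no trailing period; `##	Watch public content directories.` describes the rule accurately. If the read-only public content type should be watchable as well it is not covered here, which may be intentional since the only caller, userdom_unpriv_user_template, pairs it with miscfiles_manage_public_files. Documentation only; the rule itself is fine.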
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index dd555850..6645c56a 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -285,6 +285,12 @@ interface(`userdom_ro_home_role',`
>   	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
>   	files_list_home($2)
>   
> +	allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 { user_home_t user_home_dir_t }:file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 { user_home_t user_home_dir_t }:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 { user_home_t user_home_dir_t }:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 { user_home_t user_home_dir_t }:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +
>   	tunable_policy(`use_nfs_home_dirs',`
>   		fs_list_nfs($2)
>   		fs_read_nfs_files($2)
> @@ -364,6 +370,12 @@ interface(`userdom_manage_home_role',`
>   	# cjp: this should probably be removed:
>   	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
>   
> +	allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 { user_home_t user_home_dir_t }:file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 { user_home_t user_home_dir_t }:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 { user_home_t user_home_dir_t }:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +	allow $2 { user_home_t user_home_dir_t }:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
> +

This hunk and the one above are overspecified.  There shouldn't be any 
user_home_dir_t files/lnk_files/sock_files/fifo_files.



>   	userdom_manage_user_certs($2)
>   	userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
>   
> @@ -618,6 +630,8 @@ template(`userdom_common_user_template',`
>   	files_read_var_lib_files($1_t)
>   	# Stat lost+found.
>   	files_getattr_lost_found_dirs($1_t)
> +	files_watch_etc_dirs($1_t)
> +	files_watch_usr_dirs($1_t)
>   
>   	fs_rw_cgroup_files($1_t)
>   
> @@ -1166,6 +1180,7 @@ template(`userdom_unpriv_user_template', `
>   	files_exec_usr_files($1_t)
>   
>   	miscfiles_manage_public_files($1_t)
> +	miscfiles_watch_public_dirs($1_t)
>   
>   	tunable_policy(`user_dmesg',`
>   		kernel_read_ring_buffer($1_t)
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> index 11fc4306..82304241 100644
> --- a/policy/modules/system/xdg.if
> +++ b/policy/modules/system/xdg.if
> @@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_cache_dirs',`
> +	gen_require(`
> +		type xdg_cache_t;
> +	')
> +
> +	allow $1 xdg_cache_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +##	Watch all the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_cache_dirs',`
> +	gen_require(`
> +		attribute xdg_cache_type;
> +	')
> +
> +	allow $1 xdg_cache_type:dir watch;
> +')
> +
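Review bot: `xdg_watch_all_cache_dirs` and the other new xdg watch interfaces are called with `$2` from xserver_role in xserver.if, yet none of them carries the `<rolecap/>` tag that `miscfiles_watch_fonts_dirs` in this same patch has for the same situation; if the existing xdg_manage_all_* interfaces carry the tag, add `## <rolecap/>` after the `</param>` line of each xdg_watch_all_*_dirs and xdg_watch_*_dirs interface (the same applies to the config, data and documents hunks of this file). The per-type variants such as `xdg_watch_cache_dirs` have no caller anywhere in this patch, which is harmless but means they are exercised by nothing in the series.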
>   ########################################
>   ## <summary>
>   ##	Read the xdg cache home files
> @@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_config_dirs',`
> +	gen_require(`
> +		type xdg_config_t;
> +	')
> +
> +	allow $1 xdg_config_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +##	Watch all the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_config_dirs',`
> +	gen_require(`
> +		attribute xdg_config_type;
> +	')
> +
> +	allow $1 xdg_config_type:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Read the xdg config home files
> @@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg data home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_data_dirs',`
> +	gen_require(`
> +		type xdg_data_t;
> +	')
> +
> +	allow $1 xdg_data_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +##	Watch all the xdg data home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_data_dirs',`
> +	gen_require(`
> +		attribute xdg_data_type;
> +	')
> +
> +	allow $1 xdg_data_type:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Read the xdg data home files
> @@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg documents home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_documents_dirs',`
> +	gen_require(`
> +		type xdg_documents_t;
> +	')
> +
> +	allow $1 xdg_documents_t:dir watch;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Create objects in the user home dir with an automatic type transition to
> @@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg downloads home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_downloads_dirs',`
> +	gen_require(`
> +		type xdg_downloads_t;
> +	')
> +
> +	allow $1 xdg_downloads_t:dir watch;
> +')
> +
>   #########################################
>   ## <summary>
>   ##	Read downloaded content
> @@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg pictures home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_pictures_dirs',`
> +	gen_require(`
> +		type xdg_pictures_t;
> +	')
> +
> +	allow $1 xdg_pictures_t:dir watch;
> +')
> +
>   #########################################
>   ## <summary>
>   ##	Read user pictures content
> @@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg music home directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_music_dirs',`
> +	gen_require(`
> +		type xdg_music_t;
> +	')
> +
> +	allow $1 xdg_music_t:dir watch;
> +')
> +
>   #########################################
>   ## <summary>
>   ##	Read user music content
> @@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
>   	userdom_search_user_home_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Watch the xdg video content
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_watch_videos_dirs',`
> +	gen_require(`
> +		type xdg_videos_t;
> +	')
> +
> +	allow $1 xdg_videos_t:dir watch;
> +')
> +
>   #########################################
>   ## <summary>
>   ##	Read user video content
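Review bot: The summary of xdg_watch_videos_dirs reads "Watch the xdg video content", which does not match the wording used by every sibling watch interface in this series ("Watch the xdg ... home directories") and also does not say it is directories that are being watched. Suggest `##	Watch the xdg videos home directories` so the generated interface documentation stays consistent with xdg_watch_music_dirs and the rest.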
> 


-- 
Chris PeBenito


* [PATCH 02/10] udev: Add watch perms
  2020-02-16  8:54 Jason Zaman
@ 2020-02-16  8:54 ` Jason Zaman
  0 siblings, 0 replies; 19+ messages in thread
From: Jason Zaman @ 2020-02-16  8:54 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

udevd watches all fixed disk device nodes and udevadm watches the udev runtime directory.

udevd[3010]: inotify_add_watch(6, /dev/sde, 10) failed: Permission denied

avc:  denied  { watch } for  pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" ino=19464 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
---
 policy/modules/kernel/storage.if | 20 ++++++++++++++++++++
 policy/modules/system/udev.te    |  3 +++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index c14bb13b..f9dcbaf5 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -364,6 +364,26 @@ interface(`storage_swapon_fixed_disk',`
 	allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Watch fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_watch_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file watch;
+	allow $1 fixed_disk_device_t:chr_file watch;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to get the attributes
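Review bot: The new storage_watch_fixed_disk interface grants watch on both blk_file and chr_file objects of fixed_disk_device_t, but the denial quoted in the commit message is for blk_file only; if character-device nodes labelled fixed_disk_device_t are what the chr_file rule is for, the summary should say so, otherwise the rule can be dropped so the interface stays as narrow as the observed need. A summary along the lines of `##	Watch fixed disk device nodes (block and character).` would document the intended scope. Whether the dev_list_all_dev_nodes($1) call follows the convention of the other fixed-disk interfaces cannot be confirmed from the visible context line of storage_swapon_fixed_disk.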
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 0ccbcb51..e0e27a9d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -154,6 +154,8 @@ selinux_compute_create_context(udev_t)
 selinux_compute_relabel_context(udev_t)
 selinux_compute_user_contexts(udev_t)
 
+storage_watch_fixed_disk(udev_t)
+
 auth_read_pam_console_data(udev_t)
 auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
@@ -401,6 +403,7 @@ delete_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
+allow udevadm_t udev_runtime_t:dir watch;
 
 list_dirs_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
 read_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
-- 
2.24.1


