From 8f2bc7350094d47d30329bb71a61015b285f5d90 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Sun, 10 Dec 2023 20:15:07 -0500 Subject: [PATCH] Allow policykit to watch its directory. node=localhost type=AVC msg=audit(1701959029.653:505): avc: denied { watch } for pid=1861 comm="pkla-check-auth" path="/var/lib/polkit-1/localauthority/10-vendor.d" dev="dm-9" ino=262176 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:policykit_var_lib_t:s0 tclass=dir permissive=1 Signed-off-by: Dave Sugar --- policy/modules/services/policykit.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 82e9d5557e..78b8a92a39 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -76,6 +76,7 @@ allow policykit_t self:unix_stream_socket { accept connectto listen }; rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) +allow policykit_t policykit_var_lib_t:dir watch; manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t) manage_dirs_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
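Review bot: the added `allow policykit_t policykit_var_lib_t:dir watch;` line is justified only by the raw AVC in the commit message, with no statement of why `pkla-check-auth` places a watch on `/var/lib/polkit-1/localauthority/10-vendor.d`. The rule itself is tight: it grants exactly the class (`dir`) and permission (`watch`) from the denial and nothing broader, and it sits next to the existing `manage_files_pattern` for the same type, which is the right grouping. Please add one sentence to the commit message describing the behaviour that triggers the watch, so a later reader can judge whether the grant is still needed. The quoted denial was also recorded with `permissive=1`; it would be worth confirming on an enforcing system that this single rule is sufficient and that no related denial on `policykit_var_lib_t` remains.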