From 2604f497d25b5a43f704c69eb9d476c51d02bd77 Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Wed, 27 Mar 2024 13:10:14 +0100
Subject: [PATCH] confined: Allow watching mount_var_run_t

Systems with graphical interface enabled need to watch /run/mount/utab.event

Related: https://issues.redhat.com/browse/RHEL-23637

Signed-off-by: Vit Mojzis
---
 udica/macros/confined_user_macros.cil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/udica/macros/confined_user_macros.cil b/udica/macros/confined_user_macros.cil
index dcb5198..fd3c2bb 100644
--- a/udica/macros/confined_user_macros.cil
+++ b/udica/macros/confined_user_macros.cil
@@ -3078,7 +3078,7 @@
  (allow utype locale_t (dir (getattr open search)))
  (allow utype locale_t (lnk_file (getattr watch)))
  (allow utype mount_var_run_t (dir (getattr open search)))
- (allow utype mount_var_run_t (file (ioctl read getattr lock open)))
+ (allow utype mount_var_run_t (file (ioctl read getattr lock open watch)))
  (allow utype mount_var_run_t (dir (getattr open search)))
  (allow utype mount_var_run_t (dir (ioctl read getattr lock open search watch watch_reads)))
  (allow utype var_t (lnk_file (read getattr)))
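Review bot: The added `watch` on the `mount_var_run_t` file rule is granted for every file carrying that label, not only /run/mount/utab.event named in the commit message, and nothing in the policy records why a confined user needs it; a CIL comment directly above the rule, such as `; watch: desktop sessions (udisks/libmount) inotify-watch /run/mount/utab.event, RHEL-23637`, would stop the next reviewer from tightening it back. The directory rule two lines below already carries `watch` and `watch_reads`, while the file rule gets only `watch` — presumably utab.event is only written, never read by the watcher, but if a later denial appears it will most likely be `watch_reads` on this same rule, so the comment could note that. Separately, the two identical `(allow utype mount_var_run_t (dir (getattr open search)))` lines in the context are both subsumed by that broader dir rule and could be dropped in a follow-up. The enclosing macro starts and ends outside this hunk.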