diff --git a/policy/centos8/rancher.te b/policy/centos8/rancher.te
index 71ff2f6..4c533b3 100644
--- a/policy/centos8/rancher.te
+++ b/policy/centos8/rancher.te
@@ -5,7 +5,7 @@ gen_require(`
 type kubernetes_file_t, container_log_t, syslogd_var_run_t;
 type var_log_t, container_var_run_t, container_var_lib_t;
 type iptables_var_run_t, var_run_t, kernel_t, rke_opt_t, security_t;
- class dir { open read search };
+ class dir { open read search watch };
 class file { getaddr getattr map open read watch relabelfrom relabelto };
 class lnk_file { getattr read };
 class tcp_socket { accept listen };
@@ -40,9 +40,9 @@ allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
-allow rke_logreader_t syslogd_var_run_t:dir read;
+allow rke_logreader_t syslogd_var_run_t:dir { read watch };
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
-allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:dir { read watch };
 allow rke_logreader_t var_log_t:file { getattr map open read watch };
 allow rke_logreader_t self:tcp_socket listen;
diff --git a/policy/centos9/rancher.te b/policy/centos9/rancher.te
index 9d6ef36..3f9dc52 100644
--- a/policy/centos9/rancher.te
+++ b/policy/centos9/rancher.te
@@ -5,7 +5,7 @@ gen_require(`
 type kubernetes_file_t, container_log_t, syslogd_var_run_t;
 type var_log_t, container_var_run_t, container_var_lib_t;
 type iptables_var_run_t, var_run_t, kernel_t, rke_opt_t;
- class dir { open read search };
+ class dir { open read search watch };
 class file { getaddr getattr map open read watch relabelfrom relabelto };
 class lnk_file { getattr read };
 class tcp_socket { accept listen };
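Review bot: The new `watch` grants on `syslogd_var_run_t:dir` and `var_log_t:dir` extend rke_logreader_t to inotify/fanotify directory watches over all of /var/log and the syslog runtime directory, but nothing in the hunk records which denial or which reader behaviour needs them, so a later audit cannot tell whether the permission is still required. Add a comment above the first changed rule, e.g. `# watch: fsnotify on the log directories, presumably so new or rotated log files are noticed (AVC: <paste the denial that motivated this>)`, replacing the placeholder with the actual denial. Because `read` on these directories was already allowed, the additional exposure is limited to change notifications on directory entries, which is a proportionate grant for a log reader. The same pair of rules is changed in the centos9, fedora41 and microos hunks, so the comment belongs in each of them.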
@@ -40,9 +40,9 @@ allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
-allow rke_logreader_t syslogd_var_run_t:dir read;
+allow rke_logreader_t syslogd_var_run_t:dir { read watch };
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
-allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:dir { read watch };
 allow rke_logreader_t var_log_t:file { getattr map open read watch };
 allow rke_logreader_t self:tcp_socket listen;
diff --git a/policy/fedora41/rancher.te b/policy/fedora41/rancher.te
index 7a41d2d..6411da5 100644
--- a/policy/fedora41/rancher.te
+++ b/policy/fedora41/rancher.te
@@ -4,7 +4,7 @@ gen_require(`
 type container_runtime_t, unconfined_service_t, container_file_t;
 type kubernetes_file_t, container_log_t, syslogd_var_run_t, var_log_t;
 type container_var_run_t, iptables_var_run_t, var_run_t, kernel_t;
- class dir { open read search };
+ class dir { open read search watch };
 class file { getaddr open read watch };
 class lnk_file { getattr read };
 class tcp_socket { listen };
@@ -36,9 +36,9 @@ allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
-allow rke_logreader_t syslogd_var_run_t:dir read;
+allow rke_logreader_t syslogd_var_run_t:dir { read watch };
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
-allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:dir { read watch };
 allow rke_logreader_t var_log_t:file { getattr map open read };
 allow rke_logreader_t self:tcp_socket listen;
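Review bot: In the fedora41 hunk the directory rules gain `watch` while the file rule two lines below stays `allow rke_logreader_t var_log_t:file { getattr map open read };`, so the reader can be notified of new entries in /var/log but still cannot place a watch on the log files themselves, whereas the centos8 and centos9 policies in this same commit grant `watch` on `var_log_t:file`. If the denial that motivated the change came from a tailer that uses fsnotify on both directories and files, fedora41 will keep producing file-watch denials; the fix consistent with the other policies is `allow rke_logreader_t var_log_t:file { getattr map open read watch };`. The microos hunk has the same gap in `allow rke_logreader_t var_log_t:file { getattr open read };` and in the `container_log_t:file { getattr open read }` context line, and its gen_require already lists `watch` under `class file`, so only the allow rules would need the permission. If the per-distribution differences are deliberate, a one-line comment saying so next to these rules would keep the four policies auditable against each other.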
diff --git a/policy/microos/rancher.te b/policy/microos/rancher.te
index 11d1608..0cdb54e 100644
--- a/policy/microos/rancher.te
+++ b/policy/microos/rancher.te
@@ -5,7 +5,7 @@ gen_require(`
 type kubernetes_file_t, container_log_t, syslogd_var_run_t;
 type var_log_t, container_var_run_t, container_var_lib_t;
 type iptables_var_run_t, var_run_t, kernel_t, rke_opt_t;
- class dir { open read search };
+ class dir { open read search watch };
 class file { getaddr getattr map open read watch relabelfrom relabelto };
 class lnk_file { getattr read };
 class tcp_socket { accept listen };
@@ -40,9 +40,9 @@ allow rke_logreader_t container_log_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
-allow rke_logreader_t syslogd_var_run_t:dir read;
+allow rke_logreader_t syslogd_var_run_t:dir { read watch };
 allow rke_logreader_t syslogd_var_run_t:file { getattr open read };
-allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:dir { read watch };
 allow rke_logreader_t var_log_t:file { getattr open read };
 ############################################################################