diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
index 292dadd..c0f858d 100644
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
@@ -20,7 +20,8 @@ interface(`accountsd_domtrans',`
########################################
##
-## Search accountsd lib directories.
+## Do not audit attempts to read and write Accounts Daemon
+## fifo file.
##
##
##
@@ -28,18 +29,18 @@ interface(`accountsd_domtrans',`
##
##
#
-interface(`accountsd_search_lib',`
+interface(`accountsd_dontaudit_rw_fifo_file',`
gen_require(`
- type accountsd_var_lib_t;
+ type accountsd_t;
')
- allow $1 accountsd_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
+ dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
')
########################################
##
-## Read accountsd lib files.
+## Send and receive messages from
+## accountsd over dbus.
##
##
##
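Review bot: The relocated `accountsd_dontaudit_rw_fifo_file` is not a pure move, because its rule now uses `rw_fifo_file_perms` where the copy removed further down in this diff used `rw_inherited_fifo_file_perms`. Judging by the macro names, the wider set presumably adds `open`, so a denial where the caller opens an accountsd_t fifo itself, rather than using an inherited descriptor, would no longer reach the audit log. If only leaked descriptors are meant to be silenced and that macro is still defined in this tree, keep `dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms;`. Otherwise the commit message should say the permission set was changed on purpose, since the rest of this file's diff reads as a reorder.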
@@ -47,19 +48,19 @@ interface(`accountsd_search_lib',`
##
##
#
-interface(`accountsd_read_lib_files',`
+interface(`accountsd_dbus_chat',`
gen_require(`
- type accountsd_var_lib_t;
+ type accountsd_t;
+ class dbus send_msg;
')
- files_search_var_lib($1)
- read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+ allow $1 accountsd_t:dbus send_msg;
+ allow accountsd_t $1:dbus send_msg;
')
########################################
##
-## Create, read, write, and delete
-## accountsd lib files.
+## Search accountsd lib directories.
##
##
##
@@ -67,19 +68,18 @@ interface(`accountsd_read_lib_files',`
##
##
#
-interface(`accountsd_manage_lib_files',`
+interface(`accountsd_search_lib',`
gen_require(`
type accountsd_var_lib_t;
')
+ allow $1 accountsd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
- manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
')
########################################
##
-## Send and receive messages from
-## accountsd over dbus.
+## Read accountsd lib files.
##
##
##
@@ -87,20 +87,19 @@ interface(`accountsd_manage_lib_files',`
##
##
#
-interface(`accountsd_dbus_chat',`
+interface(`accountsd_read_lib_files',`
gen_require(`
- type accountsd_t;
- class dbus send_msg;
+ type accountsd_var_lib_t;
')
- allow $1 accountsd_t:dbus send_msg;
- allow accountsd_t $1:dbus send_msg;
+ files_search_var_lib($1)
+ read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
')
########################################
##
-## Do not audit attempts to read and write Accounts Daemon
-## fifo file.
+## Create, read, write, and delete
+## accountsd lib files.
##
##
##
@@ -108,12 +107,13 @@ interface(`accountsd_dbus_chat',`
##
##
#
-interface(`accountsd_dontaudit_rw_fifo_file',`
+interface(`accountsd_manage_lib_files',`
gen_require(`
- type accountsd_t;
+ type accountsd_var_lib_t;
')
- dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms;
+ files_search_var_lib($1)
+ manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
')
########################################
@@ -137,8 +137,9 @@ interface(`accountsd_admin',`
gen_require(`
type accountsd_t;
')
+
allow $1 accountsd_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, accountsd_t, accountsd_t)
+ ps_process_pattern($1, accountsd_t)
accountsd_manage_lib_files($1)
')
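Review bot: The `allow` line kept above the new `ps_process_pattern($1, accountsd_t)` still lists `getattr`, which the pattern, as defined in the reference policy support macros, already grants on the process class, so it could shrink to `allow $1 accountsd_t:process { ptrace signal_perms };`. That same line gives every caller of `accountsd_admin` `ptrace` over a domain that accountsd.te allows `dac_override setuid setgid sys_ptrace`, so the interface summary should state this for anyone granting the admin role. `ps_process_pattern` is also presumably wider than the `read_files_pattern` it replaces, adding directory listing and symlink reads on the process's /proc entries, which looks intended but is worth confirming. The interface body starts outside this hunk.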
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index eced3f6..1632f10 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -16,13 +16,13 @@ files_type(accountsd_var_lib_t)
#
# accountsd local policy
#
-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
allow accountsd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
-files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir } )
+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
kernel_read_kernel_sysctls(accountsd_t)