selinux-policy/policy/modules/services/accountsd.if

## <summary>AccountsService and daemon for manipulating user account information via D-Bus</summary>

########################################
## <summary>
##	Execute a domain transition to run accountsd.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`accountsd_domtrans',`
	gen_require(`
		type accountsd_t, accountsd_exec_t;
	')

	domtrans_pattern($1, accountsd_exec_t, accountsd_t)
')

########################################
## <summary>
##	Do not audit attempts to read and write Accounts Daemon
##	fifo file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`accountsd_dontaudit_rw_fifo_file',`
	gen_require(`
		type accountsd_t;
	')

	dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Send and receive messages from
##	accountsd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`accountsd_dbus_chat',`
	gen_require(`
		type accountsd_t;
		class dbus send_msg;
	')

	allow $1 accountsd_t:dbus send_msg;
	allow accountsd_t $1:dbus send_msg;
')

########################################
## <summary>
##	Search accountsd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`accountsd_search_lib',`
	gen_require(`
		type accountsd_var_lib_t;
	')

	allow $1 accountsd_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Read accountsd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`accountsd_read_lib_files',`
	gen_require(`
		type accountsd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	accountsd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`accountsd_manage_lib_files',`
	gen_require(`
		type accountsd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	an accountsd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`accountsd_admin',`
	gen_require(`
		type accountsd_t;
	')

	allow $1 accountsd_t:process { ptrace signal_perms getattr };
	ps_process_pattern($1, accountsd_t)

	accountsd_manage_lib_files($1)
')
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`## <summary>AccountsService and daemon for manipulating user account information via D-Bus</summary>`

			`########################################`
			`## <summary>`
			`## Execute a domain transition to run accountsd.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`accountsd_domtrans',`
			gen_require(`
			`type accountsd_t, accountsd_exec_t;`
			`')`

			`domtrans_pattern($1, accountsd_exec_t, accountsd_t)`
			`')`

			`########################################`
			`## <summary>`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`## Do not audit attempts to read and write Accounts Daemon`
			`## fifo file.`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			interface(`accountsd_dontaudit_rw_fifo_file',`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			gen_require(`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`type accountsd_t;`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`')`

Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`')`

			`########################################`
			`## <summary>`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`## Send and receive messages from`
			`## accountsd over dbus.`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			interface(`accountsd_dbus_chat',`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			gen_require(`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`type accountsd_t;`
			`class dbus send_msg;`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`')`

Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`allow $1 accountsd_t:dbus send_msg;`
			`allow accountsd_t $1:dbus send_msg;`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`')`

			`########################################`
			`## <summary>`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`## Search accountsd lib directories.`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			interface(`accountsd_search_lib',`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			gen_require(`
			`type accountsd_var_lib_t;`
			`')`

Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`allow $1 accountsd_var_lib_t:dir search_dir_perms;`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`files_search_var_lib($1)`
			`')`

			`########################################`
			`## <summary>`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`## Read accountsd lib files.`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			interface(`accountsd_read_lib_files',`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			gen_require(`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`type accountsd_var_lib_t;`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`')`

Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`files_search_var_lib($1)`
			`read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`')`

			`########################################`
			`## <summary>`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`## Create, read, write, and delete`
			`## accountsd lib files.`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			interface(`accountsd_manage_lib_files',`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			gen_require(`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`type accountsd_var_lib_t;`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`')`

Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`files_search_var_lib($1)`
			`manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`')`

			`########################################`
			`## <summary>`
			`## All of the rules required to administrate`
			`## an accountsd environment`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## Role allowed access.`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			interface(`accountsd_admin',`
			gen_require(`
			`type accountsd_t;`
			`')`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00			`allow $1 accountsd_t:process { ptrace signal_perms getattr };`
Accountsd cleanup. 2010-08-03 13:50:40 +00:00			`ps_process_pattern($1, accountsd_t)`
accountsd policy from Dan Walsh Edits: - Removed accountsd_manage_var_lib - Removed optional block for xserver - these interfaces didn't exist - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid - Whitespace and style fixes 2010-07-14 18:45:39 +00:00
			`accountsd_manage_lib_files($1)`
			`')`