accountsd policy from Dan Walsh

Edits:
 - Removed accountsd_manage_var_lib
 - Removed optional block for xserver - these interfaces didn't exist
 - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid
 - Whitespace and style fixes

policy/modules/admin/accountsd.fc

@@ -0,0 +1,3 @@
+/usr/libexec/accounts-daemon		--	gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+/var/lib/AccountsService(/.*)?			gen_context(system_u:object_r:accountsd_var_lib_t,s0)

policy/modules/admin/accountsd.if

@@ -0,0 +1,144 @@
+## <summary>AccountsService and daemon for manipulating user account information via D-Bus</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run accountsd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_domtrans',`
+	gen_require(`
+		type accountsd_t, accountsd_exec_t;
+	')
+
+	domtrans_pattern($1, accountsd_exec_t, accountsd_t)
+')
+
+########################################
+## <summary>
+##	Search accountsd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_search_lib',`
+	gen_require(`
+		type accountsd_var_lib_t;
+	')
+
+	allow $1 accountsd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read accountsd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_read_lib_files',`
+	gen_require(`
+		type accountsd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	accountsd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_manage_lib_files',`
+	gen_require(`
+		type accountsd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	accountsd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_dbus_chat',`
+	gen_require(`
+		type accountsd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 accountsd_t:dbus send_msg;
+	allow accountsd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write Accounts Daemon
+##	fifo file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_dontaudit_rw_fifo_file',`
+	gen_require(`
+		type accountsd_t;
+	')
+
+	dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an accountsd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`accountsd_admin',`
+	gen_require(`
+		type accountsd_t;
+	')
+	allow $1 accountsd_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, accountsd_t, accountsd_t)
+
+	accountsd_manage_lib_files($1)
+')

policy/modules/admin/accountsd.te

@@ -0,0 +1,57 @@
+policy_module(accountsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type accountsd_t;
+type accountsd_exec_t;
+dbus_system_domain(accountsd_t, accountsd_exec_t)
+
+type accountsd_var_lib_t;
+files_type(accountsd_var_lib_t)
+
+########################################
+#
+# accountsd local policy
+#
+allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
+
+allow accountsd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir } )
+
+kernel_read_kernel_sysctls(accountsd_t)
+
+corecmd_exec_bin(accountsd_t)
+
+files_read_usr_files(accountsd_t)
+files_read_mnt_files(accountsd_t)
+
+fs_list_inotifyfs(accountsd_t)
+fs_read_noxattr_fs_files(accountsd_t)
+
+auth_use_nsswitch(accountsd_t)
+auth_read_shadow(accountsd_t)
+
+miscfiles_read_localization(accountsd_t)
+
+logging_send_syslog_msg(accountsd_t)
+logging_set_loginuid(accountsd_t)
+
+userdom_read_user_tmp_files(accountsd_t)
+userdom_read_user_home_content_files(accountsd_t)
+
+usermanage_domtrans_useradd(accountsd_t)
+usermanage_domtrans_passwd(accountsd_t)
+
+optional_policy(`
+	consolekit_read_log(accountsd_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(accountsd_t)
+')