From 5479cf39984593b8dc7e04fe443b5cde73926c0d Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Sep 15 2012 10:27:27 +0000 Subject: Changes to the accountsservice policy module Various fixes from Fedora Various cleanups Signed-off-by: Dominick Grift --- diff --git a/accountsd.fc b/accountsd.fc index 414e917..3cdf2dd 100644 --- a/accountsd.fc +++ b/accountsd.fc @@ -1,7 +1,7 @@ -/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) +/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) ifdef(`distro_debian',` /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) ') -/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) +/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) diff --git a/accountsd.if b/accountsd.if index c0f858d..0bb2658 100644 --- a/accountsd.if +++ b/accountsd.if @@ -1,13 +1,14 @@ -## AccountsService and daemon for manipulating user account information via D-Bus +## AccountsService and daemon for manipulating user account information via D-Bus. ######################################## ## -## Execute a domain transition to run accountsd. +## Execute a domain transition to +## run accountsd. ## ## -## -## Domain allowed access. -## +## +## Domain allowed to transition. +## ## # interface(`accountsd_domtrans',` @@ -15,17 +16,18 @@ interface(`accountsd_domtrans',` type accountsd_t, accountsd_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, accountsd_exec_t, accountsd_t) ') ######################################## ## -## Do not audit attempts to read and write Accounts Daemon -## fifo file. +## Do not audit attempts to read and +## write Accounts Daemon fifo files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # 
@@ -118,8 +120,8 @@ interface(`accountsd_manage_lib_files',` ######################################## ## -## All of the rules required to administrate -## an accountsd environment +## All of the rules required to +## administrate an accountsd environment. ## ## ## @@ -138,7 +140,7 @@ interface(`accountsd_admin',` type accountsd_t; ') - allow $1 accountsd_t:process { ptrace signal_perms getattr }; + allow $1 accountsd_t:process { ptrace signal_perms }; ps_process_pattern($1, accountsd_t) accountsd_manage_lib_files($1) diff --git a/accountsd.te b/accountsd.te index 4d67b7b..4cb2191 100644 --- a/accountsd.te +++ b/accountsd.te @@ -1,4 +1,4 @@ -policy_module(accountsd, 1.0.1) +policy_module(accountsd, 1.0.2) ######################################## # @@ -14,27 +14,33 @@ files_type(accountsd_var_lib_t) ######################################## # -# accountsd local policy +# Local policy # -allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; +allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace }; +allow accountsd_t self:process signal; allow accountsd_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) -files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir }) +files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir) kernel_read_kernel_sysctls(accountsd_t) +kernel_read_system_state(accountsd_t) corecmd_exec_bin(accountsd_t) -files_read_usr_files(accountsd_t) +dev_read_sysfs(accountsd_t) + files_read_mnt_files(accountsd_t) +files_read_usr_files(accountsd_t) +fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) fs_read_noxattr_fs_files(accountsd_t) auth_use_nsswitch(accountsd_t) +auth_read_login_records(accountsd_t) auth_read_shadow(accountsd_t) miscfiles_read_localization(accountsd_t) 
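Review bot: In `accountsd_admin` the rewritten allow rule still grants `ptrace` on `accountsd_t` to the calling domain. The `accountsd.te` part of this same patch shows that domain holding `auth_read_shadow` together with `setuid`, `setgid` and `dac_override`. Any role given this interface can therefore inspect the memory of a process that reads shadow entries, which is more than administering the service needs. Dropping `getattr` looks fine because `ps_process_pattern($1, accountsd_t)` appears to grant it already; I would narrow the rule further to `allow $1 accountsd_t:process signal_perms;` and grant ptrace separately, only where debugging is really required. The interface body continues past the end of this hunk.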
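Review bot: The capability line now adds `chown` to a domain that already holds `dac_override`, `setuid`, `setgid` and `sys_ptrace` and can read shadow, yet neither the hunk nor the commit message ("Various fixes from Fedora") records which operation needed it. The same gap applies to the new `allow accountsd_t self:process signal;`, `kernel_read_system_state`, `dev_read_sysfs` and `auth_read_login_records` grants. A short why-comment above each, for example `# chown: <operation and AVC denial that required it>`, would let a later reviewer tell a needed grant from an accumulated one and remove it when the daemon changes. Separately, with `files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)` a regular file created directly in /var/lib no longer receives `accountsd_var_lib_t`; that is the tighter choice, provided the daemon only ever writes inside its own directory, which is worth confirming.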
@@ -49,6 +55,7 @@ usermanage_domtrans_useradd(accountsd_t) usermanage_domtrans_passwd(accountsd_t) optional_policy(` + consolekit_dbus_chat(accountsd_t) consolekit_read_log(accountsd_t) ')