diff --git a/accountsd.fc b/accountsd.fc
index 414e917..3cdf2dd 100644
--- a/accountsd.fc
+++ b/accountsd.fc
@@ -1,7 +1,7 @@
-/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
ifdef(`distro_debian',`
/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
')
-/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
+/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff --git a/accountsd.if b/accountsd.if
index c0f858d..0bb2658 100644
--- a/accountsd.if
+++ b/accountsd.if
@@ -1,13 +1,14 @@
-## AccountsService and daemon for manipulating user account information via D-Bus
+## AccountsService and daemon for manipulating user account information via D-Bus.
########################################
##
-## Execute a domain transition to run accountsd.
+## Execute a domain transition to
+## run accountsd.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed to transition.
+##
##
#
interface(`accountsd_domtrans',`
@@ -15,17 +16,18 @@ interface(`accountsd_domtrans',`
type accountsd_t, accountsd_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, accountsd_exec_t, accountsd_t)
')
########################################
##
-## Do not audit attempts to read and write Accounts Daemon
-## fifo file.
+## Do not audit attempts to read and
+## write Accounts Daemon fifo files.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -118,8 +120,8 @@ interface(`accountsd_manage_lib_files',`
########################################
##
-## All of the rules required to administrate
-## an accountsd environment
+## All of the rules required to
+## administrate an accountsd environment.
##
##
##
@@ -138,7 +140,7 @@ interface(`accountsd_admin',`
type accountsd_t;
')
- allow $1 accountsd_t:process { ptrace signal_perms getattr };
+ allow $1 accountsd_t:process { ptrace signal_perms };
ps_process_pattern($1, accountsd_t)
accountsd_manage_lib_files($1)
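Review bot: Dropping `getattr` from the `allow $1 accountsd_t:process { ptrace signal_perms };` line only stays correct because `ps_process_pattern($1, accountsd_t)` on the next line supplies process getattr itself; a comment above the allow, `# process getattr comes from ps_process_pattern below`, would keep a later editor from re-adding it or from removing the pattern call without noticing the dependency. The `ptrace` grant that remains gives the admin domain full control over the running accountsd_t process, which is the usual scope of a refpolicy admin interface, so no change is proposed there. The accountsd_admin body continues outside the hunk.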
diff --git a/accountsd.te b/accountsd.te
index 4d67b7b..4cb2191 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -1,4 +1,4 @@
-policy_module(accountsd, 1.0.1)
+policy_module(accountsd, 1.0.2)
########################################
#
@@ -14,27 +14,33 @@ files_type(accountsd_var_lib_t)
########################################
#
-# accountsd local policy
+# Local policy
#
-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
-files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
kernel_read_kernel_sysctls(accountsd_t)
+kernel_read_system_state(accountsd_t)
corecmd_exec_bin(accountsd_t)
-files_read_usr_files(accountsd_t)
+dev_read_sysfs(accountsd_t)
+
files_read_mnt_files(accountsd_t)
+files_read_usr_files(accountsd_t)
+fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
fs_read_noxattr_fs_files(accountsd_t)
auth_use_nsswitch(accountsd_t)
+auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
miscfiles_read_localization(accountsd_t)
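Review bot: The `chown` capability added to `allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };` is process-wide rather than scoped to accountsd_var_lib_t, and together with the existing `dac_override` it lets the daemon re-own any file it can reach, so the line should record what it is for; a comment such as `# chown: <object whose ownership accountsd changes — take from the motivating denial>` above it lets a later audit check whether the grant is still needed. The narrowed `files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)` still labels every directory accountsd_t creates directly under /var/lib as accountsd_var_lib_t; if the base policy this module builds against supports named file transitions, `files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir, "AccountsService")` confines the transition to the path declared in accountsd.fc. The other additions in this hunk (`kernel_read_system_state`, `dev_read_sysfs`, `fs_getattr_xattr_fs`, `auth_read_login_records`, `self:process signal`) are read-only or self-directed and look proportionate.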
@@ -49,6 +55,7 @@ usermanage_domtrans_useradd(accountsd_t)
usermanage_domtrans_passwd(accountsd_t)
optional_policy(`
+ consolekit_dbus_chat(accountsd_t)
consolekit_read_log(accountsd_t)
')