Accountsd cleanup.

2010-08-03 09:50:40 -04:00 · 2010-08-03 09:50:40 -04:00 · 8da88970be
parent d0eebed0b7
commit 8da88970be
2 changed files with 44 additions and 43 deletions
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
@ -18,6 +18,46 @@ interface(`accountsd_domtrans',`
 	domtrans_pattern($1, accountsd_exec_t, accountsd_t)
 ')

+########################################
+## <summary>
+##	Do not audit attempts to read and write Accounts Daemon
+##	fifo file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_dontaudit_rw_fifo_file',`
+	gen_require(`
+		type accountsd_t;
+	')
+
+	dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	accountsd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_dbus_chat',`
+	gen_require(`
+		type accountsd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 accountsd_t:dbus send_msg;
+	allow accountsd_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Search accountsd lib directories.
@ -76,46 +116,6 @@ interface(`accountsd_manage_lib_files',`
 	manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
 ')

-########################################
-## <summary>
-##	Send and receive messages from
-##	accountsd over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`accountsd_dbus_chat',`
-	gen_require(`
-		type accountsd_t;
-		class dbus send_msg;
-	')
-
-	allow $1 accountsd_t:dbus send_msg;
-	allow accountsd_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write Accounts Daemon
-##	fifo file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`accountsd_dontaudit_rw_fifo_file',`
-	gen_require(`
-		type accountsd_t;
-	')
-
-	dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms;
-')
-
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
@ -137,8 +137,9 @@ interface(`accountsd_admin',`
 	gen_require(`
 		type accountsd_t;
 	')
+
 	allow $1 accountsd_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, accountsd_t, accountsd_t)
+	ps_process_pattern($1, accountsd_t)

 	accountsd_manage_lib_files($1)
 ')
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@ -16,13 +16,13 @@ files_type(accountsd_var_lib_t)
 #
 # accountsd local policy
 #
-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };

+allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
 allow accountsd_t self:fifo_file rw_fifo_file_perms;

 manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
 manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
-files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir } )
+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })

 kernel_read_kernel_sysctls(accountsd_t)