policy_module(accountsd, 1.5.0) gen_require(` class passwd all_passwd_perms; ') ######################################## # # Declarations # type accountsd_t; type accountsd_exec_t; dbus_system_domain(accountsd_t, accountsd_exec_t) type accountsd_var_lib_t; files_type(accountsd_var_lib_t) ######################################## # # Local policy # allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace }; allow accountsd_t self:process signal; allow accountsd_t self:fifo_file rw_fifo_file_perms; allow accountsd_t self:passwd { rootok passwd chfn chsh }; manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir) kernel_read_crypto_sysctls(accountsd_t) kernel_read_kernel_sysctls(accountsd_t) kernel_read_system_state(accountsd_t) corecmd_exec_bin(accountsd_t) dev_read_sysfs(accountsd_t) files_read_mnt_files(accountsd_t) files_read_usr_files(accountsd_t) files_watch_etc_dirs(accountsd_t) fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) fs_read_noxattr_fs_files(accountsd_t) auth_use_nsswitch(accountsd_t) auth_read_login_records(accountsd_t) auth_read_shadow(accountsd_t) miscfiles_read_localization(accountsd_t) logging_list_logs(accountsd_t) logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) logging_watch_generic_logs_dir(accountsd_t) userdom_read_user_tmp_files(accountsd_t) userdom_read_user_home_content_files(accountsd_t) usermanage_domtrans_useradd(accountsd_t) usermanage_domtrans_passwd(accountsd_t) optional_policy(` policykit_dbus_chat(accountsd_t) ') optional_policy(` xserver_read_xdm_tmp_files(accountsd_t) ')