[selinux-policy: 2795/3172] Accountsd cleanup.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:08:45 UTC 2010


commit 8da88970be3fd067a0b757488e56531f967c2350
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Aug 3 09:50:40 2010 -0400

    Accountsd cleanup.

 policy/modules/services/accountsd.if |   55 +++++++++++++++++----------------
 policy/modules/services/accountsd.te |    4 +-
 2 files changed, 30 insertions(+), 29 deletions(-)
---
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
index 292dadd..c0f858d 100644
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
@@ -20,7 +20,8 @@ interface(`accountsd_domtrans',`
 
 ########################################
 ## <summary>
-##	Search accountsd lib directories.
+##	Do not audit attempts to read and write Accounts Daemon
+##	fifo file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -28,18 +29,18 @@ interface(`accountsd_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`accountsd_search_lib',`
+interface(`accountsd_dontaudit_rw_fifo_file',`
 	gen_require(`
-		type accountsd_var_lib_t;
+		type accountsd_t;
 	')
 
-	allow $1 accountsd_var_lib_t:dir search_dir_perms;
-	files_search_var_lib($1)
+	dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read accountsd lib files.
+##	Send and receive messages from
+##	accountsd over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
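Review bot: The rebuilt `accountsd_dontaudit_rw_fifo_file` at line 44 suppresses `rw_fifo_file_perms`, whereas the removed copy of the same interface (the `-` line at 142, further down this patch) used `rw_inherited_fifo_file_perms`, so this hunk is a semantic change rather than the pure reorder the rest of the file looks like. As the two sets are defined in refpolicy's obj_perm_sets.spt, the non-inherited variant additionally covers `open`, which is the one permission a domain holding an inherited pipe fd should never need; silencing it would also hide a domain trying to re-open the daemon's pipe through /proc/PID/fd. If the wider set is deliberate because this tree lacks the inherited variant, say so in the summary; otherwise restore `dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms;`.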
@@ -47,19 +48,19 @@ interface(`accountsd_search_lib',`
 ##	</summary>
 ## </param>
 #
-interface(`accountsd_read_lib_files',`
+interface(`accountsd_dbus_chat',`
 	gen_require(`
-		type accountsd_var_lib_t;
+		type accountsd_t;
+		class dbus send_msg;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+	allow $1 accountsd_t:dbus send_msg;
+	allow accountsd_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	accountsd lib files.
+##	Search accountsd lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
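Review bot: The summary at lines 50-51 should state what `accountsd_dbus_chat` does not grant: the two rules at lines 69-70 only authorize `dbus send_msg` between `$1` and accountsd_t in both directions, and presumably do not by themselves make `$1` a client of the bus accountsd sits on, so a caller that is not already a system bus client will still be denied at connect time. Suggest extending the summary with `##	The caller must already be a system bus client; this only authorizes message exchange with accountsd.` Documenting that here spares every caller of the interface from rediscovering it through a denial.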
@@ -67,19 +68,18 @@ interface(`accountsd_read_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`accountsd_manage_lib_files',`
+interface(`accountsd_search_lib',`
 	gen_require(`
 		type accountsd_var_lib_t;
 	')
 
+	allow $1 accountsd_var_lib_t:dir search_dir_perms;
 	files_search_var_lib($1)
-	manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Send and receive messages from
-##	accountsd over dbus.
+##	Read accountsd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -87,20 +87,19 @@ interface(`accountsd_manage_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`accountsd_dbus_chat',`
+interface(`accountsd_read_lib_files',`
 	gen_require(`
-		type accountsd_t;
-		class dbus send_msg;
+		type accountsd_var_lib_t;
 	')
 
-	allow $1 accountsd_t:dbus send_msg;
-	allow accountsd_t $1:dbus send_msg;
+	files_search_var_lib($1)
+	read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and write Accounts Daemon
-##	fifo file.
+##	Create, read, write, and delete
+##	accountsd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -108,12 +107,13 @@ interface(`accountsd_dbus_chat',`
 ##	</summary>
 ## </param>
 #
-interface(`accountsd_dontaudit_rw_fifo_file',`
+interface(`accountsd_manage_lib_files',`
 	gen_require(`
-		type accountsd_t;
+		type accountsd_var_lib_t;
 	')
 
-	dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms;
+	files_search_var_lib($1)
+	manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
 ')
 
 ########################################
@@ -137,8 +137,9 @@ interface(`accountsd_admin',`
 	gen_require(`
 		type accountsd_t;
 	')
+
 	allow $1 accountsd_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, accountsd_t, accountsd_t)
+	ps_process_pattern($1, accountsd_t)
 
 	accountsd_manage_lib_files($1)
 ')
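Review bot: The `ptrace` grant on line 153 is left untouched while the commit only corrects the process-reading pattern; because the daemon's own domain is allowed `dac_override setuid setgid sys_ptrace` (line 169 of accountsd.te in this patch), ptrace over accountsd_t can let the admin domain act with those capabilities by steering the daemon, so it is worth confirming the admin role needs more than `signal_perms getattr` plus `ps_process_pattern`. If ptrace is kept, a why-comment such as `# ptrace: lets the admin role attach a debugger to the running daemon` would mark the grant as deliberate rather than inherited from the admin template. `accountsd_admin` opens before this hunk, so its summary block is not visible here.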
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index eced3f6..1632f10 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -16,13 +16,13 @@ files_type(accountsd_var_lib_t)
 #
 # accountsd local policy
 #
-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
 
+allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
 allow accountsd_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
 manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
-files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir } )
+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
 
 kernel_read_kernel_sysctls(accountsd_t)
 

