# Description: Can use Online Accounts. This policy group is reserved for
#  vetted applications only in this version of the policy. Once LP: #1230091
#  is fixed, this can be moved out of reserved status.
# Usage: reserved
# Read-only, recursive access to the files shipped under /usr/share/accounts.
/usr/share/accounts/** r,

# Session-bus access to the Accounts SSO single sign-on D-Bus API, in both
# directions (send and receive). This first rule is pinned to one object path
# and one interface.
dbus (receive, send)
     bus=session
     path=/com/google/code/AccountsSSO/SingleSignOn
     interface=com.google.code.AccountsSSO.SingleSignOn.AuthService,
# The next two rules carry no path= condition, so they match their interface on
# any object path. None of the three rules carries a peer=(...) condition, so
# the policy does not restrict which session-bus peer is on the other end.
# NOTE(review): presumably the paths are left open because session/identity
#   objects are created dynamically - confirm. If the SSO daemon runs under a
#   known label, consider pinning peer=(label=...) so a confined app can only
#   exchange these messages with the daemon itself.
dbus (receive, send)
     bus=session
     interface=com.google.code.AccountsSSO.SingleSignOn.AuthSession,
dbus (receive, send)
     bus=session
     interface=com.google.code.AccountsSSO.SingleSignOn.Identity,

# p2p support uses a named unix socket
# Write-only access (no read). The '*' matches any per-user directory name
# under /run/user or /var/run/user; the 'owner' qualifier is what limits the
# match to a socket owned by the calling user.
owner /{,var/}run/user/*/signond/socket w,

# read access to accounts.db is ok
# 'rk' = read plus file locking. The trailing '*' also covers sibling files
# whose names start with accounts.db (presumably database journal files -
# confirm).
owner @{HOME}/.config/libaccounts-glib/accounts.db* rk,
# FIXME: LP: #1220713 - online accounts currently tries rw and falls back to
#        ro. This can go away once an access() LSM hook is implemented. For
#        now, just silence the denial.
# Side effects of using an explicit deny here:
#  - deny takes precedence over allow, so no other rule merged into the same
#    profile can grant write access to these files;
#  - accesses blocked by a deny rule are not logged unless the rule is written
#    as 'audit deny', so a confined app's write attempts against accounts.db
#    leave no AppArmor denial in the audit log;
#  - unlike the read rule above, this rule is not 'owner'-qualified and so
#    applies regardless of who owns the file.
deny @{HOME}/.config/libaccounts-glib/accounts.db* w,
