Comment 5 for bug 1220552

Hi Jamie, so, there are two pieces that the accounts policy group should allow:
1) Access the signond dbus interfaces and socket (correctly done by the policy you pasted in comment #3)
2) Allow access to the accounts DB, as in https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement#Ubuntu_Online_Accounts

The accounts DB is a sqlite file containing the list of the accounts, what services are enabled/disabled, and maybe some settings. It does not contain passwords or authentication tokens. It might contain usernames, but we agreed that we have to live with that, because usernames are going to be shown in the UIs in order to differentiate the accounts.