########################################

#

# Declarations

#

type chkpwd_exec_t;

domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)

type faillog_t;

logging_make_log_file(faillog_t)

type lastlog_t;

logging_make_log_file(lastlog_t)

type login_exec_t;

files_make_file(login_exec_t)

type pam_t;

domain_make_domain(pam_t)

type pam_tmp_t;

files_make_file(pam_tmp_t)

type pam_var_console_t;

files_make_file(pam_var_console_t)

type pam_var_run_t;

files_make_file(pam_var_run_t)

type shadow_t;

files_make_file(shadow_t)

attribute can_read_shadow_passwords;

attribute can_write_shadow_passwords;

neverallow ~can_read_shadow_passwords shadow_t:file read;

neverallow ~can_write_shadow_passwords shadow_t:file write;

type utempter_t;

domain_make_domain(utempter_t)

type utempter_exec_t;

domain_make_entrypoint_file(utempter_t,utempter_exec_t)

type wtmp_t;

logging_make_log_file(wtmp_t)

########################################

#

# Local policy

#

authlogin_per_userdomain_template(system)

#dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;

#dontaudit system_chkpwd_t privfd:fd use;