# Copyright (C) 2005 Tresys Technology, LLC

# Module declaration: name authlogin, version 1.0.
policy_module(authlogin,1.0)

########################################
#
# Declarations
#

# Type for the chkpwd executable, registered through
# domain_make_entrypoint_file as an entrypoint for system_chkpwd_t.
# NOTE(review): system_chkpwd_t is not declared above this line in this file;
# presumably authlogin_per_userdomain_template(system) at the bottom declares
# it. Confirm that this ordering is accepted by the policy compiler.
type chkpwd_exec_t;
domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)

# Login record types, each set up through logging_make_log_file.
# Judging by the names these label the faillog and lastlog records - confirm
# against the file contexts.
type faillog_t;
logging_make_log_file(faillog_t)

type lastlog_t;
logging_make_log_file(lastlog_t)

# Declared here only as a plain file type (files_make_file), not as an
# entrypoint. Any domain transition for login is presumably defined elsewhere.
type login_exec_t;
files_make_file(login_exec_t)

# PAM domain plus three file types for it. The names suggest temporary,
# console and runtime state files - TODO confirm against the file contexts.
type pam_t;
domain_make_domain(pam_t)

type pam_tmp_t;
files_make_file(pam_tmp_t)

type pam_var_console_t;
files_make_file(pam_var_console_t)

type pam_var_run_t;
files_make_file(pam_var_run_t)

# shadow_t presumably labels the shadow password file. Access to it is gated
# by the two attributes below. The neverallow rules are compile-time
# assertions: the policy fails to build if any type lacking the attribute is
# granted the named permission on shadow_t files.
# NOTE(review): the assertions name only the read and write permissions on the
# file class. Other file permissions that can expose or alter the content
# (for example append, create, relabelto, relabelfrom) are not covered by
# these two rules. Consider whether they should be asserted as well, and audit
# which domains are given each attribute.
type shadow_t;
files_make_file(shadow_t)

attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;

neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file write;

# utempter domain and the executable type registered as its entrypoint.
type utempter_t;
domain_make_domain(utempter_t)

type utempter_exec_t;
domain_make_entrypoint_file(utempter_t,utempter_exec_t)

# Another log file type, set up the same way as faillog_t and lastlog_t.
type wtmp_t;
logging_make_log_file(wtmp_t)

########################################
#
# Local policy
#

# Instantiate the per-userdomain template with the prefix system. The template
# body is not visible here; it presumably creates system_chkpwd_t, which the
# entrypoint declaration and the disabled rules in this file refer to.
authlogin_per_userdomain_template(system)

# Disabled dontaudit rules. If enabled they would suppress audit records for
# denied system_chkpwd_t access to tty character devices and to file
# descriptors of privfd domains. While they stay commented out, such denials
# remain visible in the audit log.
#dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
#dontaudit system_chkpwd_t privfd:fd use;