# Copyright (C) 2005 Tresys Technology, LLC

policy_module(authlogin,1.0)

########################################
#
# Declarations
#
type chkpwd_exec_t;
authlogin_per_userdomain_template(system)
domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)

type faillog_t;
logging_make_log_file(faillog_t)

type lastlog_t;
logging_make_log_file(lastlog_t)

type login_exec_t;
files_make_file(login_exec_t)

type pam_t;
domain_make_domain(pam_t)

type pam_tmp_t;
files_make_file(pam_tmp_t)

type pam_var_console_t;
files_make_file(pam_var_console_t)

type pam_var_run_t;
files_make_file(pam_var_run_t)

type shadow_t;
files_make_file(shadow_t)
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file write;

type utempter_t;
domain_make_domain(utempter_t)

type utempter_exec_t;
domain_make_entrypoint_file(utempter_t,utempter_exec_t)

type wtmp_t;
logging_make_log_file(wtmp_t)

########################################
#
# Local policy
#
#dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
#dontaudit system_chkpwd_t privfd:fd use;