# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2006 Volker Kuhlmann
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/4.0>,

include <tunables/global>

/usr/bin/passwd {
  include <abstractions/authentication>
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  include <abstractions/wutmp>

  capability chown,
  capability sys_resource,
  capability setuid,
  capability fsetid,

  /etc/.pwd.lock wk,
  /etc/pwdutils/logging r,
  /etc/nshadow rw,
  /etc/shadow rwl,
  /etc/shadow.old rwl,
  /etc/shadow.tmp?????? rwl,
  /etc/shadow.[0-9]* rwl,
  /etc/shadow.lock rwl,
  /etc/shadow- rw,
  /etc/shadow+ rw,

  @{PROC}/@{pid}/loginuid r,

  /usr/bin/passwd mr,
  /usr/lib/pwdutils/lib*.so* mr,
  /usr/lib64/pwdutils/lib*.so* mr,
  /usr/share/cracklib/pw_dict.hwm r,
  /usr/share/cracklib/pw_dict.pwd r,
  /usr/share/cracklib/pw_dict.pwi r,
  /etc/passwdqc.conf r,
  /opt/passwdqc/*.pwq r,
  /usr/sbin/nscd Px,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.bin.passwd>
}