#include <tunables/global>

/usr/lib/security-misc/pam_tally2-info flags=(attach_disconnected) {
  #include <abstractions/bash>

  capability dac_override,
  capability dac_read_search,

  /bin/bash ix,
  /bin/cat mrix,
  /bin/grep mrix,
  /usr/bin/cut mrix,
  /usr/bin/tail mrix,
  /sbin/pam_tally2 mrix,
  /usr/lib/security-misc/pam_tally2-info r,

  /etc/ld.so.cache r,
  /etc/locale.alias r,

  /{usr/,}lib{,32,64}/** mr,

  owner /etc/nsswitch.conf r,
  owner /etc/pam.d/* r,
  owner /etc/passwd r,

  owner /usr/share/zoneinfo/** r,
  owner /var/log/tallylog rw,

  /dev/tty rw,
  owner /dev/pts/[0-9]* rw,
  
  #include <local/usr.lib.security-misc.pam_tally2-info>
}