/*
 * Domain and Type Enforcement policy with two file types and two process
 * domains. Only passwd_d is granted any access to passwd_t, the type
 * assigned to /etc/passwd and /etc/shadow at the bottom of this file.
 * Access letters are presumably c=create, d=directory descend, r=read,
 * w=write, x=execute -- confirm against the DTE implementation in use.
 */
type unprotected_t, passwd_t;

/*
 * Default domain, entered through /sbin/init. It has cdrwx on
 * unprotected_t and may exec into passwd_d; it lists no access to passwd_t.
 * NOTE(review): as written this domain cannot even read passwd_t objects,
 * so lookups against /etc/passwd from ordinary processes would be denied.
 * Confirm that is intended, or grant read-only access here.
 */
domain unprotected_d = (/sbin/init),

        (cdrwx->unprotected_t),

        (exec->passwd_d);



/*
 * Restricted domain whose only entry point is /usr/bin/passwd; it has crw
 * on passwd_t and nothing else.
 * NOTE(review): no access to unprotected_t is listed, so anything the
 * passwd binary needs outside passwd_t (libraries, temporary files in /etc)
 * is not covered by this domain -- verify against the target system.
 * NOTE(review): if passwd updates by writing a new file and renaming it,
 * check which type the new file receives under the assign rules below.
 */
domain passwd_d = (/usr/bin/passwd),

        (crw->passwd_t);



/* The system starts in the unprotected domain. */
initial_domain = unprotected_d;

/*
 * Type bindings: "/" is assigned unprotected_t with -r (presumably
 * recursive, covering the whole tree), and the two password databases are
 * then assigned passwd_t by explicit path.
 */
assign -r unprotected_t /;
assign passwd_t /etc/passwd;
assign passwd_t /etc/shadow;