  include <abstractions/authentication>
  include <abstractions/wutmp>

  # Linux capabilities the confined process may exercise. A capability only
  # lifts the kernel's own privilege/DAC check; file access is still mediated
  # by the path rules of the profile.
  # CAP_KILL: signal processes regardless of the owning UID.
  capability kill,
  # CAP_CHOWN: make arbitrary changes to file owner and group.
  capability chown,
  # CAP_SYS_CHROOT: call chroot(2).
  capability sys_chroot,
  # CAP_DAC_READ_SEARCH: bypass file read and directory read/search checks.
  capability dac_read_search,
  # CAP_DAC_OVERRIDE: bypass file read, write and execute permission checks.
  # NOTE(review): this is the broadest grant in the list; with it, the path
  # rules are the only remaining limit on which files can be written, so keep
  # the write globs in this profile as narrow as possible.
  capability dac_override,

  # Write-only access to /tmp/ssh-<anything>/ directories and to entries named
  # agent.<digit><anything> directly inside them; no read access is granted.
  # Presumably the forwarded ssh-agent socket and its directory - confirm.
  # In AppArmor globbing '*' does not cross '/', and "[0-9]*" means one digit
  # followed by any characters, not "digits only".
  # NOTE(review): the glob matches every /tmp/ssh-* directory regardless of
  # owner; verify that this is acceptable given the capabilities granted above.
  /tmp/ssh-*/ w,
  /tmp/ssh-*/agent.[0-9]* w,

  # TODO: move these rules into abstractions/wutmp so that every profile
  # using that abstraction gets them.
  # List the wtmpdb directory; read, write, link (l) and lock (k) wtmp.db and
  # its wtmp.db-journal sibling (the brace alternation expands to both names).
  # Presumably the login-accounting database and its journal - confirm.
  /var/lib/wtmpdb/ r,
  /var/lib/wtmpdb/wtmp.db{,-journal} rwlk,
  #/TODO

  # Read-only access to each user's authorized_keys; @{HOME} is a tunable that
  # expands to the configured home directory locations.
  # NOTE(review): only this exact file name is matched. If the service is
  # configured to look for keys elsewhere (another file name or a path outside
  # the home directory), that location needs its own rule - confirm against
  # the service configuration.
  @{HOME}/.ssh/authorized_keys r,

  # System-wide environment file, read-only.
  /etc/environment r,

  # Resource-limit configuration, read-only: the directory listing plus the
  # files directly inside limits.d ('*' does not descend into subdirectories).
  # NOTE(review): pam_limits conventionally reads /etc/security/limits.conf;
  # confirm that the extension-less path below is intended and that
  # limits.conf is covered elsewhere (e.g. by an included abstraction).
  /etc/security/limits r,
  /etc/security/limits.d/ r,
  /etc/security/limits.d/* r,

  # Directory listing only; entries inside /run/systemd/userdb/ are not
  # covered by this rule.
  /run/systemd/userdb/ r,

  # Read-only access to nscd files: anything in /run/nscd/ whose name starts
  # with "db", and the passwd and group files under /var/lib/nscd/.
  # Presumably the name-service cache maps - confirm.
  /run/nscd/db* r,
  /var/lib/nscd/{passwd,group} r,

  # Message-of-the-day sources, read-only: /etc/motd itself, and the motd.d
  # directories under both /etc and /run. '**' matches across '/', so files in
  # nested subdirectories of motd.d are readable as well.
  /etc/motd r,
  /{etc,run}/motd.d/ r,
  /{etc,run}/motd.d/** r,

  # Per-boot identifier exposed by the kernel, read-only.
  /proc/sys/kernel/random/boot_id r,

  # Persistent machine identifier, read-only.
  /etc/machine-id r,

  # Per-process /proc entries. @{pid} is a tunable that matches any numeric
  # PID, so these rules are not restricted to the process's own /proc entry.
  # uid_map: user-namespace UID mapping, read-only.
  /proc/@{pid}/uid_map r,
  # loginuid: the audit login UID; write access allows setting it.
  # Presumably needed for pam_loginuid at session start - confirm.
  /proc/@{pid}/loginuid rw,
  # fd/: listing of open file descriptors, read-only.
  /proc/@{pid}/fd/ r,

  # Pseudo-terminal multiplexer; opening it read/write allocates a new pty
  # pair. This rule covers only the multiplexer device, not /dev/pts/ entries.
  /dev/ptmx rw,