#DESC Tmpreaper - Monitor and maintain temporary files

#

# Author:  Russell Coker <russell@coker.com.au>

# X-Debian-Packages: tmpreaper

#

#################################

#

# Rules for the tmpreaper_t domain.

#

type tmpreaper_t, domain, privlog;

type tmpreaper_exec_t, file_type, sysadmfile, exec_type;

role system_r types tmpreaper_t;

system_crond_entry(tmpreaper_exec_t, tmpreaper_t)

uses_shlib(tmpreaper_t)

# why does it need setattr?

allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir };

allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };

allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };

allow tmpreaper_t self:process { fork sigchld };

allow tmpreaper_t self:capability { dac_override dac_read_search fowner };

allow tmpreaper_t fs_t:filesystem getattr;

r_dir_file(tmpreaper_t, etc_t)

allow tmpreaper_t var_t:dir { getattr search };

r_dir_file(tmpreaper_t, var_lib_t)

allow tmpreaper_t device_t:dir { getattr search };

allow tmpreaper_t urandom_device_t:chr_file { getattr read };

read_locale(tmpreaper_t)