Blob Blame History Raw
#DESC Tmpreaper - Monitor and maintain temporary files
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: tmpreaper
#

#################################
#
# Rules for the tmpreaper_t domain.
#
type tmpreaper_t, domain, privlog;
type tmpreaper_exec_t, file_type, sysadmfile, exec_type;

role system_r types tmpreaper_t;

system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
uses_shlib(tmpreaper_t)
# why does it need setattr?
allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir };
allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };
allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
allow tmpreaper_t self:process { fork sigchld };
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
allow tmpreaper_t fs_t:filesystem getattr;

r_dir_file(tmpreaper_t, etc_t)
allow tmpreaper_t var_t:dir { getattr search };
r_dir_file(tmpreaper_t, var_lib_t)
allow tmpreaper_t device_t:dir { getattr search };
allow tmpreaper_t urandom_device_t:chr_file { getattr read };

read_locale(tmpreaper_t)