34 lines
1.1 KiB
Plaintext
34 lines
1.1 KiB
Plaintext
#DESC Tmpreaper - Monitor and maintain temporary files
|
|
#
|
|
# Author: Russell Coker <russell@coker.com.au>
|
|
# X-Debian-Packages: tmpreaper
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the tmpreaper_t domain.
|
|
#
|
|
type tmpreaper_t, domain, privlog;
|
|
type tmpreaper_exec_t, file_type, sysadmfile, exec_type;
|
|
|
|
role system_r types tmpreaper_t;
|
|
|
|
system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
|
|
uses_shlib(tmpreaper_t)
|
|
# why does it need setattr?
|
|
allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir };
|
|
allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink };
|
|
allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
|
|
allow tmpreaper_t self:process { fork sigchld };
|
|
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
|
|
allow tmpreaper_t fs_t:filesystem getattr;
|
|
|
|
r_dir_file(tmpreaper_t, etc_t)
|
|
allow tmpreaper_t var_t:dir { getattr search };
|
|
r_dir_file(tmpreaper_t, var_lib_t)
|
|
allow tmpreaper_t device_t:dir { getattr search };
|
|
allow tmpreaper_t urandom_device_t:chr_file { getattr read };
|
|
|
|
read_locale(tmpreaper_t)
|
|
|