policy_module(tmpfiles, 1.0.0)

########################################
#
# Declarations
#

## <desc>
##      <p>
##      Determine whether tmpfiles can manage
##      all non-security sensitive resources.
##	Without this, it is only allowed rights towards
##	/run, /tmp, /dev and /var/lock.
##      </p>
## </desc>
# Enabled by default on Gentoo to fix https://bugs.gentoo.org/667122
gen_tunable(tmpfiles_manage_all_non_security, true)

type tmpfiles_t;
type tmpfiles_exec_t;
init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)

type tmpfiles_conf_t;
files_config_file(tmpfiles_conf_t)

type tmpfiles_var_run_t;
files_pid_file(tmpfiles_var_run_t)


########################################
#
# Local policy
#

allow tmpfiles_t self:capability { mknod chown fowner fsetid };
allow tmpfiles_t self:process { getsched setfscreate };
allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
allow tmpfiles_t self:unix_dgram_socket create_socket_perms;

allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans;

list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)

manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)

corecmd_exec_bin(tmpfiles_t)
corecmd_exec_shell(tmpfiles_t)

dev_create_all_blk_files(tmpfiles_t)
dev_create_all_chr_files(tmpfiles_t)
dev_getattr_all_blk_files(tmpfiles_t)
dev_getattr_generic_blk_files(tmpfiles_t)
dev_getattr_generic_chr_files(tmpfiles_t)
dev_relabel_all_dev_nodes(tmpfiles_t)
dev_relabel_generic_dev_dirs(tmpfiles_t)
dev_relabelfrom_generic_chr_files(tmpfiles_t)
dev_setattr_all_blk_files(tmpfiles_t)
dev_setattr_all_chr_files(tmpfiles_t)
dev_setattr_generic_dirs(tmpfiles_t)

files_manage_all_pids(tmpfiles_t)
files_manage_generic_locks(tmpfiles_t)
files_manage_generic_tmp_dirs(tmpfiles_t)
files_manage_generic_tmp_files(tmpfiles_t)
files_manage_var_dirs(tmpfiles_t)
files_manage_var_files(tmpfiles_t)
files_relabel_all_lock_dirs(tmpfiles_t)
files_relabel_all_pidfiles(tmpfiles_t)
files_relabel_all_tmp_dirs(tmpfiles_t)
files_relabel_all_tmp_files(tmpfiles_t)
files_setattr_all_tmp_dirs(tmpfiles_t)
files_setattr_lock_dirs(tmpfiles_t)
files_setattr_pid_dirs(tmpfiles_t)

fs_getattr_all_fs(tmpfiles_t)
fs_getattr_tmpfs_dirs(tmpfiles_t)
fs_manage_cgroup_files(tmpfiles_t)

selinux_get_enforce_mode(tmpfiles_t)

auth_use_nsswitch(tmpfiles_t)

init_exec_rc(tmpfiles_t)

miscfiles_read_localization(tmpfiles_t)

seutil_exec_setfiles(tmpfiles_t)
seutil_libselinux_linked(tmpfiles_t)
seutil_read_file_contexts(tmpfiles_t)

ifdef(`distro_gentoo',`
	dev_create_generic_dirs(tmpfiles_t)
	# Early at boot, access /dev/console and /dev/tty which is device_t due to kernel-provided devtmpfs
	dev_rw_generic_chr_files(tmpfiles_t)
	dev_create_generic_chr_files(tmpfiles_t)
	dev_create_generic_blk_files(tmpfiles_t)

	init_relabelto_script_state(tmpfiles_t)
')

tunable_policy(`tmpfiles_manage_all_non_security',`
	files_manage_all_non_security_file_types(tmpfiles_t)
	files_manage_non_security_dirs(tmpfiles_t)
	files_relabel_all_non_security_file_types(tmpfiles_t)
')