Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp
authorDan Walsh <dwalsh@redhat.com>
Tue, 29 Nov 2011 02:57:47 +0000 (21:57 -0500)
committerDan Walsh <dwalsh@redhat.com>
Tue, 29 Nov 2011 02:57:47 +0000 (21:57 -0500)
policy/modules/system/systemd.te
policy/modules/system/userdomain.if

index ff3ce3f301b1def0997e2a67cce6ac7b4c7e41af..b7da77426a044538afa03aa214149e5a92bd4382 100644 (file)
@@ -263,6 +263,7 @@ ifdef(`distro_redhat',`
        userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
        userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
        userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
+       userdom_delete_admin_home_files(systemd_tmpfiles_t)
 ')
 
 optional_policy(`
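Review bot: The added `userdom_delete_admin_home_files(systemd_tmpfiles_t)` call is keyed on the `admin_home_t` label, not on a path, so nothing in this line limits the unlink right to files that ended up under /tmp as the commit title describes. Whether systemd_tmpfiles_t can also remove files that still live in /root depends on directory permissions granted elsewhere, which this hunk does not show; it is worth confirming the domain has no `remove_name` on `admin_home_t` directories. A comment above the line would record the intent, e.g. `# admin_home_t files moved (not copied) into /tmp keep their label; let tmpfiles clean them up`. The enclosing distro_redhat ifdef block starts outside the hunk.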
index 290f54e4b548c4d36d09ef67e6162d0a8897dd1b..b7ed01cfa15da4724e77c09176306ca4fbafe39e 100644 (file)
@@ -4170,6 +4170,25 @@ interface(`userdom_read_admin_home_files',`
        read_files_pattern($1, admin_home_t, admin_home_t)
 ')
 
+########################################
+## <summary>
+##     Delete admin home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_delete_admin_home_files',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       allow $1 admin_home_t:file delete_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Execute admin home files.
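Review bot: The summary `Delete admin home files.` does not say that the interface grants only the file-class rule `allow $1 admin_home_t:file delete_file_perms;` and no search or `remove_name` on `admin_home_t` directories, unlike a `delete_files_pattern`-style interface. A caller can therefore unlink these files only from directories it is already allowed to modify, which appears to be the intent given the commit title. I would state that in the doc block, e.g. `##     Unlink admin home files; grants no access to admin_home_t directories.`, so that later callers do not assume the interface is sufficient to clean /root itself. Symlinks, sockets and directories labelled `admin_home_t` are not covered either, if tmpfiles is expected to remove those as well.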