From Debian package 0.2.20100524-2
* Include tmpreaper in the base policy, because mountnfs-bootclean.sh and
mountall-bootclean.sh need to run as tmpreaper_t.
* Added a new mcsdeleteall attribute for tmpreaper_t so that it can
delete files and directories regardless of mcs level.
I don't see why the tmpreaper part is necessary - initrc_t already has lots of
privileges; shouldn't we be adding mcsdeleteall to initrc_t?
Index: policy/modules/admin/tmpreaper.fc
===================================================================
--- policy/modules/admin/tmpreaper.fc.orig
+++ policy/modules/admin/tmpreaper.fc
@@ -1,2 +1,6 @@
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+ifdef(`distro_debian', `
+/etc/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/etc/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+')
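Review bot: The two new entries escape the dot in `init\.d` but leave the one in `bootclean.sh` unescaped, so that `.` is a regex wildcard rather than a literal dot; for consistency with the escaping used on the same line, write `+/etc/init\.d/mountall-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)` and likewise `mountnfs-bootclean\.sh`. The existing `/usr/sbin/tmpreaper` and `/usr/sbin/tmpwatch` lines contain no dots, so they give no precedent either way.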
Index: policy/modules/admin/tmpreaper.te
===================================================================
--- policy/modules/admin/tmpreaper.te.orig
+++ policy/modules/admin/tmpreaper.te
@@ -30,8 +30,7 @@
files_getattr_all_dirs(tmpreaper_t)
files_getattr_all_files(tmpreaper_t)
-mls_file_read_all_levels(tmpreaper_t)
-mls_file_write_all_levels(tmpreaper_t)
+mcs_file_delete_all(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
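Review bot: Removing `mls_file_read_all_levels(tmpreaper_t)` and `mls_file_write_all_levels(tmpreaper_t)` drops what presumably gave tmpreaper its cross-level access on an MLS-enabled build, while the `mcs_file_delete_all(tmpreaper_t)` that replaces them only attaches an attribute that the constraints in policy/mcs consult, so the two are not equivalent. Unless the MLS variant is meant to lose this, keep the two mls_ calls alongside the new one rather than replacing them. Note also that policy/mcs does not add `mcsdeleteall` to the `file { read ioctl lock execute execute_no_trans }` constraint, so if tmpreaper needs to read (not just getattr and unlink) files carrying other categories, that access still has to come from somewhere else.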
@@ -39,6 +38,7 @@
miscfiles_delete_man_pages(tmpreaper_t)
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
ifdef(`distro_redhat',`
userdom_list_user_home_content(tmpreaper_t)
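Review bot: The new `init_system_domain(tmpreaper_t, tmpreaper_exec_t)` call is unconditional, while the init-script labels it exists for are wrapped in ifdef(`distro_debian') in tmpreaper.fc, so non-Debian builds get an init-to-tmpreaper_t transition with no file it applies to; wrap the call the same way, e.g. ifdef(`distro_debian', ` / `init_system_domain(tmpreaper_t, tmpreaper_exec_t)` / `')`. Separately, nothing in this patch adds what running a shell script in tmpreaper_t needs — executing the shell interpreter and the utilities the bootclean scripts call — so unless the rest of tmpreaper.te (outside this hunk) already grants that, the boot-time run will be denied where the cron-started binary was not. A comment next to the call such as `# Debian: mountall-bootclean.sh and mountnfs-bootclean.sh run as tmpreaper_t at boot` would record the intent.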
Index: policy/modules/kernel/mcs.if
===================================================================
--- policy/modules/kernel/mcs.if.orig
+++ policy/modules/kernel/mcs.if
@@ -45,6 +45,26 @@
########################################
##
+## This domain is allowed to delete files and directories
+## regardless of their MCS category set.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+##
+#
+interface(`mcs_file_delete_all',`
+ gen_require(`
+ attribute mcsdeleteall;
+ ')
+
+ typeattribute $1 mcsdeleteall;
+')
+
+########################################
+##
## This domain is allowed to sigkill and sigstop
## all domains regardless of their MCS category set.
##
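Review bot: The summary of `mcs_file_delete_all` understates what the attribute grants: in policy/mcs `mcsdeleteall` is also added to the `dir { search read ioctl lock }` constraint and to `dir { write unlink remove_name }`, so the text should read roughly `## Allow the domain to unlink files, remove directory entries and search/read directories regardless of their MCS category set.` The parameter description `Domain target for user exemption.` reads like boilerplate; `Domain allowed access.` says what $1 is. The same applies to the comment on `attribute mcsdeleteall;` in mcs.te (`# process may delete all files and write dirs as appropriate`), which could say `# process may unlink files and remove/search dir entries regardless of category (see policy/mcs)`. If policy/mcs also constrains lnk_file, sock_file or fifo_file (not visible here), those classes get no mcsdeleteall exemption, which would leave stale sockets and symlinks with foreign categories undeletable for tmpreaper.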
Index: policy/modules/kernel/mcs.te
===================================================================
--- policy/modules/kernel/mcs.te.orig
+++ policy/modules/kernel/mcs.te
@@ -15,6 +15,9 @@
attribute mcssetlow;
# object may be accessed by any process at a higher level
attribute mcstrustedobject;
-
+# process may write all files/dirs
attribute mcswriteall;
+# process may read all files/dirs
attribute mcsreadall;
+# process may delete all files and write dirs as appropriate
+attribute mcsdeleteall;
Index: policy/mcs
===================================================================
--- policy/mcs.orig
+++ policy/mcs
@@ -71,19 +71,29 @@
mlsconstrain file { read ioctl lock execute execute_no_trans }
(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
-mlsconstrain file { write setattr append unlink link rename }
+mlsconstrain file { write setattr append link rename }
ifdef(`distro_debian', `
((( h1 dom h2 ) and (l1 domby l2)) or ( t1 == mcswriteall ) or (t2 == mcstrustedobject) or ( t2 == domain ));
', `
(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
')
+mlsconstrain file { unlink }
+ifdef(`distro_debian', `
+ ((( h1 dom h2 ) and (l1 domby l2)) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or (t2 == mcstrustedobject) or ( t2 == domain ));
+', `
+ (( h1 dom h2 ) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or ( t2 == domain ));
+')
+
mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t1 == mcsdeleteall ) or ( t2 == domain ));
-mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+mlsconstrain dir { setattr append link rename add_name }
(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+mlsconstrain dir { write unlink remove_name }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t1 == mcsdeleteall ) or ( t2 == domain ));
+
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }