Diffstat (limited to 'tmpfiles.d')
-rw-r--r--tmpfiles.d/README8
-rw-r--r--tmpfiles.d/credstore.conf13
-rw-r--r--tmpfiles.d/etc.conf.in21
-rw-r--r--tmpfiles.d/home.conf11
-rw-r--r--tmpfiles.d/journal-nocow.conf27
-rw-r--r--tmpfiles.d/legacy.conf.in30
-rw-r--r--tmpfiles.d/meson.build58
-rw-r--r--tmpfiles.d/portables.conf4
-rw-r--r--tmpfiles.d/provision.conf22
-rw-r--r--tmpfiles.d/static-nodes-permissions.conf.in20
-rw-r--r--tmpfiles.d/systemd-network.conf13
-rw-r--r--tmpfiles.d/systemd-nologin.conf10
-rw-r--r--tmpfiles.d/systemd-nspawn.conf23
-rw-r--r--tmpfiles.d/systemd-pstore.conf34
-rw-r--r--tmpfiles.d/systemd-resolve.conf10
-rw-r--r--tmpfiles.d/systemd-tmp.conf23
-rw-r--r--tmpfiles.d/systemd.conf.in76
-rw-r--r--tmpfiles.d/tmp.conf12
-rw-r--r--tmpfiles.d/var.conf.in25
-rw-r--r--tmpfiles.d/x11.conf18
20 files changed, 458 insertions, 0 deletions
diff --git a/tmpfiles.d/README b/tmpfiles.d/README
new file mode 100644
index 0000000..b42cec2
--- /dev/null
+++ b/tmpfiles.d/README
@@ -0,0 +1,8 @@
+Files in this directory contain configuration for systemd-tmpfiles, a program
+to create, delete, and clean up volatile and temporary files and directories.
+
+See man:tmpfiles.d(5) for explanation of the configuration file format, and
+man:systemd-tmpfiles(8) for a description of when and how this configuration is
+applied.
+
+Use 'systemd-analyze cat-config tmpfiles.d' to display the effective config.
diff --git a/tmpfiles.d/credstore.conf b/tmpfiles.d/credstore.conf
new file mode 100644
index 0000000..de250f7
--- /dev/null
+++ b/tmpfiles.d/credstore.conf
@@ -0,0 +1,13 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+d /etc/credstore 0700 root root
+d /etc/credstore.encrypted 0700 root root
+z /run/credstore 0700 root root
+z /run/credstore.encrypted 0700 root root
diff --git a/tmpfiles.d/etc.conf.in b/tmpfiles.d/etc.conf.in
new file mode 100644
index 0000000..e54d3b1
--- /dev/null
+++ b/tmpfiles.d/etc.conf.in
@@ -0,0 +1,21 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+L /etc/os-release - - - - ../usr/lib/os-release
+L+ /etc/mtab - - - - ../proc/self/mounts
+{% if HAVE_SMACK_RUN_LABEL %}
+t /etc/mtab - - - - security.SMACK64=_
+{% endif %}
+C! /etc/locale.conf - - - -
+C! /etc/nsswitch.conf - - - -
+C! /etc/vconsole.conf - - - -
+{% if HAVE_PAM %}
+C! /etc/pam.d - - - -
+{% endif %}
+C! /etc/issue - - - -
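Review bot: `L+ /etc/mtab - - - - ../proc/self/mounts` uses the `+` suffix, so an existing regular file at /etc/mtab is removed and replaced, while the `L /etc/os-release` line above it leaves an existing target alone, and nothing in the file says why the two differ. A comment such as `# /etc/mtab must always be the kernel mount table; '+' replaces a stale regular file if one is present` would make the intent reviewable. The `C!` lines copy factory defaults only at boot and only when the destination is absent, which is also worth one sentence, since an operator who deletes /etc/nsswitch.conf will see it reappear on the next boot.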
diff --git a/tmpfiles.d/home.conf b/tmpfiles.d/home.conf
new file mode 100644
index 0000000..9f25b83
--- /dev/null
+++ b/tmpfiles.d/home.conf
@@ -0,0 +1,11 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+Q /home 0755 - - -
+q /srv 0755 - - -
diff --git a/tmpfiles.d/journal-nocow.conf b/tmpfiles.d/journal-nocow.conf
new file mode 100644
index 0000000..e32a388
--- /dev/null
+++ b/tmpfiles.d/journal-nocow.conf
@@ -0,0 +1,27 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+# Set the NOCOW attribute for directories of journal files. This flag
+# is inherited by their new files and sub-directories. Matters only
+# for btrfs filesystems.
+#
+# WARNING: Enabling the NOCOW attribute improves journal performance
+# substantially, but also disables the btrfs checksum logic. In
+# btrfs RAID filesystems the checksums are needed for rebuilding
+# corrupted files. Without checksums such rebuilds are not
+# possible.
+#
+# In a single-disk filesystem (or a filesystem without redundancy)
+# enabling the NOCOW attribute for journal files is safe, because
+# they have their own checksums and a rebuilding wouldn't be possible
+# in any case.
+
+h /var/log/journal - - - - +C
+h /var/log/journal/%m - - - - +C
+h /var/log/journal/remote - - - - +C
diff --git a/tmpfiles.d/legacy.conf.in b/tmpfiles.d/legacy.conf.in
new file mode 100644
index 0000000..4f2c0d7
--- /dev/null
+++ b/tmpfiles.d/legacy.conf.in
@@ -0,0 +1,30 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+# These files are considered legacy and are unnecessary on legacy-free
+# systems.
+
+d /run/lock 0755 root root -
+L /var/lock - - - - ../run/lock
+{% if CREATE_LOG_DIRS %}
+L /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
+{% endif %}
+
+# /run/lock/subsys is used for serializing SysV service execution, and
+# hence without use on SysV-less systems.
+
+d /run/lock/subsys 0755 root root -
+
+# /forcefsck, /fastboot and /forcequotacheck are deprecated in favor of the
+# kernel command line options 'fsck.mode=force', 'fsck.mode=skip' and
+# 'quotacheck.mode=force'
+
+r! /forcefsck
+r! /fastboot
+r! /forcequotacheck
diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build
new file mode 100644
index 0000000..4c11ad6
--- /dev/null
+++ b/tmpfiles.d/meson.build
@@ -0,0 +1,58 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+enable_tmpfiles = conf.get('ENABLE_TMPFILES') == 1
+
+files = [['README', ''],
+ ['home.conf', ''],
+ ['journal-nocow.conf', ''],
+ ['portables.conf', 'ENABLE_PORTABLED'],
+ ['systemd-network.conf', 'ENABLE_NETWORKD'],
+ ['systemd-nologin.conf', 'HAVE_PAM'],
+ ['systemd-nspawn.conf', 'ENABLE_MACHINED'],
+ ['systemd-pstore.conf', 'ENABLE_PSTORE'],
+ ['systemd-resolve.conf', 'ENABLE_RESOLVE'],
+ ['systemd-tmp.conf', ''],
+ ['tmp.conf', ''],
+ ['x11.conf', ''],
+ ['provision.conf', ''],
+ ['credstore.conf', ''],
+ ]
+
+foreach pair : files
+ if not enable_tmpfiles
+ # do nothing
+ elif pair[1] == '' or conf.get(pair[1]) == 1
+ install_data(pair[0], install_dir : tmpfilesdir)
+ else
+ message('Not installing tmpfiles.d/@0@ because @1@ is @2@'
+ .format(pair[0], pair[1], conf.get(pair[1], 0)))
+ endif
+endforeach
+
+in_files = [['etc.conf', ''],
+ ['legacy.conf', 'HAVE_SYSV_COMPAT'],
+ ['static-nodes-permissions.conf', ''],
+ ['systemd.conf', ''],
+ ['var.conf', ''],
+ ]
+
+foreach pair : in_files
+ if not enable_tmpfiles
+ # do nothing
+ elif pair[1] == '' or conf.get(pair[1]) == 1
+ custom_target(
+ pair[0],
+ input : pair[0] + '.in',
+ output: pair[0],
+ command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
+ install : enable_tmpfiles,
+ install_dir : tmpfilesdir)
+ else
+ message('Not installing tmpfiles.d/@0@ because @1@ is @2@'
+ .format(pair[0], pair[1], conf.get(pair[1], 0)))
+ endif
+endforeach
+
+if enable_tmpfiles and install_sysconfdir
+ install_emptydir(sysconfdir / 'tmpfiles.d')
+endif
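Review bot: `install : enable_tmpfiles` on the custom_target is dead logic, because that branch is only reached after `if not enable_tmpfiles` has already been excluded; `install : true` says the same thing without sending the reader back to the guard. The two `message(...)` calls are identical and the two loops differ only in whether a `.in` suffix needs jinja2 processing, so a single loop keyed on the suffix would stop them drifting apart. Finally, `files` is alphabetical up to `x11.conf` and then appends `provision.conf` and `credstore.conf`; sorting the list keeps later additions unambiguous.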
diff --git a/tmpfiles.d/portables.conf b/tmpfiles.d/portables.conf
new file mode 100644
index 0000000..3fd0c7d
--- /dev/null
+++ b/tmpfiles.d/portables.conf
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# See tmpfiles.d(5) for details
+
+Q /var/lib/portables 0700
diff --git a/tmpfiles.d/provision.conf b/tmpfiles.d/provision.conf
new file mode 100644
index 0000000..093104a
--- /dev/null
+++ b/tmpfiles.d/provision.conf
@@ -0,0 +1,22 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+# Provision additional login messages from credentials, if they are set. Note
+# that these lines are NOPs if the credentials are not set or if the files
+# already exist.
+f^ /etc/motd.d/50-provision.conf - - - - login.motd
+f^ /etc/issue.d/50-provision.conf - - - - login.issue
+
+# Provision a /etc/hosts file from credentials.
+f^ /etc/hosts - - - - network.hosts
+
+# Provision SSH key for root
+d- /root :0700 root :root -
+d- /root/.ssh :0700 root :root -
+f^ /root/.ssh/authorized_keys :0600 root :root - ssh.authorized_keys.root
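Review bot: The comment above the last block says only `# Provision SSH key for root`, but whoever can supply the `ssh.authorized_keys.root` credential thereby controls root login over SSH, and nothing here records where that credential is trusted from. Suggest `# Provision SSH key for root from the ssh.authorized_keys.root credential. This is a privileged input: it is presumably only honoured from the system credential store (see systemd.system-credentials(7)), and only while the file does not exist yet.` The same caveat applies to `network.hosts`, which controls local name resolution for every service. It is also worth stating that these `f^` lines never overwrite an existing file, so a hand-maintained authorized_keys is left untouched.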
diff --git a/tmpfiles.d/static-nodes-permissions.conf.in b/tmpfiles.d/static-nodes-permissions.conf.in
new file mode 100644
index 0000000..df1fe2e
--- /dev/null
+++ b/tmpfiles.d/static-nodes-permissions.conf.in
@@ -0,0 +1,20 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# This file adds permissions on top of static-nodes.conf generated by
+# kmod-static-nodes.service. Rules specified here should match the
+# permissions specified for udev in 50-udev-default.rules.
+
+z /dev/snd/seq 0660 - audio -
+z /dev/snd/timer 0660 - audio -
+z /dev/loop-control 0660 - disk -
+z /dev/net/tun 0666 - - -
+z /dev/fuse 0666 - - -
+z /dev/vfio/vfio 0666 - - -
+z /dev/kvm {{DEV_KVM_MODE}} - kvm -
+z /dev/vhost-net {{DEV_KVM_MODE}} - kvm -
+z /dev/vhost-vsock {{DEV_KVM_MODE}} - kvm -
diff --git a/tmpfiles.d/systemd-network.conf b/tmpfiles.d/systemd-network.conf
new file mode 100644
index 0000000..b30bc91
--- /dev/null
+++ b/tmpfiles.d/systemd-network.conf
@@ -0,0 +1,13 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+d /run/systemd/netif 0755 systemd-network systemd-network -
+d /run/systemd/netif/links 0755 systemd-network systemd-network -
+d /run/systemd/netif/leases 0755 systemd-network systemd-network -
+d /run/systemd/netif/lldp 0755 systemd-network systemd-network -
diff --git a/tmpfiles.d/systemd-nologin.conf b/tmpfiles.d/systemd-nologin.conf
new file mode 100644
index 0000000..e1efc73
--- /dev/null
+++ b/tmpfiles.d/systemd-nologin.conf
@@ -0,0 +1,10 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5), systemd-user-sessions.service(8) and pam_nologin(8).
+
+f+! /run/nologin 0644 - - - "System is booting up. Unprivileged users are not permitted to log in yet. Please come back later. For technical details, see pam_nologin(8)."
diff --git a/tmpfiles.d/systemd-nspawn.conf b/tmpfiles.d/systemd-nspawn.conf
new file mode 100644
index 0000000..78bd1c6
--- /dev/null
+++ b/tmpfiles.d/systemd-nspawn.conf
@@ -0,0 +1,23 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+Q /var/lib/machines 0700 - - -
+
+# Remove old temporary snapshots, but only at boot. Ideally we'd have
+# "self-destroying" btrfs snapshots that go away if the last
+# reference to it does. To mimic a scheme like this at least remove
+# the old snapshots on fresh boots, where we know they cannot be
+# referenced anymore. Note that we actually remove all temporary files
+# in /var/lib/machines/ at boot, which should be safe since the
+# directory has defined semantics. In the root directory (where
+# systemd-nspawn --ephemeral places snapshots) we are more strict, to
+# avoid removing unrelated temporary files.
+
+R! /var/lib/machines/.#*
+R! /.#machine.*
diff --git a/tmpfiles.d/systemd-pstore.conf b/tmpfiles.d/systemd-pstore.conf
new file mode 100644
index 0000000..9425169
--- /dev/null
+++ b/tmpfiles.d/systemd-pstore.conf
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# The systemd-pstore.service(1) archives the contents of /sys/fs/pstore
+# upon boot so that there is room for a subsequent dump. This service
+# is enabled with:
+# systemctl enable systemd-pstore
+#
+# With the service enabled, the kernel still needs to be configured
+# to write data into the pstore. The kernel has two parameters,
+# crash_kexec_post_notifiers and printk.always_kmsg_dump, that
+# control writes into pstore.
+#
+# The crash_kexec_post_notifiers parameter enables the kernel to write
+# dmesg (including stack trace) into pstore upon a panic even if kdump
+# is loaded, only needed if you want to use pstore with kdump. Without
+# this parameter, kdump could block writing to pstore for stability
+# reason. Note this increases the risk of kdump failure even if pstore
+# is not available.
+#
+# The printk.always_kmsg_dump parameter enables the kernel to write dmesg
+# upon a normal shutdown (shutdown, reboot, halt).
+#
+# To configure the kernel parameters, uncomment the appropriate
+# lines below. The value written is either 'Y' to enable the
+# kernel parameter, or 'N' to disable the kernel parameter.
+#
+# After making a change to this file, do:
+# systemd-tmpfiles --create path/to/tmpfiles.d/systemd-pstore.conf
+#
+# These changes are automatically applied on future re-boots.
+
+d /var/lib/systemd/pstore 0755 root root 14d
+#w- /sys/module/printk/parameters/always_kmsg_dump - - - - Y
+#w- /sys/module/kernel/parameters/crash_kexec_post_notifiers - - - - Y
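Review bot: The reference `systemd-pstore.service(1)` on the third line points at the wrong manual section; the service page is in section 8, so it should read `systemd-pstore.service(8)`. Beyond that, `d /var/lib/systemd/pstore 0755 root root 14d` keeps archived dmesg dumps for two weeks in a world-traversable directory, and whether their contents are readable by unprivileged users then depends on the mode systemd-pstore gives the files, which this line does not control. A one-line comment stating that assumption, e.g. `# 0755 is deliberate: per-file read protection is left to systemd-pstore; archives are pruned after 14 days`, would make the mode look chosen rather than defaulted.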
diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf
new file mode 100644
index 0000000..cb1c56d
--- /dev/null
+++ b/tmpfiles.d/systemd-resolve.conf
@@ -0,0 +1,10 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
diff --git a/tmpfiles.d/systemd-tmp.conf b/tmpfiles.d/systemd-tmp.conf
new file mode 100644
index 0000000..d47d468
--- /dev/null
+++ b/tmpfiles.d/systemd-tmp.conf
@@ -0,0 +1,23 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+# Exclude namespace mountpoints created with PrivateTmp=yes
+x /tmp/systemd-private-%b-*
+X /tmp/systemd-private-%b-*/tmp
+x /var/tmp/systemd-private-%b-*
+X /var/tmp/systemd-private-%b-*/tmp
+
+# Remove top-level private temporary directories on each boot
+R! /tmp/systemd-private-*
+R! /var/tmp/systemd-private-*
+
+# Handle lost systemd-coredump temp files. They could be lost on old filesystems,
+# for example, after hard reboot.
+x /var/lib/systemd/coredump/.#core*.%b*
+r! /var/lib/systemd/coredump/.#*
diff --git a/tmpfiles.d/systemd.conf.in b/tmpfiles.d/systemd.conf.in
new file mode 100644
index 0000000..11a45a3
--- /dev/null
+++ b/tmpfiles.d/systemd.conf.in
@@ -0,0 +1,76 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+d /run/user 0755 root root -
+{% if ENABLE_UTMP %}
+F! /run/utmp 0664 root utmp -
+{% endif %}
+
+d /run/systemd/ask-password 0755 root root -
+d /run/systemd/seats 0755 root root -
+d /run/systemd/sessions 0755 root root -
+d /run/systemd/users 0755 root root -
+d /run/systemd/machines 0755 root root -
+d /run/systemd/shutdown 0755 root root -
+
+d /run/log 0755 root root -
+
+z /run/log/journal 2755 root systemd-journal - -
+Z /run/log/journal/%m ~2750 root systemd-journal - -
+{% if HAVE_ACL %}
+{% if ENABLE_ADM_GROUP and ENABLE_WHEEL_GROUP %}
+a+ /run/log/journal - - - - d:group::r-x,d:group:adm:r-x,d:group:wheel:r-x,group::r-x,group:adm:r-x,group:wheel:r-x
+a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x,group:adm:r-x,group:wheel:r-x
+a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--,group:wheel:r--
+{% elif ENABLE_ADM_GROUP %}
+a+ /run/log/journal - - - - d:group::r-x,d:group:adm:r-x,group::r-x,group:adm:r-x
+a+ /run/log/journal/%m - - - - d:group:adm:r-x,group:adm:r-x
+a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--
+{% elif ENABLE_WHEEL_GROUP %}
+a+ /run/log/journal - - - - d:group::r-x,d:group:wheel:r-x,group::r-x,group:wheel:r-x
+a+ /run/log/journal/%m - - - - d:group:wheel:r-x,group:wheel:r-x
+a+ /run/log/journal/%m/*.journal* - - - - group:wheel:r--
+{% endif %}
+{% endif %}
+
+z /var/log/journal 2755 root systemd-journal - -
+z /var/log/journal/%m 2755 root systemd-journal - -
+z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
+{% if HAVE_ACL %}
+{% if ENABLE_ADM_GROUP and ENABLE_WHEEL_GROUP %}
+a+ /var/log/journal - - - - d:group::r-x,d:group:adm:r-x,d:group:wheel:r-x,group::r-x,group:adm:r-x,group:wheel:r-x
+a+ /var/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x,group:adm:r-x,group:wheel:r-x
+a+ /var/log/journal/%m/system.journal - - - - group:adm:r--,group:wheel:r--
+{% elif ENABLE_ADM_GROUP %}
+a+ /var/log/journal - - - - d:group::r-x,d:group:adm:r-x,group::r-x,group:adm:r-x
+a+ /var/log/journal/%m - - - - d:group:adm:r-x,group:adm:r-x
+a+ /var/log/journal/%m/system.journal - - - - group:adm:r--
+{% elif ENABLE_WHEEL_GROUP %}
+a+ /var/log/journal - - - - d:group::r-x,d:group:wheel:r-x,group::r-x,group:wheel:r-x
+a+ /var/log/journal/%m - - - - d:group:wheel:r-x,group:wheel:r-x
+a+ /var/log/journal/%m/system.journal - - - - group:wheel:r--
+{% endif %}
+{% endif %}
+
+d /var/lib/systemd 0755 root root -
+d /var/lib/systemd/coredump 0755 root root 2w
+# Files and directories in /var/lib/systemd/ephemeral-trees are locked by pid 1 to prevent tmpfiles from
+# removing them, and tmpfiles is told to clean up anything in /var/lib/systemd/ephemeral-trees that isn't
+# locked unconditionally.
+d /var/lib/systemd/ephemeral-trees 0755 root root 0
+
+d /var/lib/private 0700 root root -
+d /var/log/private 0700 root root -
+d /var/cache/private 0700 root root -
+
+{% if ENABLE_EFI %}
+# Copy sd-stub provided PCR signature and public key file from initrd into /run/, so that it will survive the initrd stage
+C /run/systemd/tpm2-pcr-signature.json 0444 root root - /.extra/tpm2-pcr-signature.json
+C /run/systemd/tpm2-pcr-public-key.pem 0444 root root - /.extra/tpm2-pcr-public-key.pem
+{% endif %}
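Review bot: The two `{% if HAVE_ACL %}` blocks for /run/log/journal and /var/log/journal are copies of each other differing only in the path prefix and the `%m/*.journal*` versus `%m/system.journal` pattern, which is exactly the duplication that lets read-access grants for the volatile and persistent journals drift apart. A jinja2 macro taking the prefix and the file pattern, expanded twice, would keep a single source of truth for which groups receive read access. Separately, `d /var/lib/systemd/coredump 0755 root root 2w` has no comment; a line noting that per-file read protection is presumably left to systemd-coredump and not enforced by this directory mode would make the 0755 look deliberate.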
diff --git a/tmpfiles.d/tmp.conf b/tmpfiles.d/tmp.conf
new file mode 100644
index 0000000..fe5225d
--- /dev/null
+++ b/tmpfiles.d/tmp.conf
@@ -0,0 +1,12 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+# Clear tmp directories separately, to make them easier to override
+q /tmp 1777 root root 10d
+q /var/tmp 1777 root root 30d
diff --git a/tmpfiles.d/var.conf.in b/tmpfiles.d/var.conf.in
new file mode 100644
index 0000000..557dd20
--- /dev/null
+++ b/tmpfiles.d/var.conf.in
@@ -0,0 +1,25 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+q /var 0755 - - -
+
+L /var/run - - - - ../run
+
+d /var/log 0755 - - -
+{% if ENABLE_UTMP %}
+f /var/log/wtmp 0664 root utmp -
+f /var/log/btmp 0660 root utmp -
+f /var/log/lastlog 0664 root utmp -
+{% endif %}
+
+d /var/cache 0755 - - -
+
+d /var/lib 0755 - - -
+
+d /var/spool 0755 - - -
diff --git a/tmpfiles.d/x11.conf b/tmpfiles.d/x11.conf
new file mode 100644
index 0000000..ef0b11d
--- /dev/null
+++ b/tmpfiles.d/x11.conf
@@ -0,0 +1,18 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+# Make sure these are created by default so that nobody else can
+# or empty them at startup
+D! /tmp/.X11-unix 1777 root root 10d
+D! /tmp/.ICE-unix 1777 root root 10d
+D! /tmp/.XIM-unix 1777 root root 10d
+D! /tmp/.font-unix 1777 root root 10d
+
+# Unlink the X11 lock files
+r! /tmp/.X[0-9]*-lock
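Review bot: The rationale comment `# Make sure these are created by default so that nobody else can` / `# or empty them at startup` is missing a clause and reads as two half-sentences, so the reason for creating these directories as root with `D!` is never actually stated. A clearer form would be `# Create these as root at boot (D! also empties them), so that no unprivileged user can create them first and end up owning the socket directories`. That reading is inferred from the `1777 root root` fields; confirm the wording with the original author before committing it.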