I had the same problems due to tpm2-tss-fapi.conf's a+ directives, which tmpfiles.sh doesn't handle. I made the following patch to add that functionality:
@ @ -149,6 +149,18 @ @ createpipe() {
dryrun_or_real chmod $mode "$path"
}
+_a() {
+ # Set/Add POSIX ACLs (access control lists)
+ local path=$1 mode=$2 uid=$3 gid=$4 age=$5 arg=$6 add=$7
+ if [ -e "$path" ]; then
+ if [ "$add" = 1 ]; then
+ setfacl --modify=$arg $path
+ else
+ setfacl --set=$arg $path
+ fi
+ fi
+}
+
_b() {
# Create a block device node if it doesn't exist yet
local path=$1 mode=$2 uid=$3 gid=$4 age=$5 arg=$6
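Review bot: Both setfacl calls in _a() expand $arg and $path unquoted and run directly rather than through dryrun_or_real, unlike the chmod call in the context just above. Quote both and use the wrapper, for example `dryrun_or_real setfacl --modify="$arg" "$path"`, so a path containing whitespace or glob characters is not split and a dry run does not change ACLs. The function also returns silently when the path does not exist, and the mode, uid, gid and age locals are unused; a one-line comment saying that this is intended would help the next reader.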
@ @ -527,7 +539,7 @ @ for FILE in $tmpfiles_d ; do
# whine about invalid entries
case $cmd in
- f|F|w|d|D|v|p|L|c|C|b|x|X|r|R|z|Z|q|Q|h|H) ;;
+ f|F|w|d|D|v|p|L|c|C|b|x|X|r|R|z|Z|q|Q|h|H|a) ;;
*) warninvalid ; continue ;;
esac
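Review bot: Only lowercase `a` is added to the accepted types in this case pattern, so the recursive ACL type `A` defined by tmpfiles.d would still fall through to warninvalid. Either accept `A` as well, with a handler that calls setfacl with -R, or state in the _a() comment that only the non-recursive form is supported.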
@ @ -551,7 +563,8 @ @ for FILE in $tmpfiles_d ; do
if [ $FORCE -gt 0 ]; then
case $cmd in
- p|L|c|b) [ -f "$path" ] && dryrun_or_real rm -f "$path"
+ p|L|c|b) [ -f "$path" ] && dryrun_or_real rm -f "$path" ;;
+ a) set -- "$@ " "$FORCE" ;;
esac
fi
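Review bot: In the new `a)` arm, `"$@ "` as shown has a space inside the quotes, which appends a space to the last positional parameter before "$FORCE" is added; it should be `set -- "$@" "$FORCE"`. The add flag is also only passed inside the `[ $FORCE -gt 0 ]` branch, while _a() tests `"$add" = 1`, so the append path depends on FORCE being exactly 1. Passing a literal 1 here, or testing `-gt 0` in _a(), would make that coupling explicit. The `;;` added to the `p|L|c|b)` arm is needed for the new arm to parse and is worth mentioning in the commit message as a separate fix.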
I haven't found this functionality in the other tmpfiles.sh implementations on the net, so I'm not sure whether we would deviate from them? Either way, feel free to integrate/modify if you think it's useful...