(block tmp_container
	(optional tmp_container_optional
		(allow process tmpfile (dir (getattr search open)))
		(allow process tmpfile (file (ioctl read getattr lock open)))
	)
)

(block tmp_rw_container
	(blockinherit tmp_container)

	(optional tmp_rw_container_optional
		(allow process tmpfile (file (ioctl read write getattr lock append open)))
		(allow process tmpfile (dir (ioctl read write getattr lock append open)))
	)
)