# AppArmor file-access rules. Each rule is `[qualifiers] path permissions,`:
# `audit` logs every access the rule matches (allowed or denied), `deny`
# turns the rule into an explicit rejection, and `owner` restricts the match
# to files owned by the confined process's user. Rules accumulate; order does
# not matter, but a `deny` always wins over an overlapping allow.

# explicitly deny ld.so.preload
# Denying the read (rather than just not allowing it) documents the intent
# and, combined with `audit`, makes every attempt visible in the audit log.
# The dynamic loader reads this file to force-load libraries into processes,
# so it is a common persistence/injection location.
  audit deny /etc/ld.so.preload r,

# NOTE(review): these two rules are not indented like the rest of the file and
# are broad: `/var/log/` may be listed, and every owner-matched file below it is
# readable and writable. For a subject running as root, `owner` matches nearly
# all of /var/log, which is enough to alter or truncate other services' logs.
# Confirm the confined program needs more than its own log file(s) and narrow
# the glob if it does not.
/var/log/ r,
owner /var/log/** rw,

# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
# Writes to the syslog socket are audited so each message emitted by the
# confined program also leaves a trace in the audit log.
  audit /dev/log                 w,
# Read-only access to the kernel RNG devices.
  /dev/random                    r,
  /dev/urandom                   r,
# Locale and timezone data needed to format timestamps in log messages.
  /etc/locale/**                 r,
  /etc/locale.alias              r,
  /etc/localtime                 r,
  /etc/writable/localtime        r,
  /usr/share/locale-bundle/**    r,
  /usr/share/locale-langpack/**  r,
  /usr/share/locale/**           r,
  /usr/share/**/locale/**        r,
  /usr/share/zoneinfo/           r,
  /usr/share/zoneinfo/**         r,
  /usr/share/X11/locale/**       r,
# journald's syslog-compatible socket; `/{,var/}run/` covers both the
# /run and legacy /var/run spellings of the path.
  audit /{,var/}run/systemd/journal/dev-log w,
  # systemd native journal API (see sd_journal_print(4))
  audit /{,var/}run/systemd/journal/socket w,
  # Nested containers and anything using systemd-cat need this. 'r' shouldn't
  # be required but applications fail without it. journald doesn't leak
  # anything when reading so this is ok.
  audit /{,var/}run/systemd/journal/stdout rw,

# /dev/null is pretty harmless and frequently used
  /dev/null                      rw,
# as is /dev/zero
  /dev/zero                      rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
  /dev/full                      rw,

# dropping core-dumps
# NOTE(review): `rw` on the whole tree also lets the confined process read
# every dump in /var/cores/, including those of other programs; confirm read
# access is required, since core files can contain other processes' memory.
  /var/cores/**                  rw,
