+ <varlistentry>
+ <term><varname>Z</varname></term>
+ <listitem><para>Recursively
+ set the access mode, group and
+ user, and restore the SELinux
+ security context of a file or
+ directory if it exists, as
+ well as of its subdirectories
+ and the files contained
+ therein (if applicable). Lines
+ of this type accept
+ shell-style globs in place of
+ normal path
+ names.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>If the exclamation mark is used, this
+ line is only safe of execute during boot, and
+ can break a running system. Lines without the
+ exclamation mark are presumed to be safe to
+ execute at any time, e.g. on package upgrades.
+ <command>systemd-tmpfiles</command> will
+ execute line with an exclamation mark only if
+ option <option>--boot</option> is given.
+ </para>
+
+ <para>For example:
+ <programlisting># Make sure these are created by default so that nobody else can
+d /tmp/.X11-unix 1777 root root 10d
+
+# Unlink the X11 lock files
+r! /tmp/.X[0-9]*-lock</programlisting>
+ The second line in contrast to the first one
+ would break a running system, and will only be
+ executed with <option>--boot</option>.</para>
+ </refsect2>
+
+ <refsect2>
+ <title>Path</title>
+
+ <para>The file system path specification supports simple specifier
+ expansion. The following expansions are
+ understood:</para>
+
+ <table>
+ <title>Specifiers available</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname="spec" />
+ <colspec colname="mean" />
+ <colspec colname="detail" />
+ <thead>
+ <row>
+ <entry>Specifier</entry>
+ <entry>Meaning</entry>
+ <entry>Details</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><literal>%m</literal></entry>
+ <entry>Machine ID</entry>
+ <entry>The machine ID of the running system, formatted as string. See <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more information.</entry>
+ </row>
+ <row>
+ <entry><literal>%b</literal></entry>
+ <entry>Boot ID</entry>
+ <entry>The boot ID of the running system, formatted as string. See <citerefentry><refentrytitle>random</refentrytitle><manvolnum>4</manvolnum></citerefentry> for more information.</entry>
+ </row>
+ <row>
+ <entry><literal>%H</literal></entry>
+ <entry>Host name</entry>
+ <entry>The hostname of the running system.</entry>
+ </row>
+ <row>
+ <entry><literal>%v</literal></entry>
+ <entry>Kernel release</entry>
+ <entry>Identical to <command>uname -r</command> output.</entry>
+ </row>
+ <row>
+ <entry><literal>%%</literal></entry>
+ <entry>Escaped %</entry>
+ <entry>Single percent sign.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </refsect2>
+
+ <refsect2>
+ <title>Mode</title>
+
+ <para>The file access mode to use when
+ creating this file or directory. If omitted or
+ when set to -, the default is used: 0755 for
+ directories, 0644 for all other file objects.
+ For <varname>z</varname>, <varname>Z</varname>
+ lines, if omitted or when set to
+ <literal>-</literal>, the file access mode
+ will not be modified. This parameter is
+ ignored for <varname>x</varname>,
+ <varname>r</varname>, <varname>R</varname>,
+ <varname>L</varname> lines.</para>
+
+ <para>Optionally, if prefixed with
+ <literal>~</literal> the access mode is masked
+ based on the already set access bits for
+ existing file or directories: if the existing
+ file has all executable bits unset then all
+ executable bits are removed from the new
+ access mode, too. Similar, if all read bits
+ are removed from the old access mode they will
+ be removed from the new access mode too, and
+ if all write bits are removed, they will be
+ removed from the new access mode too. In
+ addition the sticky/suid/gid bit is removed unless
+ applied to a directory. This
+ functionality is particularly useful in
+ conjunction with <varname>Z</varname>.</para>
+ </refsect2>
+
+ <refsect2>
+ <title>UID, GID</title>
+
+ <para>The user and group to use for this file
+ or directory. This may either be a numeric
+ user/group ID or a user or group name. If
+ omitted or when set to <literal>-</literal>,
+ the default 0 (root) is used. For
+ <varname>z</varname>, <varname>Z</varname>
+ lines, when omitted or when set to -, the file
+ ownership will not be modified. These
+ parameters are ignored for
+ <varname>x</varname>, <varname>r</varname>,
+ <varname>R</varname>, <varname>L</varname>
+ lines.</para>
+ </refsect2>
+
+ <refsect2>
+ <title>Age</title>
+ <para>The date field, when set, is used to
+ decide what files to delete when cleaning. If
+ a file or directory is older than the current
+ time minus the age field, it is deleted. The
+ field format is a series of integers each
+ followed by one of the following
+ postfixes for the respective time units:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><varname>s</varname></term>
+ <term><varname>min</varname></term>
+ <term><varname>h</varname></term>