From: Miroslav Grepl <mgrepl@redhat.com>
Date: Wed, 16 Nov 2011 15:52:17 +0000 (+0100)
Subject: Backport fixes from RHEL6 to make cronjobs working in MLS
X-Git-Tag: 000~108^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=558fe7df412e86f450840f05b1274e213eaf20ab;p=people%2Fstevee%2Fselinux-policy.git

Backport fixes from RHEL6 to make cronjobs working in MLS
---

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0d1af63e..b8f0df4a 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -141,6 +141,7 @@ optional_policy(`
 
 optional_policy(`
 	cron_admin_role(sysadm_r, sysadm_t)
+	cron_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index a2e960c6..230cbb29 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -226,6 +226,17 @@ files_search_default(crond_t)
 fs_manage_cgroup_dirs(crond_t)
 fs_manage_cgroup_files(crond_t)
 
+# needed by "crontab -e"
+mls_file_read_all_levels(crond_t)
+mls_file_write_all_levels(crond_t)
+
+# needed because of kernel check of transition
+mls_process_set_level(crond_t)
+
+# to make cronjob working
+mls_fd_share_all_levels(crond_t)
+mls_trusted_object(crond_t)
+
 init_read_state(crond_t)
 init_rw_utmp(crond_t)
 init_spec_domtrans_script(crond_t)