From 575f9494e7e5da29fa25a7d7cbaa0737505619d8 Mon Sep 17 00:00:00 2001
From: Jason Zaman
Date: Mon, 17 Feb 2020 04:03:13 +0800
Subject: [PATCH] cron: watch cron spool

avc: denied { watch } for pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0

Signed-off-by: Jason Zaman
---
 policy/modules/services/cron.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 46b64016a..dbbd9dbf8 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t)
 files_pid_filetrans(crond_t, crond_runtime_t, file)
 manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+allow crond_t cron_spool_t:dir watch;
 manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
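Review bot: The new `allow crond_t cron_spool_t:dir watch;` is a raw allow rule dropped between `*_pattern` macro calls, and the three `allow ... watch;` lines in the next hunk are written the same way; if this revision of the tree already carries a watch pattern in the support macros (current refpolicy provides `watch_dirs_pattern`/`watch_files_pattern` — confirm they exist at this revision), `watch_dirs_pattern(crond_t, cron_spool_t, cron_spool_t)` would read consistently with the surrounding `manage_files_pattern` lines. The grant itself is minimal: only `watch` is given, not `watch_reads` or `watch_with_perm`, and crond_t already holds manage on cron_spool_t two lines above, so no new write access is introduced. The enclosing block of crond_t rules extends beyond the hunk on both sides.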
@@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
 list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+allow crond_t system_cron_spool_t:dir watch;
+allow crond_t system_cron_spool_t:file watch;
 rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:dir watch;
 manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
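Review bot: The `allow crond_t user_cron_spool_t:dir watch;` line is not backed by any of the three AVC denials quoted in the commit message, which cover only cron_spool_t dir, system_cron_spool_t dir and system_cron_spool_t file; a one-line justification in the message — for instance that crond also sets a watch on the per-user crontab directory when it is present — would let a reviewer tell an observed need from a pre-emptive grant. The system_cron_spool_t dir and file watch lines match the `/etc/cron.d` and `/etc/crontab` denials exactly, and granting bare `watch` (no `watch_reads`/`watch_with_perm`) keeps this a notification-only permission on types crond_t can already read via the `list_dirs_pattern`/`read_files_pattern` lines above. The surrounding rule block continues past the end of the hunk.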