cron, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/roles/staff.te

@@ -95,7 +95,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_role(staff_r, staff_t)
+		cron_role(staff, staff_t, staff_application_exec_domain, staff_r)
 	')
 
 	optional_policy(`

policy/modules/roles/sysadm.te

@@ -1222,7 +1222,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_admin_role(sysadm_r, sysadm_t)
+		cron_admin_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 	')
 
 	optional_policy(`

policy/modules/roles/unprivuser.te

@@ -59,7 +59,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_role(user_r, user_t)
+		cron_role(user, user_t, user_application_exec_domain, user_r)
 	')
 
 	optional_policy(`

policy/modules/services/cron.if

@@ -44,19 +44,30 @@ template(`cron_common_crontab_template',`
 ## <summary>
 ##	Role access for cron.
 ## </summary>
-## <param name="role">
+## <param name="role_prefix">
 ##	<summary>
-##	Role allowed access.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	User domain for the role.
 ##	</summary>
 ## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
 ## <rolecap/>
 #
-interface(`cron_role',`
+template(`cron_role',`
 	gen_require(`
 		type cronjob_t, crontab_t, crontab_exec_t;
 		type user_cron_spool_t, crond_t;
@@ -68,7 +79,7 @@ interface(`cron_role',`
 	# Declarations
 	#
 
-	role $1 types { cronjob_t crontab_t };
+	role $4 types { cronjob_t crontab_t };
 
 	##############################
 	#
@@ -77,7 +88,7 @@ interface(`cron_role',`
 
 	domtrans_pattern($2, crontab_exec_t, crontab_t)
 
-	dontaudit crond_t $2:process { noatsecure rlimitinh siginh };
+	dontaudit crond_t $3:process { noatsecure rlimitinh siginh };
 	allow $2 crond_t:process sigchld;
 
 	allow $2 user_cron_spool_t:file rw_inherited_file_perms;
@@ -126,18 +137,29 @@ interface(`cron_role',`
 ## <summary>
 ##	Role access for unconfined cron.
 ## </summary>
-## <param name="role">
+## <param name="role_prefix">
 ##	<summary>
-##	Role allowed access.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	User domain for the role.
 ##	</summary>
 ## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
 #
-interface(`cron_unconfined_role',`
+template(`cron_unconfined_role',`
 	gen_require(`
 		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
 		type crond_t, user_cron_spool_t;
@@ -149,7 +171,7 @@ interface(`cron_unconfined_role',`
 	# Declarations
 	#
 
-	role $1 types { unconfined_cronjob_t crontab_t };
+	role $4 types { unconfined_cronjob_t crontab_t };
 
 	##############################
 	#
@@ -207,18 +229,29 @@ interface(`cron_unconfined_role',`
 ## <summary>
 ##	Role access for admin cron.
 ## </summary>
-## <param name="role">
+## <param name="role_prefix">
 ##	<summary>
-##	Role allowed access.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	User domain for the role.
 ##	</summary>
 ## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
 #
-interface(`cron_admin_role',`
+template(`cron_admin_role',`
 	gen_require(`
 		type cronjob_t, crontab_exec_t, admin_crontab_t;
 		class passwd crontab;
@@ -231,7 +264,7 @@ interface(`cron_admin_role',`
 	# Declarations
 	#
 
-	role $1 types { cronjob_t admin_crontab_t };
+	role $4 types { cronjob_t admin_crontab_t };
 
 	##############################
 	#

policy/modules/system/unconfined.te

@@ -84,7 +84,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	cron_unconfined_role(unconfined_r, unconfined_t)
+	cron_unconfined_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 ')
 
 optional_policy(`