From af2fcbd6ae382ee26d24e7608a7e080bc5ab1ae1 Mon Sep 17 00:00:00 2001 From: Harry Ciao Date: Fri, 11 Feb 2011 15:03:10 +0800 Subject: [PATCH] Make crond able to polyinstantiate all. As one of entrypoint application, crond_t should have had the files_polyinstantiate_all() interface called so that pam_namespace.so could work well in crond_t. Otherwise the crond_t lacks the sys_admin permission to make use of pam_namespace.so BTW, the allow_polyinstantiation boolean need to be toggled true accordingly. Signed-off-by: Harry Ciao --- policy/modules/services/cron.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 8637c86af..381467095 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -241,6 +241,10 @@ ifdef(`distro_redhat', ` ') ') +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(crond_t) +') + tunable_policy(`fcron_crond', ` allow crond_t system_cron_spool_t:file manage_file_perms; ')
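Review bot: The new tunable_policy block in cron.te has no comment explaining why crond_t needs files_polyinstantiate_all(). The reason (pam_namespace.so running in crond_t and needing sys_admin) is stated only in the commit message. Since the interface name says it applies to all polyinstantiated directories, add a one-line comment above the block so that someone auditing crond_t's privileges can see why the grant exists. Gating it behind allow_polyinstantiation is right, because the access stays off unless the boolean is enabled. One style point: the block that follows is written as tunable_policy(`fcron_crond', ` with a space after the comma, while the added line omits it. Match the existing spacing.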