From e1bc4830d6aeb53c283d7b6045a2af2a5aa52200 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 23 Feb 2024 16:06:03 -0500
Subject: [PATCH] cron: Use raw entrypoint rule for system_cronjob_t.

By using domain_entry_file() to provide the entrypoint permission, it makes the spool file an executable, with unexpected access.

Signed-off-by: Chris PeBenito
---
 policy/modules/services/cron.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 605bd7aba..a6fbd30e1 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -91,7 +91,6 @@ files_type(system_cron_spool_t)
 type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
 corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
 
 type system_cronjob_lock_t alias system_crond_lock_t;
 files_lock_file(system_cronjob_lock_t)
@@ -459,6 +458,7 @@ allow system_cronjob_t cron_runtime_t:file manage_file_perms;
 files_runtime_filetrans(system_cronjob_t, cron_runtime_t, file)
 
 manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
 
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
 allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
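Review bot: The new raw `allow system_cronjob_t system_cron_spool_t:file entrypoint;` in the second hunk carries no comment, so the next reader will see a bare access-vector rule where refpolicy convention expects an interface call and is likely to "fix" it back to domain_entry_file(), reintroducing the over-broad access this commit removes. I would add directly above it: `# Deliberately a raw entrypoint rule rather than domain_entry_file(): the interface would also mark system_cron_spool_t as an executable entry_type and grant this domain execute access on its own spool files.` Note that granting only entrypoint here means the execve transition into system_cronjob_t via a spool file still depends on the calling domain having execute on system_cron_spool_t, which is outside this hunk; presumably that rule already exists, since the removed interface only gave execute to system_cronjob_t itself, but it is worth confirming the transition still works after the change. The manage_files_pattern() on the preceding line also means system_cronjob_t can modify files that remain valid entrypoints for itself; that is not an escalation beyond its own domain, but is the kind of write-to-own-entrypoint relationship a future reviewer may want flagged next to the rule.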