diff --git a/SOURCES/cronie-1.5.2-context-role.patch b/SOURCES/cronie-1.5.2-context-role.patch
new file mode 100644
index 0000000..b30a4d4
--- /dev/null
+++ b/SOURCES/cronie-1.5.2-context-role.patch
@@ -0,0 +1,41 @@
+From 1f866530f5b3c49012c61b299f3c4e1dceff2a71 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 18 Oct 2018 14:25:58 +0200
+Subject: [PATCH] Use the role from the crond context for system job contexts.
+
+New SELinux policy added multiple roles for the system_u user on crond_t.
+The default context returned from get_default_context_with_level() is now
+unconfined_t instead of system_cronjob_t which is incorrect for system cron
+jobs.
+We use the role to limit the default context to system_cronjob_t.
+---
+ src/security.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/security.c b/src/security.c
+index d1bdc7f..5213cf3 100644
+--- a/src/security.c
++++ b/src/security.c
+@@ -505,6 +505,7 @@ get_security_context(const char *name, int crontab_fd,
+ retval = get_default_context_with_level(seuser, level, NULL, &scontext);
+ }
+ else {
++ const char *current_user, *current_role;
+ if (getcon(¤t_context_str) < 0) {
+ log_it(name, getpid(), "getcon FAILED", "", 0);
+ return (security_getenforce() > 0);
+@@ -517,8 +518,9 @@ get_security_context(const char *name, int crontab_fd,
+ return (security_getenforce() > 0);
+ }
+
+- const char *current_user = context_user_get(current_context);
+- retval = get_default_context_with_level(current_user, level, NULL, &scontext);
++ current_user = context_user_get(current_context);
++ current_role = context_role_get(current_context);
++ retval = get_default_context_with_rolelevel(current_user, current_role, level, NULL, &scontext);
+
+ freecon(current_context_str);
+ context_free(current_context);
+--
+2.14.5
+
diff --git a/SOURCES/cronie-1.5.2-restart-on-failure.patch b/SOURCES/cronie-1.5.2-restart-on-failure.patch
new file mode 100644
index 0000000..9c300a4
--- /dev/null
+++ b/SOURCES/cronie-1.5.2-restart-on-failure.patch
@@ -0,0 +1,13 @@
+diff -ru cronie-1.5.2/contrib/cronie.systemd cronie-1.5.2_patched/contrib/cronie.systemd
+--- cronie-1.5.2/contrib/cronie.systemd 2018-11-27 15:26:46.797288342 +0100
++++ cronie-1.5.2_patched/contrib/cronie.systemd 2018-11-27 15:26:19.479159225 +0100
+@@ -7,6 +7,8 @@
+ ExecStart=/usr/sbin/crond -n $CRONDARGS
+ ExecReload=/bin/kill -HUP $MAINPID
+ KillMode=process
++Restart=on-failure
++RestartSec=30s
+
+ [Install]
+ WantedBy=multi-user.target
+
diff --git a/SPECS/cronie.spec b/SPECS/cronie.spec
index bc35331..b7002cf 100644
--- a/SPECS/cronie.spec
+++ b/SPECS/cronie.spec
@@ -6,7 +6,7 @@
Summary: Cron daemon for executing programs at set times
Name: cronie
Version: 1.5.2
-Release: 2%{?dist}
+Release: 4%{?dist}
License: MIT and BSD and ISC and GPLv2+
Group: System Environment/Base
URL: https://github.com/cronie-crond/cronie
@@ -38,9 +38,12 @@ Requires(post): systemd
# Some parts of code could result in a memory leak.
Patch0: fix-memory-leaks.patch
-
# Some parts of code could result in undefined behavior.
Patch1: fix-unsafe-code.patch
+# Use correct selinux role
+Patch2: cronie-1.5.2-context-role.patch
+# Make systemd restart crond when it fails.
+Patch3: cronie-1.5.2-restart-on-failure.patch
%description
Cronie contains the standard UNIX daemon crond that runs specified programs at
@@ -85,6 +88,8 @@ extra features.
%patch0 -p1
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
%build
%configure \
@@ -213,6 +218,14 @@ exit 0
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/dailyjobs
%changelog
+* Wed Jun 12 2019 Marcel Plch <mplch@redhat.com> - 1.5.2-4
+- Make crond restart on failure
+- Resolves: rhbz#1715137
+
+* Mon May 20 2019 Marcel Plch <mplch@redhat.com> - 1.5.2-3
+- use role from the current context for system crontabs
+- Resolves: rhbz#1708557
+
* Fri Sep 07 2018 Marcel Plch <mplch@redhat.com> - 1.5.2-2
- Covscan issues review
- Fix potential memory leaks