#DESC fcron - additions to cron policy for a more powerful cron program

#

# Domain for fcron, a more powerful cron program.

#

# Needs cron.te installed.

#

# Author: Russell Coker <russell@coker.com.au>

# Use capabilities.

allow crond_t self:capability { dac_override dac_read_search };

# differences between r_dir_perms and rw_dir_perms

allow crond_t cron_spool_t:dir { add_name remove_name write };

ifdef(`mta.te', `

# not sure why we need write access, but Postfix does not work without it

# I will have to change fcron to avoid the need for this

allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };

')

ifdef(`distro_debian', `

can_exec(dpkg_t, crontab_exec_t)

file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)

')

rw_dir_create_file(crond_t, cron_spool_t)

can_setfscreate(crond_t)

# for /var/run/fcron.fifo

file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)