Description: Add systemd support
Author: Russell Coker <russell@coker.com.au>
Origin: Fedora
Last-Update: 2012-06-27

Index: refpolicy-2.20110726/policy/modules/services/cron.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/cron.if	2012-06-30 01:02:47.000000000 +1000
+++ refpolicy-2.20110726/policy/modules/services/cron.if	2012-06-30 01:03:41.222030887 +1000
@@ -10,11 +10,17 @@
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access
+##      </summary>
+## </param>
 #
 template(`cron_common_crontab_template',`
 	gen_require(`
-		type crond_t, crond_var_run_t, crontab_exec_t;
-		type cron_spool_t, user_cron_spool_t;
+		type crond_t, crontab_exec_t;
+		type cron_spool_t, crond_tmp_t;
+		attribute cron_spool_type;
 	')
 
 	##############################
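Review bot: The new `<param name="role">` block on L14-18 indents its inner lines with runs of spaces (`##      <summary>`) while the surrounding doc block uses a tab (`##	is the prefix for user_t).` on L11), so the XML doc comment no longer follows the file's convention; write them as `##	<summary>` / `##	Role allowed access` / `##	</summary>`. The template's `<summary>` text and the `<param name="userdomain_prefix">` block sit above this hunk, so I cannot confirm they were updated to say the template now takes a role as its second argument and derives `$1_crontab_t` rather than `$1_t`.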
@@ -22,12 +28,17 @@
 	# Declarations
 	#
 
-	type $1_t;
-	application_domain($1_t, crontab_exec_t)
-	ubac_constrained($1_t)
+	type $1_crontab_t;
+	application_domain($1_crontab_t, crontab_exec_t)
+	ubac_constrained($1_crontab_t)
+
+	role $2 types $1_crontab_t;
+
+	type $1_crontab_tmp_t;
+	files_tmp_file($1_crontab_tmp_t)
 
-	type $1_tmp_t;
-	files_tmp_file($1_tmp_t)
+	type $1_cron_spool_t, cron_spool_type;
+	files_type($1_cron_spool_t)
 
 	##############################
 	#
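Review bot: `$1_cron_spool_t` on L48-49 replaces `user_cron_spool_t`, but the old type was `ubac_constrained` (see the removed L391) and the new per-role spool type is not, so with UBAC enabled the spool files lose the user-identity constraint they previously carried while the crontab domain that writes them keeps it (`ubac_constrained($1_crontab_t)` on L39). Unless dropping the constraint is intentional, add `ubac_constrained($1_cron_spool_t)` directly after `files_type($1_cron_spool_t)`; if it is intentional, a one-line comment saying why (crond_t reading every user's spool, presumably) would stop the next reader from re-adding it.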
@@ -35,168 +46,112 @@
 	#
 
 	# dac_override is to create the file in the directory under /tmp
-	allow $1_t self:capability { fowner setuid setgid chown dac_override };
-	allow $1_t self:process { setsched signal_perms };
-	allow $1_t self:fifo_file rw_fifo_file_perms;
-
-	allow $1_t $1_tmp_t:file manage_file_perms;
-	allow $1_t $1_tmp_t:dir manage_dir_perms;
-	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
+	allow $1_crontab_t self:process { setsched signal_perms };
+	allow $1_crontab_t self:fifo_file rw_fifo_file_perms;
+
+	allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
+	allow $1_crontab_t $1_crontab_tmp_t:dir manage_dir_perms;
+	files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { file dir })
+
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($1_t, crontab_exec_t, $1_crontab_t)
+	allow $1_t $1_crontab_t:fd use;
+	manage_files_pattern($1_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+
+	# crontab shows up in user ps
+	ps_process_pattern($1_t, $1_crontab_t)
+	allow $1_t $1_crontab_t:process signal_perms;
+
+	# Run helper programs as the user domain
+	corecmd_bin_domtrans($1_crontab_t, $1_t)
+	corecmd_shell_domtrans($1_crontab_t, $1_t)
 
 	# create files in /var/spool/cron
-	manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-	filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
-	files_list_spool($1_t)
+	manage_files_pattern($1_crontab_t, { cron_spool_t $1_cron_spool_t }, $1_cron_spool_t)
+	filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
+	files_list_spool($1_crontab_t)
 
 	# crontab signals crond by updating the mtime on the spooldir
-	allow $1_t cron_spool_t:dir setattr_dir_perms;
+	allow $1_crontab_t cron_spool_t:dir setattr_dir_perms;
 
-	kernel_read_system_state($1_t)
+	kernel_read_system_state($1_crontab_t)
 
 	# for the checks used by crontab -u
-	selinux_dontaudit_search_fs($1_t)
+	selinux_dontaudit_search_fs($1_crontab_t)
 
-	fs_getattr_xattr_fs($1_t)
-	fs_manage_cgroup_dirs($1_t)
-	fs_manage_cgroup_files($1_t)
+	fs_getattr_xattr_fs($1_crontab_t)
+	fs_manage_cgroup_dirs($1_crontab_t)
+	fs_manage_cgroup_files($1_crontab_t)
 
-	domain_use_interactive_fds($1_t)
+	domain_use_interactive_fds($1_crontab_t)
 
-	files_read_etc_files($1_t)
-	files_read_usr_files($1_t)
-	files_dontaudit_search_pids($1_t)
+	files_read_etc_files($1_crontab_t)
+	files_read_usr_files($1_crontab_t)
+	files_dontaudit_search_pids($1_crontab_t)
 
-	auth_domtrans_chk_passwd($1_t)
-	auth_rw_var_auth($1_t)
-	auth_use_nsswitch($1_t)
+	auth_domtrans_chk_passwd($1_crontab_t)
+	auth_rw_var_auth($1_crontab_t)
+	auth_use_nsswitch($1_crontab_t)
 
-	logging_send_syslog_msg($1_t)
-	logging_send_audit_msgs($1_t)
-	logging_set_loginuid($1_t)
+	logging_send_syslog_msg($1_crontab_t)
+	logging_send_audit_msgs($1_crontab_t)
+	logging_set_loginuid($1_crontab_t)
 
-	init_dontaudit_write_utmp($1_t)
-	init_read_utmp($1_t)
-	init_read_state($1_t)
+	init_dontaudit_write_utmp($1_crontab_t)
+	init_read_utmp($1_crontab_t)
+	init_read_state($1_crontab_t)
 
-	miscfiles_read_localization($1_t)
+	miscfiles_read_localization($1_crontab_t)
 
-	seutil_read_config($1_t)
+	seutil_read_config($1_crontab_t)
 
-	userdom_manage_user_tmp_dirs($1_t)
-	userdom_manage_user_tmp_files($1_t)
 	# Access terminals.
-	userdom_use_inherited_user_terminals($1_t)
+	userdom_use_inherited_user_terminals($1_crontab_t)
 	# Read user crontabs
-	userdom_read_user_home_content_files($1_t)
-	userdom_read_user_home_content_symlinks($1_t)
-
-	tunable_policy(`fcron_crond',`
-		# fcron wants an instant update of a crontab change for the administrator
-		# also crontab does a security check for crontab -u
-		dontaudit $1_t crond_t:process signal;
-	')
-
-')
-
-########################################
-## <summary>
-##	Role access for cron
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`cron_role',`
-	gen_require(`
-		type cronjob_t, crontab_t, crontab_exec_t;
-		type user_cron_spool_t, crond_t;
-	')
-
-	role $1 types { cronjob_t crontab_t };
+	userdom_read_user_home_content_files($1_crontab_t)
+	userdom_read_user_home_content_symlinks($1_crontab_t)
 
-	# cronjob shows up in user ps
-	ps_process_pattern($2, cronjob_t)
-
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
-
-	allow crond_t $2:process transition;
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
+	allow crond_t $1_t:process transition;
+	domain_cron_exemption_target($1_t)
+	dontaudit crond_t $1_t:process { noatsecure siginh rlimitinh };
+	allow $1_t crond_t:process sigchld;
+	allow $1_t crond_tmp_t:file rw_file_perms;
+	dontaudit crond_t $1_t:process { noatsecure siginh rlimitinh };
+	allow $1_t crond_t:fd use;
+	allow $1_t crond_t:fifo_file rw_file_perms;
 
 	# needs to be authorized SELinux context for cron
-	allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
-
-	# crontab shows up in user ps
-	ps_process_pattern($2, crontab_t)
-	allow $2 crontab_t:process signal_perms;
-
-	tunable_policy(`deny_ptrace',`',`
-		allow $2 crontab_t:process ptrace;
-	')
-
-	# Run helper programs as the user domain
-	#corecmd_bin_domtrans(crontab_t, $2)
-	#corecmd_shell_domtrans(crontab_t, $2)
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
-
-	optional_policy(`
-		gen_require(`
-			class dbus send_msg;
-		')
-
-		dbus_stub(cronjob_t)
-		allow cronjob_t $2:dbus send_msg;
-	')
+	allow $1_t $1_cron_spool_t:file entrypoint;
+	allow crond_t $1_t:process transition;
 ')
 
 ########################################
 ## <summary>
-##	Role access for unconfined cronjobs
+##	Grant administrative access to crontab for the unconfined domain
 ## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role
+##	User domain for the crontab program
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-interface(`cron_unconfined_role',`
+interface(`cron_unconfined_crontab',`
 	gen_require(`
-		type unconfined_cronjob_t;
-	')
-
-	role $1 types unconfined_cronjob_t;
-
-	# cronjob shows up in user ps
-	ps_process_pattern($2, unconfined_cronjob_t)
-	allow $2 unconfined_cronjob_t:process signal_perms;
-	tunable_policy(`deny_ptrace',`',`
-		allow $2 unconfined_cronjob_t:process ptrace;
+		attribute cron_spool_type;
 	')
 
-	optional_policy(`
-		gen_require(`
-			class dbus send_msg;
-		')
+	# Allow our crontab domain to unlink a user cron spool file.
+	allow $1 cron_spool_type:file { getattr read unlink };
 
-		dbus_stub(unconfined_cronjob_t)
-		allow unconfined_cronjob_t $2:dbus send_msg;
-	')
+	# Manipulate other users crontab.
+	selinux_get_fs_mount($1)
+	selinux_validate_context($1)
+	selinux_compute_access_vector($1)
+	selinux_compute_create_context($1)
+	selinux_compute_relabel_context($1)
+	selinux_compute_user_contexts($1)
 ')
 
 ########################################
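Review bot: `allow crond_t $1_t:process transition;` is declared twice in the template (L200 and L235), as is `dontaudit crond_t $1_t:process { noatsecure siginh rlimitinh };` (L202 and L205); drop the second copy of each and keep the explicit-transition rules together under the L209 comment, which should also say why a non-executable spool file gets `entrypoint` (the explanation removed at L445-457 — crond requests the transition itself via setexeccon because crontabs are configuration files, not executables — no longer appears anywhere). `cron_unconfined_crontab` no longer takes a role argument, yet its doc block still carries `<rolecap/>` (L254); remove that tag. `cron_role` and `cron_unconfined_role` are deleted outright rather than left as deprecated wrappers; the staff, user, sysadm and unconfined callers are updated in this patch, but any other role module that called `cron_role` (the dropped `auditadm_crontab_t`/`secadm_crontab_t` aliases on L371 suggest such callers exist) is not visible here and would fail to build.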
Index: refpolicy-2.20110726/policy/modules/services/cron.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/cron.fc	2012-06-30 01:02:47.529115659 +1000
+++ refpolicy-2.20110726/policy/modules/services/cron.fc	2012-06-30 01:03:41.222030887 +1000
@@ -7,19 +7,15 @@
 
 /usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
 /usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/sbin/fcronsighup           --      gen_context(system_u:object_r:crontab_exec_t,s0)
 
 /usr/sbin/anacron		--	gen_context(system_u:object_r:anacron_exec_t,s0)
 /usr/sbin/atd			--	gen_context(system_u:object_r:crond_exec_t,s0)
 /usr/sbin/cron(d)?		--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
 
 /var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond\.reboot		--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 
 ifdef(`distro_debian', `
 /var/spool/cron/atspool        -d      gen_context(system_u:object_r:cron_spool_t,s0)
@@ -48,10 +44,4 @@
 /var/spool/cron/crontabs/.*	--	<<none>>
 #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 
-/var/spool/fcron		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.*			<<none>>
-/var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-
 /var/log/prelink.log		--	gen_context(system_u:object_r:cron_log_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/cron.te	2012-06-30 01:02:47.529115659 +1000
+++ refpolicy-2.20110726/policy/modules/services/cron.te	2012-06-30 01:03:41.222030887 +1000
@@ -17,14 +17,6 @@
 ## </desc>
 gen_tunable(cron_can_relabel, false)
 
-## <desc>
-## <p>
-## Enable extra rules in the cron domain
-## to support fcron.
-## </p>
-## </desc>
-gen_tunable(fcron_crond, false)
-
 attribute cron_spool_type;
 
 type anacron_exec_t;
@@ -44,14 +36,6 @@
 type cron_log_t;
 logging_log_file(cron_log_t)
 
-type cronjob_t;
-typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t };
-typealias cronjob_t alias { auditadm_crond_t secadm_crond_t };
-domain_type(cronjob_t)
-domain_cron_exemption_target(cronjob_t)
-corecmd_shell_entry_type(cronjob_t)
-ubac_constrained(cronjob_t)
-
 type crond_t;
 type crond_exec_t;
 init_daemon_domain(crond_t, crond_exec_t)
@@ -73,16 +57,6 @@
 type crontab_exec_t;
 application_executable_file(crontab_exec_t)
 
-cron_common_crontab_template(admin_crontab)
-typealias admin_crontab_t alias sysadm_crontab_t;
-typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
-
-cron_common_crontab_template(crontab)
-typealias crontab_t alias { user_crontab_t staff_crontab_t };
-typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
-typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
-typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
-
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
 
@@ -101,39 +75,6 @@
 	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
 ')
 
-type unconfined_cronjob_t;
-domain_type(unconfined_cronjob_t)
-domain_cron_exemption_target(unconfined_cronjob_t)
-
-# Type of user crontabs once moved to cron spool.
-type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
-typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
-ubac_constrained(user_cron_spool_t)
-
-########################################
-#
-# Admin crontab local policy
-#
-
-# Allow our crontab domain to unlink a user cron spool file.
-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
-
-# Manipulate other users crontab.
-selinux_get_fs_mount(admin_crontab_t)
-selinux_validate_context(admin_crontab_t)
-selinux_compute_access_vector(admin_crontab_t)
-selinux_compute_create_context(admin_crontab_t)
-selinux_compute_relabel_context(admin_crontab_t)
-selinux_compute_user_contexts(admin_crontab_t)
-
-tunable_policy(`fcron_crond', `
-	# fcron wants an instant update of a crontab change for the administrator
-	# also crontab does a security check for crontab -u
-	allow admin_crontab_t self:process setfscreate;
-')
-
 ########################################
 #
 # Cron daemon local policy
@@ -250,10 +191,6 @@
 	files_polyinstantiate_all(crond_t)
 ')
 
-tunable_policy(`fcron_crond', `
-	allow crond_t system_cron_spool_t:file manage_file_perms;
-')
-
 optional_policy(`
 	locallogin_search_keys(crond_t)
 	locallogin_link_keys(crond_t)
@@ -523,125 +460,6 @@
 	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')
 
-########################################
-#
-# User cronjobs local policy
-#
-
-allow cronjob_t self:process { signal_perms setsched };
-allow cronjob_t self:fifo_file rw_fifo_file_perms;
-allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-allow cronjob_t self:unix_dgram_socket create_socket_perms;
-
-allow cronjob_t crond_tmp_t:file rw_file_perms;
-
-# The entrypoint interface is not used as this is not
-# a regular entrypoint.  Since crontab files are
-# not directly executed, crond must ensure that
-# the crontab file has a type that is appropriate
-# for the domain of the user cron job.  It
-# performs an entrypoint permission check
-# for this purpose.
-allow cronjob_t user_cron_spool_t:file entrypoint;
-
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond 
-# via setexeccon.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-allow crond_t cronjob_t:process transition;
-dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
-allow crond_t cronjob_t:fd use;
-allow cronjob_t crond_t:fd use;
-allow cronjob_t crond_t:fifo_file rw_file_perms;
-allow cronjob_t crond_t:process sigchld;
+list_dirs_pattern(crond_t, cron_spool_type, cron_spool_type)
+read_files_pattern(crond_t, cron_spool_type, cron_spool_type)
 
-kernel_read_system_state(cronjob_t)
-kernel_read_kernel_sysctls(cronjob_t)
-
-# ps does not need to access /boot when run from cron
-files_dontaudit_search_boot(cronjob_t)
-
-corenet_all_recvfrom_unlabeled(cronjob_t)
-corenet_all_recvfrom_netlabel(cronjob_t)
-corenet_tcp_sendrecv_generic_if(cronjob_t)
-corenet_udp_sendrecv_generic_if(cronjob_t)
-corenet_tcp_sendrecv_generic_node(cronjob_t)
-corenet_udp_sendrecv_generic_node(cronjob_t)
-corenet_tcp_sendrecv_all_ports(cronjob_t)
-corenet_udp_sendrecv_all_ports(cronjob_t)
-corenet_tcp_connect_all_ports(cronjob_t)
-corenet_sendrecv_all_client_packets(cronjob_t)
-
-dev_read_urand(cronjob_t)
-
-fs_getattr_all_fs(cronjob_t)
-
-corecmd_exec_all_executables(cronjob_t)
-
-# quiet other ps operations
-domain_dontaudit_read_all_domains_state(cronjob_t)
-domain_dontaudit_getattr_all_domains(cronjob_t)
-
-files_read_usr_files(cronjob_t)
-files_exec_etc_files(cronjob_t)
-# for nscd:
-files_dontaudit_search_pids(cronjob_t)
-
-libs_exec_lib_files(cronjob_t)
-libs_exec_ld_so(cronjob_t)
-
-files_read_etc_runtime_files(cronjob_t)
-files_read_var_files(cronjob_t)
-files_search_spool(cronjob_t)
-
-logging_search_logs(cronjob_t)
-
-seutil_read_config(cronjob_t)
-
-miscfiles_read_localization(cronjob_t)
-
-userdom_manage_user_tmp_files(cronjob_t)
-userdom_manage_user_tmp_symlinks(cronjob_t)
-userdom_manage_user_tmp_pipes(cronjob_t)
-userdom_manage_user_tmp_sockets(cronjob_t)
-# Run scripts in user home directory and access shared libs.
-userdom_exec_user_home_content_files(cronjob_t)
-# Access user files and dirs.
-userdom_manage_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_symlinks(cronjob_t)
-userdom_manage_user_home_content_pipes(cronjob_t)
-userdom_manage_user_home_content_sockets(cronjob_t)
-#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
-
-list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-
-tunable_policy(`fcron_crond', `
-	allow crond_t user_cron_spool_t:file manage_file_perms;
-')
-
-# need a per-role version of this:
-#optional_policy(`
-#	mono_domtrans(cronjob_t)
-#')
-
-optional_policy(`
-	nis_use_ypbind(cronjob_t)
-')
-
-########################################
-#
-# Unconfined cronjobs local policy
-#
-
-optional_policy(`
-	# Permit a transition from the crond_t domain to this domain.
-	# The transition is requested explicitly by the modified crond 
-	# via setexeccon.  There is no way to set up an automatic
-	# transition, since crontabs are configuration files, not executables.
-	allow crond_t unconfined_cronjob_t:process transition;
-	dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
-	allow crond_t unconfined_cronjob_t:fd use;
-
-	unconfined_domain(unconfined_cronjob_t)
-')
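Review bot: The two rules on L464-465 are all that remains of the user-cronjob section, and nothing near them records that user cron jobs now execute in the login domain itself (`$1_t`, as the default_contexts changes below show: `sysadm_r:sysadm_t:s0`, `staff_r:staff_t:s0`, `user_r:user_t:s0`) instead of a dedicated `cronjob_t`; add a comment such as `# crond reads every role's spool type; the per-role entrypoint/transition rules live in cron_common_crontab_template, and jobs run in the user's login domain`. This is a real widening of what an unattended job can do — a sysadm_r crontab entry now runs with the full `sysadm_t` privilege set, which the old `cronjob_t` rule set (L467-523) never granted — so it belongs in the patch description as well, where the current "Add systemd support" line does not mention it.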
Index: refpolicy-2.20110726/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/unconfined.te	2012-06-30 01:02:47.000000000 +1000
+++ refpolicy-2.20110726/policy/modules/system/unconfined.te	2012-06-30 01:03:41.222030887 +1000
@@ -83,7 +83,8 @@
 ')
 
 optional_policy(`
-	cron_unconfined_role(unconfined_r, unconfined_t)
+	cron_common_crontab_template(unconfined, unconfined_r)
+	cron_unconfined_crontab(unconfined_crontab_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20110726/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/roles/staff.te	2012-06-30 01:02:47.529115659 +1000
+++ refpolicy-2.20110726/policy/modules/roles/staff.te	2012-06-30 01:03:41.222030887 +1000
@@ -19,6 +19,10 @@
 ')
 
 optional_policy(`
+	cron_common_crontab_template(staff, staff_r)
+')
+
+optional_policy(`
 	auditadm_role_change(staff_r)
 ')
 
@@ -72,10 +76,6 @@
 	')
 
 	optional_policy(`
-		cron_role(staff_r, staff_t)
-	')
-
-	optional_policy(`
 		dbus_role_template(staff, staff_r, staff_t)
 	')
 
Index: refpolicy-2.20110726/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/roles/unprivuser.te	2012-06-30 01:02:47.529115659 +1000
+++ refpolicy-2.20110726/policy/modules/roles/unprivuser.te	2012-06-30 01:03:41.222030887 +1000
@@ -17,6 +17,10 @@
 ')
 
 optional_policy(`
+	cron_common_crontab_template(user, user_r)
+')
+
+optional_policy(`
 	screen_role_template(user, user_r, user_t)
 ')
 
@@ -45,10 +49,6 @@
 	')
 
 	optional_policy(`
-		cron_role(user_r, user_t)
-	')
-
-	optional_policy(`
 		dbus_role_template(user, user_r, user_t)
 	')
 
Index: refpolicy-2.20110726/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/roles/sysadm.te	2012-06-30 01:02:47.000000000 +1000
+++ refpolicy-2.20110726/policy/modules/roles/sysadm.te	2012-06-30 01:03:41.226030952 +1000
@@ -73,6 +73,10 @@
 ')
 
 optional_policy(`
+	cron_common_crontab_template(sysadm, sysadm_r)
+')
+
+optional_policy(`
 	# cjp: why is this not apm_run_client
 	apm_domtrans_client(sysadm_t)
 ')
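Review bot: `cron_common_crontab_template(sysadm, sysadm_r)` gives sysadm only the plain per-role crontab domain, but nothing here restores what `admin_crontab_t` (aliased to `sysadm_crontab_t`, L366) previously had: `unlink` on other users' spool files and the `selinux_compute_*` rules (L399-407), which now live solely in `cron_unconfined_crontab()` and are applied in this patch only to `unconfined_crontab_t` (L567). Unless that call is made in a part of sysadm.te outside this hunk, `crontab -u <user>` from sysadm_r will be denied; add `cron_unconfined_crontab(sysadm_crontab_t)` inside the same `optional_policy` block, and consider renaming the interface, since "unconfined" no longer describes who uses it.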
Index: refpolicy-2.20110726/config/appconfig-mcs/root_default_contexts
===================================================================
--- refpolicy-2.20110726.orig/config/appconfig-mcs/root_default_contexts	2012-06-30 01:03:38.465983767 +1000
+++ refpolicy-2.20110726/config/appconfig-mcs/root_default_contexts	2012-06-30 01:03:41.226030952 +1000
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 
 staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
Index: refpolicy-2.20110726/config/appconfig-mcs/default_contexts
===================================================================
--- refpolicy-2.20110726.orig/config/appconfig-mcs/default_contexts	2012-06-30 01:03:38.469983874 +1000
+++ refpolicy-2.20110726/config/appconfig-mcs/default_contexts	2012-06-30 01:03:41.226030952 +1000
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
Index: refpolicy-2.20110726/config/appconfig-mcs/unconfined_u_default_contexts
===================================================================
--- refpolicy-2.20110726.orig/config/appconfig-mcs/unconfined_u_default_contexts	2012-06-30 01:03:38.469983874 +1000
+++ refpolicy-2.20110726/config/appconfig-mcs/unconfined_u_default_contexts	2012-06-30 01:03:41.226030952 +1000
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0
 system_r:initrc_t:s0		unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	unconfined_r:unconfined_t:s0
Index: refpolicy-2.20110726/config/appconfig-mcs/staff_u_default_contexts
===================================================================
--- refpolicy-2.20110726.orig/config/appconfig-mcs/staff_u_default_contexts	2012-06-30 01:03:38.469983874 +1000
+++ refpolicy-2.20110726/config/appconfig-mcs/staff_u_default_contexts	2012-06-30 01:03:41.226030952 +1000
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:cronjob_t:s0
+system_r:crond_t:s0		staff_r:staff_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
Index: refpolicy-2.20110726/config/appconfig-mcs/user_u_default_contexts
===================================================================
--- refpolicy-2.20110726.orig/config/appconfig-mcs/user_u_default_contexts	2012-06-30 01:03:38.469983874 +1000
+++ refpolicy-2.20110726/config/appconfig-mcs/user_u_default_contexts	2012-06-30 01:03:41.226030952 +1000
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:cronjob_t:s0
+system_r:crond_t:s0		user_r:user_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0
Index: refpolicy-2.20110726/config/appconfig-mls/root_default_contexts
===================================================================
--- refpolicy-2.20110726.orig/config/appconfig-mls/root_default_contexts	2012-06-30 01:03:38.469983874 +1000
+++ refpolicy-2.20110726/config/appconfig-mls/root_default_contexts	2012-06-30 01:03:41.226030952 +1000
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 
 staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
Index: refpolicy-2.20110726/config/appconfig-mls/default_contexts
===================================================================
--- refpolicy-2.20110726.orig/config/appconfig-mls/default_contexts	2012-06-30 01:03:38.469983874 +1000
+++ refpolicy-2.20110726/config/appconfig-mls/default_contexts	2012-06-30 01:03:41.226030952 +1000
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
Index: refpolicy-2.20110726/config/appconfig-mls/unconfined_u_default_contexts
===================================================================
--- refpolicy-2.20110726.orig/config/appconfig-mls/unconfined_u_default_contexts	2012-06-30 01:03:38.469983874 +1000
+++ refpolicy-2.20110726/config/appconfig-mls/unconfined_u_default_contexts	2012-06-30 01:03:41.226030952 +1000
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0
 system_r:initrc_t:s0		unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	unconfined_r:unconfined_t:s0
Index: refpolicy-2.20110726/config/appconfig-mls/staff_u_default_contexts
===================================================================
--- refpolicy-2.20110726.orig/config/appconfig-mls/staff_u_default_contexts	2012-06-30 01:03:38.473984054 +1000
+++ refpolicy-2.20110726/config/appconfig-mls/staff_u_default_contexts	2012-06-30 01:03:41.226030952 +1000
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:cronjob_t:s0
+system_r:crond_t:s0		staff_r:staff_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
Index: refpolicy-2.20110726/config/appconfig-mls/user_u_default_contexts
===================================================================
--- refpolicy-2.20110726.orig/config/appconfig-mls/user_u_default_contexts	2012-06-30 01:03:38.473984054 +1000
+++ refpolicy-2.20110726/config/appconfig-mls/user_u_default_contexts	2012-06-30 01:03:41.226030952 +1000
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:cronjob_t:s0
+system_r:crond_t:s0		user_r:user_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0
