avc: denied { watch } for pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0
Signed-off-by: Jason Zaman <jason@xxxxxxxxxxxxx>
---
policy/modules/services/cron.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 46b64016..dbbd9dbf 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t)
files_pid_filetrans(crond_t, crond_runtime_t, file)
manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+allow crond_t cron_spool_t:dir watch;
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+allow crond_t system_cron_spool_t:dir watch;
+allow crond_t system_cron_spool_t:file watch;
rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:dir watch;
manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
--
2.24.1
