From mboxrd@z Thu Jan 1 00:00:00 1970 From: jason@perfinion.com (Jason Zaman) Date: Mon, 1 Feb 2016 17:17:29 +0800 Subject: [refpolicy] [PATCH] cron: Allow locks to be lnk_files Message-ID: <1454318249-21927-1-git-send-email-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The run-crons script now uses symlinks to pids as the locks instead of just a plain file. avc: denied { create } for pid=5844 comm="ln" name="cron.hourly" scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=0 type=PATH msg=audit(1454175001.341:80669): item=2 name="/var/lock/cron.hourly" nametype=CREATE --- cron.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cron.te b/cron.te index b481d5d..b50d468 100644 --- a/cron.te +++ b/cron.te @@ -440,7 +440,8 @@ files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) +allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms; +files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file }) manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) -- 2.4.10
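Review bot: The added `allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;` in the `@@ -440,7 +440,8 @@` hunk of cron.te grants the full manage set on lock symlinks, but the AVC quoted in the commit message only evidences `create`. That denial was logged against `var_lock_t` because the old `files_lock_filetrans(..., file)` did not cover `lnk_file`; once the transition includes `{ file lnk_file }`, new locks will be labelled `system_cronjob_lock_t`. The commit message should say which operations run-crons performs on the symlink (creating it, reading the pid target, removing it), so the choice of `manage_lnk_file_perms` over a narrower permission set is justified in the log. Mirroring the existing `file manage_file_perms` rule on the line above is a reasonable style choice, but it is worth stating that this is the reason.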