#DESC fcron - additions to cron policy for a more powerful cron program
#
# Domain for fcron, a more powerful cron program.
#
# Needs cron.te installed.
#
# Author: Russell Coker <russell@coker.com.au>

# Use capabilities.
allow crond_t self:capability { dac_override dac_read_search };

# differences between r_dir_perms and rw_dir_perms
allow crond_t cron_spool_t:dir { add_name remove_name write };

ifdef(`mta.te', `
# not sure why we need write access, but Postfix does not work without it
# I will have to change fcron to avoid the need for this
allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
')

ifdef(`distro_debian', `
can_exec(dpkg_t, crontab_exec_t)
file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
')

rw_dir_create_file(crond_t, cron_spool_t)
can_setfscreate(crond_t)

# for /var/run/fcron.fifo
file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)