From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Wed, 21 Sep 2011 21:23:32 +0200 Subject: [refpolicy] [PATCH 1/1] Cronjobs might create temporary directories Message-ID: <20110921192331.GA10041@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Cronjobs, like makewhatis, want to create temporary directories (and not only just temporary files). We allow a filetrans in tmp_t for directories as well, and allow system_cronjob_t to manage files and directories of system_cronjob_tmp_t. Signed-off-by: Sven Vermeulen
---
 cron.te | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/cron.te b/cron.te
index f22d27c..07e2697 100644
--- a/cron.te
+++ b/cron.te
@@ -334,11 +334,13 @@ allow system_cronjob_t crond_t:process sigchld;
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
 files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
-# write temporary files
+# write temporary files/directories
 manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+manage_files_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
+manage_dirs_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
 manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
 # Read from /var/spool/cron.
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
-- 
1.7.3.4
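Review bot: The added `manage_files_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)` line looks redundant next to its neighbours, assuming the pattern macros expand the way they usually do in refpolicy (directory access on the second argument, object access on the third). File access to system_cronjob_tmp_t is already granted by the existing crond_tmp_t line, and directory access to system_cronjob_tmp_t comes with the new `manage_dirs_pattern` line. If the line is kept for readability, the comment above the block could say so and name the consumer, for example `# write temporary files/directories (makewhatis creates a directory under /tmp)`. That would let a later audit of what system_cronjob_t may do in /tmp tell intent from leftover rules. The system_cronjob_t rule block starts and ends outside this hunk, so related rules may exist that are not visible here.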