From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 3 Jan 2014 20:10:56 +0100
Subject: [refpolicy] [PATCH 1/1] fcron uses a fifo for communication
Message-ID: <20140103191055.GA18224@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

At start-up with current policy, the following error is shown in the logs:

test fcron[6722]: fcron[6722] 3.1.2 started
test fcron[6722]: Cannot bind socket to '/var/run/fcron.fifo': Permission denied

Adding in a named file transition on a sock_file (+ manage rights on that
sock_file) resolves this

Signed-off-by: Sven Vermeulen

--- cron.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cron.te b/cron.te index 7de3859..459e125 100644 --- a/cron.te +++ b/cron.te @@ -347,6 +347,10 @@ tunable_policy(`allow_polyinstantiation',` tunable_policy(`fcron_crond',` allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; + + files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo") + + manage_sock_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) ') optional_policy(` -- 1.8.3.2
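
Review bot: Both added rules sit inside the tunable_policy(`fcron_crond', ...) block, and the first is a named file transition; checkpolicy does not accept type transitions with a file name inside conditionals, so this placement needs a build test, and if it is rejected the files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo") line has to move outside the tunable. An unconditional transition limited to that one file name stays narrow, while the manage_sock_files_pattern line can remain conditional. Two smaller points on the same lines: the subject calls the object a fifo, but the log line ("Cannot bind socket") and the rule's sock_file class both treat it as a UNIX socket, so a one-line comment above the rules saying that fcron.fifo is a socket despite its name would keep a later reader from changing the class to fifo_file. The hunk also only covers crond_t creating and managing the socket; the commit message should say whether the client side's write access to the sock_file and its connect permission to crond_t are already granted elsewhere or still need a follow-up.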