From 39ffa538a206a67bdaa5afbd7af3457cdf7c23ee Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Fri, 23 Feb 2024 16:06:03 -0500
Subject: cron: Use raw entrypoint rule for system_cronjob_t.

By using domain_entry_file() to provide the entrypoint permission, it makes
the spool file an executable, with unexpected access.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
 policy/modules/services/cron.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 9df1e3060..e8b714c8c 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -91,7 +91,6 @@ files_type(system_cron_spool_t)
 type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
 corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
 
 type system_cronjob_lock_t alias system_crond_lock_t;
 files_lock_file(system_cronjob_lock_t)
@@ -464,6 +463,7 @@ allow system_cronjob_t cron_runtime_t:file manage_file_perms;
 files_runtime_filetrans(system_cronjob_t, cron_runtime_t, file)
 
 manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
 
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
 allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
-- 
cgit v1.2.3-65-gdbad