cron: Use raw entrypoint rule for system_cronjob_t.

By using domain_entry_file() to provide the entrypoint permission, it makes
the spool file an executable, with unexpected access.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>

1 files changed, 1 insertions, 1 deletions

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 9df1e306..e8b714c8 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -91,7 +91,6 @@ files_type(system_cron_spool_t)
 type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
 corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
 
 type system_cronjob_lock_t alias system_crond_lock_t;
 files_lock_file(system_cronjob_lock_t)
@@ -464,6 +463,7 @@ allow system_cronjob_t cron_runtime_t:file manage_file_perms;
 files_runtime_filetrans(system_cronjob_t, cron_runtime_t, file)
 
 manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
 
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
 allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;