SELinux/cron

Domains
The cron daemon itself (like vixie-cron) runs in the crond_t domain. Depending on the cron daemon used, this daemon either immediately executes the jobs (hence its ability to transition to various other domains) or does this through an intermediate domain (system_cronjob_t for system cronjobs and cronjob_t for user cronjobs).

The crontab_t and admin_crontab_t domains are used by the users (and administrators) for maintaining their crontab files. These files are read in by the cron daemon.

File types/labels
The following table lists the file type/labels defined in the cron module (part of the base policy).

Booleans
The cron domain supports the following SELinux booleans, which can be set / unset using the standard setsebool statements.

System administration
If you want to perform system administrative tasks using cronjobs, you will need to take special care that the domain in which the job runs has sufficient privileges.

First, make sure that your cronjobs run in the system_cronjob_t domain. This means that the cronjobs must be defined as one of
 * scripts in the /etc/cron.hourly, /etc/cron.daily, ... directories
 * crontab entries in the /etc/cron.d directory
 * crontab entries in the /etc/crontab file

Next, verify that the system_cronjob_t domain is allowed to execute the commands you want to run and to transition to the target domains in which they will run.

For instance, to verify if we can call emerge:
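
One way to script that check, as an added example that is not part of the original page: it uses sesearch from setools to test the three allow rules a domain transition needs. The portage_exec_t and portage_t labels for emerge and the job path in the usage comment are assumptions; confirm the real label with ls -Z on the emerge binary.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumption: sesearch (setools) is installed and reads the active policy.

# has_allow SRC TGT CLASS PERM
# Succeeds if the policy contains a matching allow rule. Matching on the
# "allow" keyword ignores any header lines sesearch may print.
has_allow() {
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" 2>/dev/null |
        grep -Eq '^[[:space:]]*allow[[:space:]]'
}

# check_transition SRC EXEC_TYPE TGT
# A domain transition needs three permissions:
#   SRC may execute files labelled EXEC_TYPE,
#   SRC may transition to the TGT process domain,
#   EXEC_TYPE is an entrypoint for TGT.
# Prints the first missing one and returns 1, or prints "ok" and returns 0.
check_transition() {
    src=$1 exec_type=$2 tgt=$3
    has_allow "$src" "$exec_type" file execute ||
        { echo "missing: $src may not execute $exec_type"; return 1; }
    has_allow "$src" "$tgt" process transition ||
        { echo "missing: $src may not transition to $tgt"; return 1; }
    has_allow "$tgt" "$exec_type" file entrypoint ||
        { echo "missing: $exec_type is not an entrypoint for $tgt"; return 1; }
    echo "ok: $src -> $tgt via $exec_type"
}

# cron_job_domain PATH
# Maps where a job is defined to the intermediate domain named on this page:
# /etc/crontab, /etc/cron.d and /etc/cron.hourly, /etc/cron.daily, ... give
# system_cronjob_t; anything else is treated as a user cronjob (cronjob_t).
cron_job_domain() {
    case $1 in
        /etc/crontab|/etc/cron.*/*) echo system_cronjob_t ;;
        *) echo cronjob_t ;;
    esac
}

# Usage (hypothetical job path, assumed emerge labels):
#   check_transition "$(cron_job_domain /etc/cron.daily/update)" \
#       portage_exec_t portage_t
```

A rule that sesearch prints with a trailing boolean condition only applies while that boolean has the shown value, so check the booleans above before relying on an "ok" result.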