From feb482edd92b126cba06a12713ba9a5d9ec33ab2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 12 Sep 2024 12:18:05 +0100
Subject: [PATCH] fix(profile): crontab editor issues with cronie fix #479
---
 apparmor.d/groups/cron/crontab | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab
index 2743173f..1144b39c 100644
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@@ -14,11 +14,15 @@ profile crontab @{exec_path} {
 include
 include
+ capability audit_write,
+ capability chown,
 capability dac_read_search,
 capability net_admin,
 capability setgid,
 capability setuid,
+ network netlink raw,
+
 @{exec_path} mr,
 @{sh_path} rix,
@@ -29,12 +33,12 @@ profile crontab @{exec_path} {
 /etc/pam.d/* r,
 /etc/security/*.conf r,
- /var/spool/cron/ r,
- /var/spool/cron/crontabs/ rw,
- /var/spool/cron/user r,
- owner /var/spool/cron/crontabs/* rw,
+ /var/spool/cron/ r,
+ /var/spool/cron/** rw,
- owner @{tmp}/crontab.@{rand6}/{,crontab} rw,
+ owner @{user_cache_dirs}/crontab/crontab.bak rw,
+
+ @{tmp}/crontab.@{rand6}/{,crontab} rwl,
 profile editor {
 include
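Review bot: The added `capability audit_write,`, `capability chown,` and `network netlink raw,` rules in the first hunk carry no comment naming the cronie code path that needs them, which makes it hard to audit later whether each is still required. `chown` deserves the most scrutiny because the second hunk also widens write access under /var/spool/cron. A one-line comment above each rule would do, for example `# cronie: hand the new spool file to the target user` and `# cronie: audit logging over netlink`, if those are indeed the reasons (the commit message only references #479). The profile body starts and ends outside the hunk.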
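Review bot: The new `/var/spool/cron/** rw,` rule in the second hunk drops the `owner` qualifier that the removed `owner /var/spool/cron/crontabs/* rw,` carried and widens the match from one directory to the whole spool tree. Combined with `dac_read_search` and the newly added `chown`, the profile no longer constrains which user's crontab the confined process can write. `@{tmp}/crontab.@{rand6}/{,crontab} rwl,` likewise loses `owner` and gains link permission. If `owner` cannot be kept because cronie creates the file before handing it to the user (an assumption, the page does not say), a narrower pair such as `/var/spool/cron/crontabs/ rw,` plus `/var/spool/cron/{,crontabs/}* rw,` stays closer to the old scope than `**`, and each relaxed rule should get a comment naming the cronie behaviour it exists for. The profile body continues outside the hunk.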