Index: refpolicy-2.20180114/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20180114/policy/modules/contrib/cron.if
@@ -51,15 +51,16 @@ template(`cron_common_crontab_template',
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	stem of domain for the role.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`cron_role',`
 	gen_require(`
-		type cronjob_t, crontab_t, crontab_exec_t;
-		type user_cron_spool_t, crond_t;
+		type cronjob_t;
+		type crontab_exec_t, crond_t;
+		type crontab_t, user_cron_spool_t;
 		bool cron_userdomain_transition;
 	')
 
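Review bot: The second parameter is still documented as `<param name="domain">` with the summary `stem of domain for the role.`, which does not tell a caller that the interface now appends `_t` itself (the `$2_t` uses in the following hunks of this file). A caller outside this patch that still passes a full type such as `staff_t` would expand to `staff_t_t`, so the contract should be explicit. I would reword the summary to `Prefix of the user domain (e.g., user is the prefix for user_t).` and consider renaming the param to match. The body of cron_role continues past this hunk.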
@@ -68,47 +69,48 @@ interface(`cron_role',`
 	# Declarations
 	#
 
-	role $1 types { cronjob_t crontab_t };
+	role $1 types { cronjob_t };
+	role $1 types { crontab_t };
 
 	##############################
 	#
 	# Local policy
 	#
 
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
+	domtrans_pattern($2_t, crontab_exec_t, crontab_t)
 
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
+	dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
+	allow $2_t crond_t:process sigchld;
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+	allow $2_t user_cron_spool_t:file { getattr read write ioctl };
 
-	allow $2 crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2, crontab_t)
+	allow $2_t crontab_t:process { ptrace signal_perms };
+	ps_process_pattern($2_t, crontab_t)
 
 	corecmd_exec_bin(crontab_t)
 	corecmd_exec_shell(crontab_t)
 
 	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
+		allow crond_t $2_t:process transition;
+		allow crond_t $2_t:fd use;
+		allow crond_t $2_t:key manage_key_perms;
 
-		allow $2 user_cron_spool_t:file entrypoint;
+		allow $2_t user_cron_spool_t:file entrypoint;
 
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
+		allow $2_t crond_t:fifo_file rw_fifo_file_perms;
 
-		allow $2 cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, cronjob_t)
+		allow $2_t cronjob_t:process { ptrace signal_perms };
+		ps_process_pattern($2_t, cronjob_t)
 	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
+		dontaudit crond_t $2_t:process transition;
+		dontaudit crond_t $2_t:fd use;
+		dontaudit crond_t $2_t:key manage_key_perms;
 
-		dontaudit $2 user_cron_spool_t:file entrypoint;
+		dontaudit $2_t user_cron_spool_t:file entrypoint;
 
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+		dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
 
-		dontaudit $2 cronjob_t:process { ptrace signal_perms };
+		dontaudit $2_t cronjob_t:process { ptrace signal_perms };
 	')
 
 	optional_policy(`
@@ -118,7 +120,7 @@ interface(`cron_role',`
 
 		dbus_stub(cronjob_t)
 
-		allow cronjob_t $2:dbus send_msg;
+		allow cronjob_t $2_t:dbus send_msg;
 	')
 ')
 
Index: refpolicy-2.20180114/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20180114/policy/modules/roles/staff.te
@@ -82,7 +82,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_role(staff_r, staff_t)
+		cron_role(staff_r, staff)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20180114/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20180114/policy/modules/roles/unprivuser.te
@@ -50,7 +50,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_role(user_r, user_t)
+		cron_role(user_r, user)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20180114/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20180114/policy/modules/system/unconfined.te
@@ -76,7 +76,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	cron_unconfined_role(unconfined_r, unconfined_t)
+	cron_role(unconfined_r, unconfined)
 ')
 
 optional_policy(`
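Review bot: Replacing `cron_unconfined_role(unconfined_r, unconfined_t)` with `cron_role(unconfined_r, unconfined)` changes which cron job type is bound to `unconfined_r`, not only the argument style. Per the cron.if hunks, `cron_role` emits `role $1 types { cronjob_t };` and the `cronjob_t` rules. The body of `cron_unconfined_role` is not shown here, so this is inferred: if it was what authorised an unconfined cron job domain for this role, unconfined users' jobs would now either run in the confined `cronjob_t` or fail the role check when `cron_userdomain_transition` is off. The patch description should state which outcome is intended, and it is worth confirming that crond can still compute a valid context for `unconfined_r` jobs.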
Index: refpolicy-2.20180114/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20180114/policy/modules/contrib/cron.te
@@ -341,6 +341,7 @@ ifdef(`distro_debian',`
 	allow crond_t self:process setrlimit;
 
 	optional_policy(`
+		apt_domtrans(system_cronjob_t)
 		apt_manage_cache(system_cronjob_t)
 		apt_read_db(system_cronjob_t)
 
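Review bot: `apt_domtrans(system_cronjob_t)` is added without a comment, and it is the most privileged grant in this patch: every script running as `system_cronjob_t` on Debian can now enter the apt domain, which manages installed packages. Other additions in this file name the job that needs them (`# popcon wants ...`, `# for checkarray ...`), and this line should too, e.g. `# <job name> in cron.daily runs apt` with the real job filled in. If only one job needs it, a dedicated domain for that job would keep the transition away from the rest of the system cron jobs. The enclosing distro_debian block extends beyond the hunk.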
@@ -439,6 +440,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat(crond_t)
 	systemd_dbus_chat_logind(system_cronjob_t)
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 	# so cron jobs can restart daemons
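Review bot: `init_dbus_chat(crond_t)` grants D-Bus access to init for the cron daemon itself, while the other calls visible in this `optional_policy` block, and the `# so cron jobs can restart daemons` comment, concern `system_cronjob_t`. If the daemon domain is intended, a comment saying what crond exchanges with init would make that clear, e.g. `# crond talks to init over D-Bus for <purpose>`. If the jobs were meant, the argument should be `system_cronjob_t`. The block continues past the hunk.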
@@ -461,7 +463,7 @@ allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
 
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
 logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
 allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
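Review bot: Replacing `{ append_file_perms create_file_perms setattr_file_perms }` with `manage_file_perms` on `cron_log_t:file` lets any system cron job overwrite, truncate, rename and unlink cron logs, where before it could only create and append. That weakens the logs as an audit trail of what cron ran. The cron.fc hunk in this patch labels `/var/log/popularity-contest.*` as `cron_log_t`, which suggests popcon's log handling is the reason. If so, I would keep the append-only set and add just what is needed (for rotation, perhaps `rename_file_perms delete_file_perms`), or give the popcon log its own type.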
@@ -493,6 +495,11 @@ allow system_cronjob_t cron_spool_t:file
 
 allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
 
+# popcon wants to stat /proc/kmsg and /proc/kcore
+kernel_getattr_core_if(system_cronjob_t)
+kernel_getattr_message_if(system_cronjob_t)
+
+kernel_read_crypto_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
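Review bot: The two `kernel_getattr_*_if` grants exist, per the comment, only because popcon stats `/proc/kmsg` and `/proc/kcore`. If it does not use the result, `kernel_dontaudit_getattr_core_if(system_cronjob_t)` and `kernel_dontaudit_getattr_message_if(system_cronjob_t)` would silence the denials without widening the domain. `kernel_read_crypto_sysctls(system_cronjob_t)` is added in the same hunk with no explanation, so a short comment naming what reads the crypto sysctls would help.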
@@ -515,6 +522,8 @@ dev_getattr_all_blk_files(system_cronjob
 dev_getattr_all_chr_files(system_cronjob_t)
 dev_read_urand(system_cronjob_t)
 dev_read_sysfs(system_cronjob_t)
+# for checkarray to write to sync_action
+dev_rw_sysfs(system_cronjob_t)
 
 fs_getattr_all_fs(system_cronjob_t)
 fs_getattr_all_files(system_cronjob_t)
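Review bot: `dev_rw_sysfs(system_cronjob_t)` gives every system cron job write access to generic sysfs files so that one script, checkarray, can write `sync_action`. sysfs exposes many kernel and device controls, so this is a wide grant for a narrow need. Running checkarray in a domain of its own, or transitioning to an existing RAID management domain if the policy has a suitable one, would confine the write. If the line stays, `dev_read_sysfs(system_cronjob_t)` just above it is presumably redundant and could be dropped.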
@@ -537,6 +546,7 @@ files_read_var_files(system_cronjob_t)
 files_dontaudit_search_pids(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
+files_read_var_lib_symlinks(system_cronjob_t)
 
 mls_file_read_to_clearance(system_cronjob_t)
 
Index: refpolicy-2.20180114/policy/modules/contrib/cron.fc
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/cron.fc
+++ refpolicy-2.20180114/policy/modules/contrib/cron.fc
@@ -26,6 +26,7 @@
 /var/lib/glpi/files(/.*)?	gen_context(system_u:object_r:cron_var_lib_t,s0)
 
 /var/log/cron.*	gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/popularity-contest.*	gen_context(system_u:object_r:cron_log_t,s0)
 /var/log/rpmpkgs.*	--	gen_context(system_u:object_r:cron_log_t,s0)
 
 /run/anacron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
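Review bot: The new `/var/log/popularity-contest.*` entry has no file-type field, so it labels any object whose path matches, including directories; the `rpmpkgs` entry below uses `--` to restrict the match to regular files. This patch also widens `system_cronjob_t` access to `cron_log_t` files in cron.te, so I would scope the entry as `/var/log/popularity-contest.*	--	gen_context(system_u:object_r:cron_log_t,s0)`.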
