src/cron.c::main() has this call to set up the inotify file descriptor:

    database.ifd = fd = inotify_init();
    if (fd < 0)
        log_it("CRON", pid, "INFO", "Inotify init failed", errno);
    set_cron_watched(fd);

But this means that fd is going to be leaked to its children on exec. SELinux spotted denials that are almost certainly because of this leaked file descriptor across execve.

I suggest using

    database.ifd = fd = inotify_init1(IN_CLOEXEC)

instead of just inotify_init().
Thanks for the report. It's better to use fcntl here, because inotify_init1 has only been available since kernel-2.6.27 and cronie should also be usable with older kernels.