From Debian package 0.2.20100524-11

  * Allow crond_t the sys_resource capability to set resource limits for
    children.

Index: policy/modules/services/cron.te
===================================================================
--- policy/modules/services/cron.te.orig
+++ policy/modules/services/cron.te
@@ -136,8 +136,8 @@
 # Cron daemon local policy
 #
 
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { dac_override setgid setuid sys_nice sys_resource dac_read_search };
+dontaudit crond_t self:capability { sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;