--- vixie-cron-3.0.1/Makefile.selinux	2003-05-20 14:52:06.000000000 -0400
+++ vixie-cron-3.0.1/Makefile	2003-05-20 14:52:21.000000000 -0400
@@ -71,7 +71,8 @@ LINTFLAGS	=	-hbxa $(INCLUDE) $(COMPAT) $
 #<<want to use a nonstandard CC?>>
 #CC		=	vcc
 #<<manifest defines>>
-DEFS		=
+DEFS		= -s -DWITH_SELINUX
+LIBS		+= 	-lselinux
 #(SGI IRIX systems need this)
 #DEFS		=	-D_BSD_SIGNALS -Dconst=
 #<<the name of the BSD-like install program>>
--- vixie-cron-3.0.1/database.c.selinux	2003-05-20 14:52:56.000000000 -0400
+++ vixie-cron-3.0.1/database.c	2003-05-23 13:27:24.898020960 -0400
@@ -28,6 +28,15 @@
 
 #include "cron.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#define SYSUSERNAME "system_u"
+#else
+#define SYSUSERNAME "*system*"
+#endif
+
 #define TMAX(a,b) ((a)>(b)?(a):(b))
 
 static	void		process_crontab(const char *, const char *,
@@ -217,7 +226,7 @@
 	if (fname == NULL) {
 		/* must be set to something for logging purposes.
 		 */
-		fname = "*system*";
+		fname = SYSUSERNAME;
 	} else if ((pw = getpwnam(uname)) == NULL) {
 		/* file doesn't have a user in passwd file.
 		 */
@@ -279,6 +288,43 @@
 		free_user(u);
 		log_it(fname, getpid(), "RELOAD", tabname);
 	}
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled())	{
+	  security_context_t  file_context=NULL;
+	  security_context_t   user_context=NULL;
+	  struct av_decision avd;
+	  int retval=0;
+
+	  if (fgetfilecon(crontab_fd, &file_context) < OK) {
+	    log_it(fname, getpid(), "getfilecon FAILED", tabname);
+	    goto next_crontab;
+	  }
+
+	  /*
+	   * Since crontab files are not directly executed,
+	   * crond must ensure that the crontab file has
+	   * a context that is appropriate for the context of
+	   * the user cron job.  It performs an entrypoint
+	   * permission check for this purpose.
+	   */
+	  if (get_default_context(fname, NULL, &user_context)) {
+	    log_it(fname, getpid(), "NO CONTEXT", tabname);
+	    freecon(file_context);
+	    goto next_crontab;
+	  }
+	  retval = security_compute_av(user_context,
+				       file_context,
+				       SECCLASS_FILE,
+				       FILE__ENTRYPOINT,
+				       &avd);
+	  freecon(user_context);
+	  freecon(file_context);
+	  if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+	    log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+	    goto next_crontab;
+	  }
+	}
+#endif
 	u = load_user(crontab_fd, pw, fname);
 	if (u != NULL) {
 		u->mtime = statbuf->st_mtime;
--- vixie-cron-3.0.1/do_command.c.selinux	2003-05-20 14:53:12.000000000 -0400
+++ vixie-cron-3.0.1/do_command.c	2003-05-20 14:58:06.000000000 -0400
@@ -25,6 +25,10 @@
 
 #include "cron.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 static void		child_process(entry *, user *);
 static int		safe_p(const char *, const char *);
 
@@ -265,6 +269,20 @@
 				_exit(OK_EXIT);
 			}
 # endif /*DEBUGGING*/
+#ifdef WITH_SELINUX
+			if (is_selinux_enabled()) {
+			  security_context_t scontext;
+			  if (get_default_context(u->name, NULL, &scontext)) {
+			    fprintf(stderr, "execle_secure: couldn't get security context for user %s\n", u->name); 
+			    _exit(ERROR_EXIT);
+			  }
+			  if (setexeccon(scontext) < 0) {
+			    fprintf(stderr, "Could not set exec context to %s for user  %s\n", scontext,u->name);
+			    _exit(ERROR_EXIT);
+			  }
+			  freecon(scontext);
+			}
+#endif
 			execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
 			fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
 			perror("execl");