File vixie-cron-4.1-selinux.diff of Package cron

--- vixie-cron-4.1/Makefile
+++ vixie-cron-4.1/Makefile
@@ -60,7 +60,7 @@
 INCLUDE		=	-I.
 #INCLUDE	=
 #<<need getopt()>>
-LIBS		=	-lpam -lpam_misc
+LIBS		=	-lpam -lpam_misc -lselinux
 #<<optimize or debug?>>
 #CDEBUG		=	-O
 CDEBUG		=	-O2 -pipe
@@ -69,7 +69,7 @@
 #<<want to use a nonstandard CC?>>
 CC		=	gcc -Wall -Wno-unused -Wno-comment
 #<<manifest defines>>
-DEFS		=	-DWITH_PAM
+DEFS		=	-DWITH_PAM -DWITH_SELINUX
 #(SGI IRIX systems need this)
 #DEFS		=	-D_BSD_SIGNALS -Dconst=
 #<<the name of the BSD-like install program>>
--- vixie-cron-4.1/database.c
+++ vixie-cron-4.1/database.c
@@ -28,6 +28,15 @@
 
 #include "cron.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#define SYSUSERNAME "system_u"
+#else
+#define SYSUSERNAME "*system*"
+#endif
+
 #define TMAX(a,b) ((a)>(b)?(a):(b))
 
 static	void		process_crontab(const char *, const char *,
@@ -296,7 +305,7 @@
 	if (fname == NULL) {
 		/* must be set to something for logging purposes.
 		 */
-		fname = "*system*";
+		fname = SYSUSERNAME;
 	} else if ((pw = getpwnam(uname)) == NULL) {
 		/* file doesn't have a user in passwd file.
 		 */
@@ -358,6 +367,43 @@
 		free_user(u);
 		log_it(fname, getpid(), "RELOAD", tabname);
 	}
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled())	{
+	  security_context_t  file_context=NULL;
+	  security_context_t   user_context=NULL;
+	  struct av_decision avd;
+	  int retval=0;
+
+	  if (fgetfilecon(crontab_fd, &file_context) < OK) {
+	    log_it(fname, getpid(), "getfilecon FAILED", tabname);
+	    goto next_crontab;
+	  }
+
+	  /*
+	   * Since crontab files are not directly executed,
+	   * crond must ensure that the crontab file has
+	   * a context that is appropriate for the context of
+	   * the user cron job.  It performs an entrypoint
+	   * permission check for this purpose.
+	   */
+	  if (get_default_context(fname, NULL, &user_context)) {
+	    log_it(fname, getpid(), "NO CONTEXT", tabname);
+	    freecon(file_context);
+	    goto next_crontab;
+	  }
+	  retval = security_compute_av(user_context,
+				       file_context,
+				       SECCLASS_FILE,
+				       FILE__ENTRYPOINT,
+				       &avd);
+	  freecon(user_context);
+	  freecon(file_context);
+	  if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+	    log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+	    goto next_crontab;
+	  }
+	}
+#endif
 	u = load_user(crontab_fd, pw, fname);
 	if (u != NULL) {
 		u->mtime = statbuf->st_mtime;
--- vixie-cron-4.1/do_command.c
+++ vixie-cron-4.1/do_command.c
@@ -37,6 +37,10 @@
    }
 #endif
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 static void		child_process(entry *, user *);
 static int		safe_p(const char *, const char *);
 
@@ -339,6 +343,20 @@
 				_exit(OK_EXIT);
 			}
 # endif /*DEBUGGING*/
+#ifdef WITH_SELINUX
+			if (is_selinux_enabled()) {
+			  security_context_t scontext;
+			  if (get_default_context(u->name, NULL, &scontext)) {
+			    fprintf(stderr, "execle_secure: couldn't get security context for user %s\n", u->name); 
+			    _exit(ERROR_EXIT);
+			  }
+			  if (setexeccon(scontext) < 0) {
+			    fprintf(stderr, "Could not set exec context to %s for user  %s\n", scontext,u->name);
+			    _exit(ERROR_EXIT);
+			  }
+			  freecon(scontext);
+			}
+#endif
 			execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
 			fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
 			perror("execl");