diff -up at-3.1.11/atd.c.selinux at-3.1.11/atd.c
--- at-3.1.11/atd.c.selinux	2009-10-05 12:56:24.573344967 +0200
+++ at-3.1.11/atd.c	2009-10-05 13:01:55.991338568 +0200
@@ -74,6 +74,14 @@
 #include <syslog.h>
 #endif
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+int selinux_enabled=0;
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#endif
+
 /* Local headers */
 
 #include "privs.h"
@@ -204,6 +212,68 @@ myfork()
 #define ATD_MAIL_NAME    "mailx"
 #endif
 
+#ifdef WITH_SELINUX
+static int set_selinux_context(const char *name, const char *filename) {
+	security_context_t user_context=NULL;
+	security_context_t  file_context=NULL;
+	struct av_decision avd;
+	int retval=-1;
+	char *seuser=NULL;
+	char *level=NULL;
+
+	if (getseuserbyname(name, &seuser, &level) == 0) {
+		retval=get_default_context_with_level(seuser, level, NULL, &user_context);
+		free(seuser);
+		free(level);
+		if (retval) {
+			if (security_getenforce()==1) {
+				perr("execle: couldn't get security context for user %s\n", name);
+			} else {
+				syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
+				return -1;
+			}
+		}
+	}
+
+	/*
+	* Since crontab files are not directly executed,
+	* crond must ensure that the crontab file has
+	* a context that is appropriate for the context of
+	* the user cron job.  It performs an entrypoint
+	* permission check for this purpose.
+	*/
+	if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
+		perr("fgetfilecon FAILED %s", filename);
+
+	retval = security_compute_av(user_context,
+                                    file_context,
+                                    SECCLASS_FILE,
+                                    FILE__ENTRYPOINT,
+                                    &avd);
+	freecon(file_context);
+	if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+		if (security_getenforce()==1) {
+			perr("Not allowed to set exec context to %s for user  %s\n", user_context,name);
+		} else {
+			syslog(LOG_ERR, "Not allowed to set exec context to %s for user  %s\n", user_context,name);
+			retval = -1;
+			goto err;
+		}
+	}
+	if (setexeccon(user_context) < 0) {
+		if (security_getenforce()==1) {
+			perr("Could not set exec context to %s for user  %s\n", user_context,name);
+			retval = -1;
+		} else {
+			syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,name);
+		}
+	}
+  err:
+	freecon(user_context);
+	return 0;
+}
+#endif
+
 static void
 run_file(const char *filename, uid_t uid, gid_t gid)
 {
@@ -454,6 +524,13 @@ run_file(const char *filename, uid_t uid
 
 	    chdir("/");
 
+#ifdef WITH_SELINUX
+           if (selinux_enabled > 0) {
+               if (set_selinux_context(pentry->pw_name, filename) < 0)
+                       perr("SELinux Failed to set context\n");
+           }
+#endif
+
 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
 		perr("Exec failed for /bin/sh");
 #ifdef  WITH_PAM
@@ -535,10 +612,24 @@ run_file(const char *filename, uid_t uid
 
 	    chdir ("/");
 
+#ifdef WITH_SELINUX
+           if (selinux_enabled>0) {
+               if (set_selinux_context(pentry->pw_name, filename) < 0)
+                   perr("SELinux Failed to set context\n");
+           }
+#endif
+
            execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);
 	    perr("Exec failed for mail command");
 	    exit(-1);
 
+#ifdef WITH_SELINUX
+           if (selinux_enabled>0)
+               if (setexeccon(NULL) < 0)
+                   if (security_getenforce()==1)
+                       perr("Could not reset exec context for user %s\n", pentry->pw_name);
+#endif
+
 	PRIV_END
    }
    else if ( mail_pid == -1 ) {
@@ -754,6 +845,10 @@ main(int argc, char *argv[])
     struct passwd *pwe;
     struct group *ge;
 
+#ifdef WITH_SELINUX
+    selinux_enabled=is_selinux_enabled();
+#endif
+
 /* We don't need root privileges all the time; running under uid and gid
  * daemon is fine.
  */
diff -up at-3.1.11/config.h.in.selinux at-3.1.11/config.h.in
--- at-3.1.11/config.h.in.selinux	2009-10-05 12:56:24.573344967 +0200
+++ at-3.1.11/config.h.in	2009-10-05 12:56:24.590350404 +0200
@@ -77,6 +77,9 @@
 /* Define if you are building with_pam */
 #undef WITH_PAM
 
+/* Define if you are building with_selinux  */
+#undef WITH_SELINUX
+
 /* Define to 1 if you have the `pstat_getdynamic' function. */
 #undef HAVE_PSTAT_GETDYNAMIC
 
diff -up at-3.1.11/configure.ac.selinux at-3.1.11/configure.ac
--- at-3.1.11/configure.ac.selinux	2009-10-05 12:56:24.574344835 +0200
+++ at-3.1.11/configure.ac	2009-10-05 12:56:24.591350062 +0200
@@ -308,5 +308,13 @@ AC_DEFINE(WITH_PAM),
 AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
 AC_SUBST(PAMLIB)
 
+AC_ARG_WITH(selinux,
+[ --with-selinux       Define to run with selinux],
+AC_DEFINE(WITH_SELINUX),
+)
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
+AC_SUBST(SELINUXLIB)
+AC_SUBST(WITH_SELINUX)
+
 AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 batch)
 AC_OUTPUT
diff -up at-3.1.11/Makefile.in.selinux at-3.1.11/Makefile.in
--- at-3.1.11/Makefile.in.selinux	2009-10-05 12:56:24.509607000 +0200
+++ at-3.1.11/Makefile.in	2009-10-05 12:56:24.592345179 +0200
@@ -39,6 +39,7 @@ LIBS		= @LIBS@
 LIBOBJS		= @LIBOBJS@
 INSTALL		= @INSTALL@
 PAMLIB          = @PAMLIB@
+SELINUXLIB	= @SELINUXLIB@
 
 CLONES		= atq atrm 
 ATOBJECTS	= at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o