diff -up at-3.1.16/atd.c.noabort at-3.1.16/atd.c --- at-3.1.16/atd.c.noabort 2014-10-02 11:08:26.000000000 +0200 +++ at-3.1.16/atd.c 2014-11-06 16:07:54.851652541 +0100 @@ -221,7 +221,7 @@ static int set_selinux_context(const cha security_context_t user_context=NULL; security_context_t file_context=NULL; struct av_decision avd; - int retval=-1; + int retval=0; char *seuser=NULL; char *level=NULL; @@ -230,12 +230,9 @@ static int set_selinux_context(const cha free(seuser); free(level); if (retval) { - if (security_getenforce()==1) { - perr("execle: couldn't get security context for user %s\n", name); - } else { - syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name); - return -1; - } + lerr("execle: couldn't get security context for user %s\n", name); + retval = -1; + goto err; } } @@ -246,8 +243,11 @@ static int set_selinux_context(const cha * the user cron job. It performs an entrypoint * permission check for this purpose. */ - if (fgetfilecon(STDIN_FILENO, &file_context) < 0) - perr("fgetfilecon FAILED %s", filename); + if (fgetfilecon(STDIN_FILENO, &file_context) < 0) { + lerr("fgetfilecon FAILED %s", filename); + retval = -1; + goto err; + } retval = security_compute_av(user_context, file_context, @@ -256,25 +256,21 @@ static int set_selinux_context(const cha &avd); freecon(file_context); if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { - if (security_getenforce()==1) { - perr("Not allowed to set exec context to %s for user %s\n", user_context,name); - } else { - syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name); - retval = -1; - goto err; - } + lerr("Not allowed to set exec context to %s for user %s\n", user_context,name); + retval = -1; + goto err; } if (setexeccon(user_context) < 0) { - if (security_getenforce()==1) { - perr("Could not set exec context to %s for user %s\n", user_context,name); - retval = -1; - } else { - syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name); - } + lerr("Could not set exec context to %s for user %s\n", user_context,name); + retval = -1; + goto err; } err: - freecon(user_context); - return 0; + if (retval < 0 && security_getenforce() != 1) + retval = 0; + if (user_context) + freecon(user_context); + return retval; } #endif @@ -347,9 +343,12 @@ run_file(const char *filename, uid_t uid */ pid = fork(); - if (pid == -1) - perr("Cannot fork"); - + if (pid == -1) { + lerr("Cannot fork for job execution"); + free(mailname); + free(newname); + return; + } else if (pid != 0) { free(mailname); free(newname); @@ -667,15 +666,19 @@ run_loop() * up. */ - if (stat(".", &buf) == -1) - perr("Cannot stat " ATJOB_DIR); + if (stat(".", &buf) == -1) { + lerr("Cannot stat " ATJOB_DIR); + return next_job; + } if (nothing_to_do && buf.st_mtime <= last_chg) return next_job; last_chg = buf.st_mtime; - if ((spool = opendir(".")) == NULL) - perr("Cannot read " ATJOB_DIR); + if ((spool = opendir(".")) == NULL) { + lerr("Cannot read " ATJOB_DIR); + return next_job; + } run_batch = 0; nothing_to_do = 1; diff -up at-3.1.16/daemon.c.noabort at-3.1.16/daemon.c --- at-3.1.16/daemon.c.noabort 2014-09-30 08:29:02.000000000 +0200 +++ at-3.1.16/daemon.c 2014-11-06 15:37:22.109277583 +0100 @@ -83,6 +83,22 @@ perr(const char *fmt,...) } void +lerr(const char *fmt,...) +{ + char buf[1024]; + va_list args; + + va_start(args, fmt); + vsnprintf(buf, sizeof(buf), fmt, args); + va_end(args); + + if (daemon_debug) { + perror(buf); + } else + syslog(LOG_ERR, "%s: %m", buf); +} + +void pabort(const char *fmt,...) { char buf[1024]; diff -up at-3.1.16/daemon.h.noabort at-3.1.16/daemon.h --- at-3.1.16/daemon.h.noabort 2014-09-30 08:29:02.000000000 +0200 +++ at-3.1.16/daemon.h 2014-11-06 15:36:10.461660104 +0100 @@ -13,5 +13,8 @@ __attribute__((noreturn)) #endif perr (const char *fmt, ...); +void +lerr (const char *fmt, ...); + extern int daemon_debug; extern int daemon_foreground;