diff --git a/SOURCES/cronie-1.4.11-anacron-mailto.patch b/SOURCES/cronie-1.4.11-anacron-mailto.patch
new file mode 100644
index 0000000..12078d0
--- /dev/null
+++ b/SOURCES/cronie-1.4.11-anacron-mailto.patch
@@ -0,0 +1,90 @@
+diff -up cronie-1.4.11/anacron/runjob.c.mailto cronie-1.4.11/anacron/runjob.c
+--- cronie-1.4.11/anacron/runjob.c.mailto 2013-07-18 14:27:08.000000000 +0200
++++ cronie-1.4.11/anacron/runjob.c 2017-03-07 14:00:06.968348389 +0100
+@@ -88,10 +88,18 @@ static char *
+ username(void)
+ {
+ struct passwd *ps;
++ static char *user;
++
++ if (user)
++ return user;
+
+ ps = getpwuid(geteuid());
+- if (ps == NULL) die_e("getpwuid() error");
+- return ps->pw_name;
++ if (ps == NULL || ps->pw_name == NULL) die_e("getpwuid() error");
++
++ user = strdup(ps->pw_name);
++ if (user == NULL) die_e("memory allocation error");
++
++ return user;
+ }
+
+ static void
+@@ -167,6 +175,12 @@ launch_mailer(job_rec *jr)
+ pid_t pid;
+ struct stat buf;
+
++ if (jr->mailto == NULL)
++ {
++ explain("Empty MAILTO set, not mailing output");
++ return;
++ }
++
+ /* Check that we have a way of sending mail. */
+ if(stat(SENDMAIL, &buf))
+ {
+@@ -245,14 +259,12 @@ launch_job(job_rec *jr)
+ }
+
+ setup_env(jr);
+-
++
+ /* Get the destination email address if set, or current user otherwise */
+ mailto = getenv("MAILTO");
+
+- if (mailto)
+- jr->mailto = mailto;
+- else
+- jr->mailto = username ();
++ if (mailto == NULL)
++ mailto = username();
+
+ /* create temporary file for stdout and stderr of the job */
+ temp_file(jr); fd = jr->output_fd;
+@@ -262,11 +274,7 @@ launch_job(job_rec *jr)
+ xwrite(fd, username());
+ xwrite(fd, ">\n");
+ xwrite(fd, "To: ");
+- if (mailto) {
+- xwrite(fd, mailto);
+- } else {
+- xwrite(fd, username());
+- }
++ xwrite(fd, mailto);
+ xwrite(fd, "\n");
+ xwrite(fd, "Content-Type: text/plain; charset=\"");
+ xwrite(fd, nl_langinfo(CODESET));
+@@ -277,6 +285,12 @@ launch_job(job_rec *jr)
+ xwrite(fd, hostname);
+ xwrite(fd, "\n\n");
+
++ if (*mailto == '\0')
++ jr->mailto = NULL;
++ else
++ /* ugly but works without strdup() */
++ jr->mailto = mailto;
++
+ jr->mail_header_size = file_size(fd);
+
+ pid = xfork();
+@@ -305,7 +319,7 @@ tend_job(job_rec *jr, int status)
+ if (file_size(jr->output_fd) > jr->mail_header_size) mail_output = 1;
+ else mail_output = 0;
+
+- m = mail_output ? " (mailing output)" : "";
++ m = mail_output ? " (produced output)" : "";
+ if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ explain("Job `%s' terminated%s", jr->ident, m);
+ else if (WIFEXITED(status))
diff --git a/SOURCES/cronie-1.4.11-crontab-root.patch b/SOURCES/cronie-1.4.11-crontab-root.patch
new file mode 100644
index 0000000..5002eec
--- /dev/null
+++ b/SOURCES/cronie-1.4.11-crontab-root.patch
@@ -0,0 +1,12 @@
+diff -up cronie-1.4.11/src/crontab.c.root cronie-1.4.11/src/crontab.c
+--- cronie-1.4.11/src/crontab.c.root 2017-03-07 13:52:23.000000000 +0100
++++ cronie-1.4.11/src/crontab.c 2017-03-07 13:53:40.491278915 +0100
+@@ -170,7 +170,7 @@ int main(int argc, char *argv[]) {
+ }
+
+ #if defined(WITH_PAM)
+- if (cron_start_pam(pw) != PAM_SUCCESS) {
++ if (getuid() != 0 && cron_start_pam(pw) != PAM_SUCCESS) {
+ fprintf(stderr,
+ "You (%s) are not allowed to access to (%s) because of pam configuration.\n",
+ User, ProgramName);
diff --git a/SOURCES/cronie-1.4.11-man-file.patch b/SOURCES/cronie-1.4.11-man-file.patch
new file mode 100644
index 0000000..6309a68
--- /dev/null
+++ b/SOURCES/cronie-1.4.11-man-file.patch
@@ -0,0 +1,15 @@
+diff -up cronie-1.4.11/man/crontab.1.man-file cronie-1.4.11/man/crontab.1
+--- cronie-1.4.11/man/crontab.1.man-file 2013-07-18 14:27:08.000000000 +0200
++++ cronie-1.4.11/man/crontab.1 2017-03-07 13:56:19.650013901 +0100
+@@ -44,8 +44,9 @@ crontab \- maintains crontab files for i
+ .BR -c
+ .SH DESCRIPTION
+ .I Crontab
+-is the program used to install, remove or list the tables used to serve
+-the
++is the program used to install a crontab table
++.IR file ,
++remove or list the existing tables used to serve the
+ .BR cron (8)
+ daemon. Each user can have their own crontab, and though these are files
+ in
diff --git a/SOURCES/cronie-1.4.11-selinux-user.patch b/SOURCES/cronie-1.4.11-selinux-user.patch
new file mode 100644
index 0000000..d2db9ec
--- /dev/null
+++ b/SOURCES/cronie-1.4.11-selinux-user.patch
@@ -0,0 +1,55 @@
+diff -up cronie-1.4.11/src/security.c.selinux-user cronie-1.4.11/src/security.c
+--- cronie-1.4.11/src/security.c.selinux-user 2017-03-07 13:52:23.076462218 +0100
++++ cronie-1.4.11/src/security.c 2017-03-07 14:47:32.957371610 +0100
+@@ -41,8 +41,6 @@
+ #ifdef WITH_SELINUX
+ # include <selinux/selinux.h>
+ # include <selinux/context.h>
+-# include <selinux/flask.h>
+-# include <selinux/av_permissions.h>
+ # include <selinux/get_context_list.h>
+ #endif
+
+@@ -476,7 +474,9 @@ get_security_context(const char *name, i
+ security_context_t scontext = NULL;
+ security_context_t file_context = NULL;
+ security_context_t rawcontext=NULL;
+- int retval = 0;
++ context_t current_context = NULL;
++ int retval;
++ char *current_context_str = NULL;
+ char *seuser = NULL;
+ char *level = NULL;
+
+@@ -490,10 +490,29 @@ get_security_context(const char *name, i
+ log_it(name, getpid(), "getseuserbyname FAILED", name, 0);
+ return (security_getenforce() > 0);
+ }
++
++ retval = get_default_context_with_level(seuser, level, NULL, &scontext);
++ }
++ else {
++ if (getcon(¤t_context_str) < 0) {
++ log_it(name, getpid(), "getcon FAILED", "", 0);
++ return (security_getenforce() > 0);
++ }
++
++ current_context = context_new(current_context_str);
++ if (current_context == NULL) {
++ log_it(name, getpid(), "context_new FAILED", current_context_str, 0);
++ freecon(current_context_str);
++ return (security_getenforce() > 0);
++ }
++
++ const char *current_user = context_user_get(current_context);
++ retval = get_default_context_with_level(current_user, level, NULL, &scontext);
++
++ freecon(current_context_str);
++ context_free(current_context);
+ }
+
+- retval = get_default_context_with_level(name == NULL ? "system_u" : seuser,
+- level, NULL, &scontext);
+ if (selinux_trans_to_raw_context(scontext, &rawcontext) == 0) {
+ freecon(scontext);
+ scontext = rawcontext;
diff --git a/SPECS/cronie.spec b/SPECS/cronie.spec
index b5dbdfd..8508969 100644
--- a/SPECS/cronie.spec
+++ b/SPECS/cronie.spec
@@ -6,7 +6,7 @@
Summary: Cron daemon for executing programs at set times
Name: cronie
Version: 1.4.11
-Release: 14%{?dist}.1
+Release: 17%{?dist}
License: MIT and BSD and ISC and GPLv2+
Group: System Environment/Base
URL: https://fedorahosted.org/cronie
@@ -20,6 +20,10 @@ Patch5: cronie-unitfile.patch
Patch6: cronie-1.4.11-refresh-users.patch
Patch7: cronie-1.4.11-shutdown-msg.patch
Patch8: cronie-1.4.11-temp-name.patch
+Patch9: cronie-1.4.11-anacron-mailto.patch
+Patch10: cronie-1.4.11-crontab-root.patch
+Patch11: cronie-1.4.11-man-file.patch
+Patch12: cronie-1.4.11-selinux-user.patch
Requires: dailyjobs
@@ -93,6 +97,10 @@ extra features.
%patch6 -p1 -b .refresh-users
%patch7 -p1 -b .shutdown-msg
%patch8 -p1 -b .temp-name
+%patch9 -p1 -b .mailto
+%patch10 -p1 -b .root
+%patch11 -p1 -b .man-file
+%patch12 -p1 -b .selinux-user
%build
%configure \
@@ -217,7 +225,18 @@ exit 0
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/dailyjobs
%changelog
-* Tue Jan 23 2016 Tomáš Mráz <tmraz@redhat.com> - 1.4.11-14.1
+* Wed Mar 29 2017 Tomáš Mráz <tmraz@redhat.com> - 1.4.11-18
+- make anacron not to contradict itself in syslog
+ (job output does not have to be necessarily mailed)
+
+* Tue Mar 7 2017 Tomáš Mráz <tmraz@redhat.com> - 1.4.11-16
+- disable mail from anacron with empty MAILTO
+- crontab: do not block access with PAM when running as root
+- improve the crontab man page
+- do not hardcode system_u selinux user but use the user from
+ the current context
+
+* Tue Feb 23 2016 Tomáš Mráz <tmraz@redhat.com> - 1.4.11-15
- crontab: use temporary filename properly ignored by crond
* Tue Apr 21 2015 Tomáš Mráz <tmraz@redhat.com> - 1.4.11-14