
[RFC,SHADOW,5/7] selinux.c: use modern selabel interface instead of deprecated matchpathcon

Message ID 20210413122508.24745-6-cgzones@googlemail.com (mailing list archive)
State Not Applicable
Series SELinux modernizations

Commit Message

Christian Göttsche April 13, 2021, 12:25 p.m. UTC
matchpathcon(3) is deprecated in favor of selabel_lookup(3).
---
 lib/selinux.c | 36 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 12 deletions(-)

Patch

diff --git a/lib/selinux.c b/lib/selinux.c
index a2ea91c8..41f4371d 100644
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -35,7 +35,7 @@ 
 #include "defines.h"
 
 #include <selinux/selinux.h>
-#include <selinux/context.h>
+#include <selinux/label.h>
 #include "prototypes.h"
 
 static bool selinux_checked = false;
@@ -53,8 +53,6 @@  static bool selinux_enabled;
  */
 int set_selinux_file_context (const char *dst_name)
 {
-	/*@null@*/char *scontext = NULL;
-
 	if (!selinux_checked) {
 		selinux_enabled = is_selinux_enabled () > 0;
 		selinux_checked = true;
@@ -62,19 +60,33 @@  int set_selinux_file_context (const char *dst_name)
 
 	if (selinux_enabled) {
 		/* Get the default security context for this file */
-		if (matchpathcon (dst_name, 0, &scontext) < 0) {
-			if (security_getenforce () != 0) {
-				return 1;
+
+		/*@null@*/char *fcontext_raw = NULL;
+		struct selabel_handle *hnd;
+		int r;
+
+		hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+		if (hnd == NULL) {
+			return security_getenforce () != 0;
+		}
+
+		r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, 0);
+		selabel_close(hnd);
+		if (r < 0) {
+			/* No context specified for the searched path */
+			if (errno == ENOENT) {
+				return 0;
 			}
+
+			return security_getenforce () != 0;
 		}
+
 		/* Set the security context for the next created file */
-		if (setfscreatecon (scontext) < 0) {
-			if (security_getenforce () != 0) {
-				freecon (scontext);
-				return 1;
-			}
+		r = setfscreatecon_raw (fcontext_raw);
+		freecon (fcontext_raw);
+		if (r < 0) {
+			return security_getenforce () != 0;
 		}
-		freecon (scontext);
 	}
 	return 0;
 }
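Review bot: `errno` is read after `selabel_close(hnd)` has run between the failing `selabel_lookup_raw` call and the `errno == ENOENT` test, so the "no context for this path" case may be misclassified (and an enforcing-mode failure turned into a silent success, or vice versa) if selabel_close touches errno on its way out; capture it immediately instead, e.g. `r = selabel_lookup_raw (hnd, &fcontext_raw, dst_name, 0);` / `saved_errno = errno;` / `selabel_close (hnd);` and then test `saved_errno == ENOENT`, with `saved_errno` declared alongside `r`. Note also that the new ENOENT branch returns 0 without calling `setfscreatecon_raw`, whereas the old code fell through to `setfscreatecon (NULL)` in permissive mode and returned 1 in enforcing mode, so a creation context set by an earlier call is no longer reset on a lookup miss — worth a one-line comment if intentional, e.g. `/* keep the caller's current fscreate context; a missing entry is not an error */`. Opening and closing a fresh selabel handle on every call reparses the file_contexts database each time; if this is invoked per created file, caching the handle for the process lifetime is the usual pattern. The hunk does not show whether `<errno.h>` is already included. The enclosing `set_selinux_file_context` begins outside this hunk.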