selinux.c: use modern selabel interface instead of deprecated matchpathcon

matchpathcon(3) is deprecated in favor of selabel_lookup(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>

lib/selinux.c

@@ -35,7 +35,7 @@
 #include "defines.h"
 
 #include <selinux/selinux.h>
-#include <selinux/context.h>
+#include <selinux/label.h>
 #include "prototypes.h"
 
 static bool selinux_checked = false;
@@ -53,8 +53,6 @@ static bool selinux_enabled;
  */
 int set_selinux_file_context (const char *dst_name)
 {
-	/*@null@*/char *scontext = NULL;
-
 	if (!selinux_checked) {
 		selinux_enabled = is_selinux_enabled () > 0;
 		selinux_checked = true;
@@ -62,19 +60,33 @@ int set_selinux_file_context (const char *dst_name)
 
 	if (selinux_enabled) {
 		/* Get the default security context for this file */
-		if (matchpathcon (dst_name, 0, &scontext) < 0) {
-			if (security_getenforce () != 0) {
-				return 1;
-			}
+
+		/*@null@*/char *fcontext_raw = NULL;
+		struct selabel_handle *hnd;
+		int r;
+
+		hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+		if (hnd == NULL) {
+			return security_getenforce () != 0;
 		}
+
+		r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, 0);
+		selabel_close(hnd);
+		if (r < 0) {
+			/* No context specified for the searched path */
+			if (errno == ENOENT) {
+				return 0;
+			}
+
+			return security_getenforce () != 0;
+		}
+
 		/* Set the security context for the next created file */
-		if (setfscreatecon (scontext) < 0) {
-			if (security_getenforce () != 0) {
-				freecon (scontext);
-				return 1;
-			}
+		r = setfscreatecon_raw (fcontext_raw);
+		freecon (fcontext_raw);
+		if (r < 0) {
+			return security_getenforce () != 0;
 		}
-		freecon (scontext);
 	}
 	return 0;
 }