From 5f7649fb37bfe66544bc3141c047f5d09c8eaef5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Fri, 9 Apr 2021 18:20:55 +0200
Subject: [PATCH] selinux.c: use modern selabel interface instead of deprecated matchpathcon
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
matchpathcon(3) is deprecated in favor of selabel_lookup(3).
Signed-off-by: Christian Göttsche
Acked-by: James Carter
---
lib/selinux.c | 38 +++++++++++++++++++++++++-------------
1 file changed, 25 insertions(+), 13 deletions(-)
diff --git a/lib/selinux.c b/lib/selinux.c
index a2ea91c8..41f4371d 100644
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -35,7 +35,7 @@
 #include "defines.h"
 #include
-#include
+#include
 #include "prototypes.h"
 static bool selinux_checked = false;
@@ -53,8 +53,6 @@ static bool selinux_enabled;
 */
 int set_selinux_file_context (const char *dst_name)
 {
- /*@null@*/char *scontext = NULL;
-
 if (!selinux_checked) {
 selinux_enabled = is_selinux_enabled () > 0;
 selinux_checked = true;
@@ -62,19 +60,33 @@ int set_selinux_file_context (const char *dst_name)
 if (selinux_enabled) {
 /* Get the default security context for this file */
- if (matchpathcon (dst_name, 0, &scontext) < 0) {
- if (security_getenforce () != 0) {
- return 1;
- }
+
+ /*@null@*/char *fcontext_raw = NULL;
+ struct selabel_handle *hnd;
+ int r;
+
+ hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (hnd == NULL) {
+ return security_getenforce () != 0;
 }
+
+ r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, 0);
+ selabel_close(hnd);
+ if (r < 0) {
+ /* No context specified for the searched path */
+ if (errno == ENOENT) {
+ return 0;
+ }
+
+ return security_getenforce () != 0;
+ }
+
 /* Set the security context for the next created file */
- if (setfscreatecon (scontext) < 0) {
- if (security_getenforce () != 0) {
- freecon (scontext);
- return 1;
- }
+ r = setfscreatecon_raw (fcontext_raw);
+ freecon (fcontext_raw);
+ if (r < 0) {
+ return security_getenforce () != 0;
 }
- freecon (scontext);
 }
 return 0;
 }
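Review bot: `errno` is tested only after `selabel_close(hnd)` has run, so the `ENOENT` check in the `r < 0` branch may see a value overwritten during the close rather than the one `selabel_lookup_raw()` set. Capture it right after the lookup, e.g. `int saved_errno = errno;` before `selabel_close(hnd);`, and compare `saved_errno == ENOENT`. Separately, the removed code fell through to `setfscreatecon (scontext)` with `scontext` still NULL when the lookup failed in permissive mode, which restores default labelling; the new early returns (no handle, `ENOENT`, lookup error) leave whatever fscreate context the process already had, so unless callers clear it the next created file could inherit a label chosen for a different path. Calling `setfscreatecon_raw (NULL)` on those paths would keep the old behaviour. The function starts above this hunk, and no `<errno.h>` include is visible in the patch, so it is presumably pulled in through another header.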