selinux: drop deprecated headers
authorMike Frysinger <vapier@gentoo.org>
Fri, 9 Dec 2016 23:30:30 +0000 (18:30 -0500)
committerMike Frysinger <vapier@gentoo.org>
Fri, 9 Dec 2016 23:30:30 +0000 (18:30 -0500)
The selinux guys want you to get class values at runtime by converting
textual names into constants.  Drop the deprecated headers and switch
to the new format.

This API has been around for years, so there shouldn't be an issue
with backwards compatibility.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
include/libbb.h
libbb/update_passwd.c

index a42a2fba89e9e68266be8ae7bfed947f68e86ec4..2e9ea46e2f0ce72800ddab6813210e9feddbfab2 100644 (file)
@@ -81,8 +81,6 @@
 #if ENABLE_SELINUX
 # include <selinux/selinux.h>
 # include <selinux/context.h>
-# include <selinux/flask.h>
-# include <selinux/av_permissions.h>
 #endif
 #if ENABLE_FEATURE_UTMP
 # if defined __UCLIBC__ && ( \
index a2004f480ca757a2faf3d3f1918ec3a05e9c3ddb..6255af492a1f6893f70e8b38dc175bf5084895ac 100644 (file)
@@ -30,7 +30,18 @@ static void check_selinux_update_passwd(const char *username)
        if (!seuser)
                bb_error_msg_and_die("invalid context '%s'", context);
        if (strcmp(seuser, username) != 0) {
-               if (checkPasswdAccess(PASSWD__PASSWD) != 0)
+               security_class_t tclass;
+               access_vector_t av;
+
+               tclass = string_to_security_class("passwd");
+               if (tclass == 0)
+                       goto die;
+               av = string_to_av_perm(tclass, "passwd");
+               if (av == 0)
+                       goto die;
+
+               if (selinux_check_passwd_access(av) != 0)
+ die:
                        bb_error_msg_and_die("SELinux: access denied");
        }
        if (ENABLE_FEATURE_CLEAN_UP)
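Review bot: The `die:` label sits inside the body of `if (selinux_check_passwd_access(av) != 0)`, so both `goto die` statements jump into a conditional's body. That works only because `bb_error_msg_and_die` is the single statement there and does not return, and it is easy to break in a later edit. The same fail-closed behaviour reads more plainly without the label: `av = tclass ? string_to_av_perm(tclass, "passwd") : 0;` followed by `if (av == 0 || selinux_check_passwd_access(av) != 0)`. Denying when the class or permission lookup returns 0 is the right default and should stay, but the "access denied" message then looks the same as a real policy denial, so a comment such as `/* class/perm not found in loaded policy: fail closed */` would record that this is deliberate. check_selinux_update_passwd starts and ends outside this hunk.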