From 48c4085004caad1ec928fa103b7f3e3fe684c826 Mon Sep 17 00:00:00 2001

From: Petr Lautrbach <plautrba@redhat.com>

Date: Apr 07 2020 11:16:48 +0000

Subject: Do not use deprecated flask.h and av_permissions.h

selinux/flask.h and selinux/av_permissions.h will be completely dropped in the

next SELinux release.

Use string_to_security_class() and string_to_av_perm() to get class and

permission values. The original hardcoded values could be invalid and are

deprecated as the whole flask.h and av_permissions.h header files.

---

diff --git a/userhelper.c b/userhelper.c

index 4177c89..f2afde7 100644

--- a/userhelper.c

+++ b/userhelper.c

@@ -48,8 +48,6 @@

 #ifdef WITH_SELINUX

 #include <selinux/selinux.h>

-#include <selinux/flask.h>

-#include <selinux/av_permissions.h>

 #endif

 #include "shvar.h"

@@ -111,7 +109,7 @@ static int checkAccess(unsigned int selaccess) {

     struct av_decision avd;

     int retval = security_compute_av(user_context,

 				     user_context,

-				     SECCLASS_PASSWD,

+				     string_to_security_class("passwd"),

 				     selaccess,

 				     &avd);

@@ -2267,7 +2265,8 @@ main(int argc, char **argv)

 	const char *new_home_phone;

 	const char *new_shell;

 #ifdef WITH_SELINUX

-	unsigned perm;

+	security_class_t class;

+	access_vector_t perm;

 #endif

 	/* State variable we pass around. */

@@ -2426,12 +2425,13 @@ main(int argc, char **argv)

 			user_name = g_strdup(argv[optind]);

 #ifdef WITH_SELINUX

+			class = string_to_security_class("passwd");

 			if (c_flag) 

-			  perm = PASSWD__PASSWD;

+			  perm = string_to_av_perm(class, "passwd");

 			else if (s_flag)

-			  perm = PASSWD__CHSH;

+			  perm = string_to_av_perm(class, "chsh");

 			else

-			  perm = PASSWD__CHFN;

+			  perm = string_to_av_perm(class, "chfn");

 			if (is_selinux_enabled() > 0 &&

 			    checkAccess(perm)!= 0) {