aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--nss/makedb.c24
1 files changed, 15 insertions, 9 deletions
diff --git a/nss/makedb.c b/nss/makedb.c
index d3fc1c5..bcfa3c7 100644
--- a/nss/makedb.c
+++ b/nss/makedb.c
@@ -47,6 +47,7 @@
/* SELinux support. */
#ifdef HAVE_SELINUX
+# include <selinux/label.h>
# include <selinux/selinux.h>
#endif
@@ -855,18 +856,13 @@ print_database (int fd)
#ifdef HAVE_SELINUX
-/* security_context_t and matchpathcon (along with several other symbols) were
- marked as deprecated by the SELinux API starting from version 3.1. We use
- them here, but should eventually switch to the newer API. */
-DIAG_PUSH_NEEDS_COMMENT
-DIAG_IGNORE_NEEDS_COMMENT (10, "-Wdeprecated-declarations");
-
static void
set_file_creation_context (const char *outname, mode_t mode)
{
static int enabled;
static int enforcing;
- security_context_t ctx;
+ struct selabel_handle *label_hnd = NULL;
+ char* ctx;
/* Check if SELinux is enabled, and remember. */
if (enabled == 0)
@@ -878,9 +874,17 @@ set_file_creation_context (const char *outname, mode_t mode)
if (enforcing == 0)
enforcing = security_getenforce () ? 1 : -1;
+ /* Open the file contexts backend. */
+ label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (!label_hnd)
+ {
+ error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
+ gettext ("cannot initialize SELinux context"));
+ return;
+ }
/* Determine the context which the file should have. */
ctx = NULL;
- if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
+ if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0)
{
if (setfscreatecon (ctx) != 0)
error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
@@ -889,8 +893,10 @@ set_file_creation_context (const char *outname, mode_t mode)
freecon (ctx);
}
+
+ /* Close the file contexts backend. */
+ selabel_close(label_hnd);
}
-DIAG_POP_NEEDS_COMMENT
static void
reset_file_creation_context (void)