#ifndef UTIL_LINUX_SELINUX_UTILS_H
#define UTIL_LINUX_SELINUX_UTILS_H
-extern access_vector_t get_access_vector(const char *tclass, const char *op);
extern int ul_setfscreatecon_from_file(char *orig_file);
+extern int ul_selinux_has_access(const char *classstr, const char *perm, char **user_cxt);
#endif
#include "selinux-utils.h"
-access_vector_t get_access_vector(const char *tclass, const char *op)
-{
- security_class_t tc = string_to_security_class(tclass);
-
- return tc ? string_to_av_perm(tc, op) : 0;
-}
-
int ul_setfscreatecon_from_file(char *orig_file)
{
if (is_selinux_enabled() > 0) {
}
return 0;
}
+
+/* returns 1 if user has access to @class and @perm ("passwd", "chfn")
+ * or 0 on error,
+ * or 0 if has no access -- in this case sets @user_cxt to user-context
+ */
+int ul_selinux_has_access(const char *classstr, const char *perm, char **user_cxt)
+{
+ char *user;
+ int rc;
+
+ if (user_cxt)
+ *user_cxt = NULL;
+
+ if (getprevcon(&user) != 0)
+ return 0;
+
+ rc = selinux_check_access(user, user, classstr, perm, NULL);
+ if (rc != 0 && user_cxt)
+ *user_cxt = user;
+ else
+ freecon(user);
+
+ return rc == 0 ? 1 : 0;
+}
+
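Review bot: The comment above `ul_selinux_has_access` does not say who owns the context it hands back through `@user_cxt`: on the denied path the `getprevcon()` string is stored into `*user_cxt` and not freed, so the caller must release it with `freecon()`, while on the success and error paths it is freed here (`freecon(user)`) or never set. The present callers in chfn and chsh only pass it to `errx()` and exit, so nothing leaks today, but any later caller that keeps running will leak unless the contract is spelled out; I would extend the comment with a line such as `* The caller owns *user_cxt on a 0 return and must free it with freecon().`. The comment also folds "error" and "no access" into the same 0 return, which is the fail-closed choice one wants for an authorization check; it is worth stating that explicitly ("errors are treated as no access") rather than listing them as two separate cases, since the caller cannot tell them apart. Note too that `selinux_check_access()` returning non-zero covers both a denial and a library error (it sets errno on error), so the `rc != 0` branch hands back a user context in both situations.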
#ifdef HAVE_LIBSELINUX
if (is_selinux_enabled() > 0) {
- if (uid == 0) {
- access_vector_t av = get_access_vector("passwd", "chfn");
+ char *user_cxt = NULL;
- if (selinux_check_passwd_access(av) != 0) {
- char *user_context;
-
- if (getprevcon(&user_context) < 0)
- user_context = NULL;
+ if (uid == 0 && !ul_selinux_has_access("passwd", "chfn", &user_cxt))
+ errx(EXIT_FAILURE,
+ _("%s is not authorized to change "
+ "the finger info of %s"),
+ user_cxt ? : _("Unknown user context"),
+ ctl.username);
- errx(EXIT_FAILURE,
- _("%s is not authorized to change "
- "the finger info of %s"),
- user_context ? : _("Unknown user context"),
- ctl.username);
- }
- }
if (ul_setfscreatecon_from_file(_PATH_PASSWD))
errx(EXIT_FAILURE,
_("can't set default context for %s"), _PATH_PASSWD);
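Review bot: The `errx()` on the `!ul_selinux_has_access(...)` branch reports "not authorized" in two situations the helper cannot distinguish: a genuine SELinux denial, and a failure to obtain or check the context (in which case `user_cxt` stays NULL and the message falls back to "Unknown user context"). That is the safe direction for a privileged path, and it matches the removed code's behaviour, but it may help operators if the fallback text said so, e.g. `user_cxt ? : _("Unknown user context (SELinux check failed)")`, or if the helper's 0-on-error case were mentioned in a short comment above the call. The same pattern appears in the chsh hunk below with the "chsh" permission. This hunk sits inside a function whose start and end are outside the hunk.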
#ifdef HAVE_LIBSELINUX
if (is_selinux_enabled() > 0) {
- if (uid == 0) {
- access_vector_t av = get_access_vector("passwd", "chsh");
+ char *user_cxt = NULL;
- if (selinux_check_passwd_access(av) != 0) {
- char *user_context;
-
- if (getprevcon(&user_context) < 0)
- user_context = NULL;
+ if (uid == 0 && !ul_selinux_has_access("passwd", "chsh", &user_cxt))
+ errx(EXIT_FAILURE,
+ _("%s is not authorized to change the shell of %s"),
+ user_cxt ? : _("Unknown user context"),
+ pw->pw_name);
- errx(EXIT_FAILURE,
- _("%s is not authorized to change the shell of %s"),
- user_context ? : _("Unknown user context"),
- pw->pw_name);
- }
- }
if (ul_setfscreatecon_from_file(_PATH_PASSWD) != 0)
errx(EXIT_FAILURE,
_("can't set default context for %s"), _PATH_PASSWD);