chfn: chsh: use selinux_check_passwd_access()
authorKarel Zak <kzak@redhat.com>
Tue, 14 Jun 2016 11:15:44 +0000 (13:15 +0200)
committerKarel Zak <kzak@redhat.com>
Tue, 14 Jun 2016 11:15:44 +0000 (13:15 +0200)
* selinux/av_permissions.h and its magic constants are deprecated; the
  recommended solution is to use string_to_security_class() and
  string_to_av_perm() to obtain the access vector

* it also seems that selinux_check_passwd_access() does exactly the
  same as our checkAccess(), let's use it.

Signed-off-by: Karel Zak <kzak@redhat.com>
login-utils/chfn.c
login-utils/chsh.c
login-utils/selinux_utils.c
login-utils/selinux_utils.h

index b1c7ea25a22876188b61eadbbd4bdffbde9f4458..89e6bd7ecdfe7c9ee4effe8f1f565319c3329b6e 100644 (file)
@@ -46,7 +46,6 @@
 
 #ifdef HAVE_LIBSELINUX
 # include <selinux/selinux.h>
-# include <selinux/av_permissions.h>
 # include "selinux_utils.h"
 #endif
 
@@ -424,7 +423,9 @@ int main(int argc, char **argv)
 #ifdef HAVE_LIBSELINUX
        if (is_selinux_enabled() > 0) {
                if (uid == 0) {
-                       if (checkAccess(ctl.username, PASSWD__CHFN) != 0) {
+                       access_vector_t av = get_access_vector("passwd", "chfn");
+
+                       if (selinux_check_passwd_access(av) != 0) {
                                security_context_t user_context;
                                if (getprevcon(&user_context) < 0)
                                        user_context = NULL;
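Review bot: The new check on line 36 fails open when `av` is 0: get_access_vector() returns 0 when the loaded policy has no `passwd` class or no `chfn` permission on it, and an all-zero request vector trivially satisfies a `(requested & allowed) == requested` test — that is the comparison the removed checkAccess() used, and as far as I can tell libselinux's selinux_check_passwd_access() applies the same test. The old PASSWD__CHFN constant could never be 0, so this is a new path; reject it explicitly, `if (av == 0 || selinux_check_passwd_access(av) != 0) {`, and the same applies to the chsh hunk below with `"chsh"`. Note also that the removed checkAccess() short-circuited when the caller's SELinux user matched the target user and never consulted the enforcing mode, whereas as far as I recall the library call skips the user comparison and reports success in permissive mode, so "does exactly the same" in the commit message is not quite accurate and the behavioural differences are worth stating there. main() continues outside this hunk.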
index d74a1f0f10a76a588218a2b02bcd6fd61daa9fb6..e9e51832d822e9f53cbef4d567d185af17ff506c 100644 (file)
@@ -46,7 +46,6 @@
 
 #ifdef HAVE_LIBSELINUX
 # include <selinux/selinux.h>
-# include <selinux/av_permissions.h>
 # include "selinux_utils.h"
 #endif
 
@@ -257,7 +256,9 @@ int main(int argc, char **argv)
 #ifdef HAVE_LIBSELINUX
        if (is_selinux_enabled() > 0) {
                if (uid == 0) {
-                       if (checkAccess(pw->pw_name, PASSWD__CHSH) != 0) {
+                       access_vector_t av = get_access_vector("passwd", "chsh");
+
+                       if (selinux_check_passwd_access(av) != 0) {
                                security_context_t user_context;
                                if (getprevcon(&user_context) < 0)
                                        user_context =
index e709d0030214873bceb99548e8355fe2cbc62a87..dfd696f3e8f574bb74338cfc678ce5191b07b32c 100644 (file)
@@ -1,6 +1,4 @@
-#include <selinux/av_permissions.h>
 #include <selinux/context.h>
-#include <selinux/flask.h>
 #include <selinux/selinux.h>
 #include <stdio.h>
 #include <string.h>
@@ -8,31 +6,11 @@
 
 #include "selinux_utils.h"
 
-int checkAccess(char *chuser, int access)
+access_vector_t get_access_vector(const char *tclass, const char *op)
 {
-       int status = -1;
-       security_context_t user_context;
-       const char *user = NULL;
-       if (getprevcon(&user_context) == 0) {
-               context_t c = context_new(user_context);
-               user = context_user_get(c);
-               if (strcmp(chuser, user) == 0) {
-                       status = 0;
-               } else {
-                       struct av_decision avd;
-                       int retval = security_compute_av(user_context,
-                                                        user_context,
-                                                        SECCLASS_PASSWD,
-                                                        access,
-                                                        &avd);
-                       if ((retval == 0) &&
-                           ((access & avd.allowed) == (unsigned)access))
-                               status = 0;
-               }
-               context_free(c);
-               freecon(user_context);
-       }
-       return status;
+       security_class_t tc = string_to_security_class(tclass);
+
+       return tc ? string_to_av_perm(tc, op) : 0;
 }
 
 int setupDefaultContext(char *orig_file)
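Review bot: get_access_vector() folds two different failures into one silent 0 — string_to_security_class() not knowing `tclass` and string_to_av_perm() not knowing `op` — and nothing tells callers that 0 is not a usable vector. Add a header comment above the definition such as `/* Map a policy class/permission name pair to an access vector. Returns 0 when either name is absent from the loaded policy; callers must treat 0 as an undefined permission and never hand it to an access check as if it were valid. */`. With checkAccess() gone, `<selinux/context.h>` and `<string.h>` on lines 63 and 67 may now be unused unless setupDefaultContext (outside this hunk) still needs them; worth checking before the next cleanup.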
index 5bf393c171308a5d2e9905cc2fd435cd42375da3..cf0ed662b3ade44aea8ff3fd768971014566e7b4 100644 (file)
@@ -1,2 +1,7 @@
-extern int checkAccess(char *name,int access);
+#ifndef UTIL_LINUX_SELINUX_UTILS_H
+#define UTIL_LINUX_SELINUX_UTILS_H
+
+extern access_vector_t get_access_vector(const char *tclass, const char *op);
 extern int setupDefaultContext(char *orig_file);
+
+#endif
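Review bot: The new prototype on line 110 uses `access_vector_t` but the header includes nothing that defines it, so it only compiles when the includer has already pulled in `<selinux/selinux.h>` (chfn.c and chsh.c happen to do so, but the header is not self-contained). Since the file now has an include guard, make it stand alone by adding `#include <selinux/selinux.h>` right after the guard's `#define`. The `extern` on the function declarations is redundant but matches the existing setupDefaultContext line, so leaving it for consistency is fine.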