authorKarel Zak2016-06-14 13:15:44 +0200
committerKarel Zak2016-06-14 13:38:13 +0200
commitdd5ef107adfe2c05f7d2e3e3543d3c042868b6fb (patch)
treedede936a90a0ad071a24783c7ec4a77db8041116 /login-utils
parentbuild-sys: remove global dependence between widechar and ncursesw (diff)
chfn: chsh: use selinux_check_passwd_access()
* selinux/av_permissions.h and magic constants are deprecated, the recommended solution is to use string_to_security_class() and string_to_av_perm() to get access vector * it also seems that selinux_check_passwd_access() does exactly the same as our checkAccess(), let's use it. Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'login-utils')
-rw-r--r--login-utils/chfn.c5
-rw-r--r--login-utils/chsh.c5
-rw-r--r--login-utils/selinux_utils.c30
-rw-r--r--login-utils/selinux_utils.h7
4 files changed, 16 insertions, 31 deletions
diff --git a/login-utils/chfn.c b/login-utils/chfn.c
index b1c7ea25a..89e6bd7ec 100644
--- a/login-utils/chfn.c
+++ b/login-utils/chfn.c
@@ -46,7 +46,6 @@
#ifdef HAVE_LIBSELINUX
# include <selinux/selinux.h>
-# include <selinux/av_permissions.h>
# include "selinux_utils.h"
#endif
@@ -424,7 +423,9 @@ int main(int argc, char **argv)
#ifdef HAVE_LIBSELINUX
if (is_selinux_enabled() > 0) {
if (uid == 0) {
- if (checkAccess(ctl.username, PASSWD__CHFN) != 0) {
+ access_vector_t av = get_access_vector("passwd", "chfn");
+
+ if (selinux_check_passwd_access(av) != 0) {
security_context_t user_context;
if (getprevcon(&user_context) < 0)
user_context = NULL;
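Review bot: The new condition hands `av` to `selinux_check_passwd_access()` even when `get_access_vector()` returned 0, which, per its definition in the selinux_utils.c hunk, is what it yields when either the `passwd` class or the `chfn` permission is unknown to the loaded policy. Whether libselinux denies an empty requested mask is not visible here; if the check is of the form `(requested & allowed) == requested`, a zero mask is trivially satisfied and an unknown permission would fail open rather than closed. Treat an empty vector as a denial explicitly: `if (!av || selinux_check_passwd_access(av) != 0) {`. Note also that the removed `checkAccess()` skipped the policy query when the caller's SELinux user equalled the target account name, while the new call always consults the policy, so the behaviour is stricter than the description's "does exactly the same" suggests. The enclosing `main()` continues outside the hunk.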
diff --git a/login-utils/chsh.c b/login-utils/chsh.c
index d74a1f0f1..e9e51832d 100644
--- a/login-utils/chsh.c
+++ b/login-utils/chsh.c
@@ -46,7 +46,6 @@
#ifdef HAVE_LIBSELINUX
# include <selinux/selinux.h>
-# include <selinux/av_permissions.h>
# include "selinux_utils.h"
#endif
@@ -257,7 +256,9 @@ int main(int argc, char **argv)
#ifdef HAVE_LIBSELINUX
if (is_selinux_enabled() > 0) {
if (uid == 0) {
- if (checkAccess(pw->pw_name, PASSWD__CHSH) != 0) {
+ access_vector_t av = get_access_vector("passwd", "chsh");
+
+ if (selinux_check_passwd_access(av) != 0) {
security_context_t user_context;
if (getprevcon(&user_context) < 0)
user_context =
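Review bot: As in chfn.c, `av` is passed to `selinux_check_passwd_access()` without checking for the 0 that `get_access_vector()` returns when the `passwd` class or `chsh` permission is not known to the policy. If libselinux validates the request as `(requested & allowed) == requested`, a zero mask passes trivially, so a policy that lacks the permission would grant instead of deny; this cannot be confirmed from the hunk, but the cheap guard removes the doubt: `if (!av || selinux_check_passwd_access(av) != 0) {`. The enclosing `main()` continues outside the hunk.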
diff --git a/login-utils/selinux_utils.c b/login-utils/selinux_utils.c
index e709d0030..dfd696f3e 100644
--- a/login-utils/selinux_utils.c
+++ b/login-utils/selinux_utils.c
@@ -1,6 +1,4 @@
-#include <selinux/av_permissions.h>
#include <selinux/context.h>
-#include <selinux/flask.h>
#include <selinux/selinux.h>
#include <stdio.h>
#include <string.h>
@@ -8,31 +6,11 @@
#include "selinux_utils.h"
-int checkAccess(char *chuser, int access)
+access_vector_t get_access_vector(const char *tclass, const char *op)
{
- int status = -1;
- security_context_t user_context;
- const char *user = NULL;
- if (getprevcon(&user_context) == 0) {
- context_t c = context_new(user_context);
- user = context_user_get(c);
- if (strcmp(chuser, user) == 0) {
- status = 0;
- } else {
- struct av_decision avd;
- int retval = security_compute_av(user_context,
- user_context,
- SECCLASS_PASSWD,
- access,
- &avd);
- if ((retval == 0) &&
- ((access & avd.allowed) == (unsigned)access))
- status = 0;
- }
- context_free(c);
- freecon(user_context);
- }
- return status;
+ security_class_t tc = string_to_security_class(tclass);
+
+ return tc ? string_to_av_perm(tc, op) : 0;
}
int setupDefaultContext(char *orig_file)
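Review bot: `get_access_vector()` returns 0 both when `string_to_security_class()` fails and when `string_to_av_perm()` does not recognise `op`, and neither the function nor its two callers marks 0 as an error value, so the contract lives only in the reader's head. A comment above the definition should state it, e.g. `/* Map (tclass, op) to an access vector via the loaded policy; returns 0 if either name is unknown, which callers must treat as deny. */`. The two failure causes are also indistinguishable to the caller, which is acceptable for a deny-by-default check but worth saying in the same comment. `setupDefaultContext()` begins on the last context line and runs past the hunk.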
diff --git a/login-utils/selinux_utils.h b/login-utils/selinux_utils.h
index 5bf393c17..cf0ed662b 100644
--- a/login-utils/selinux_utils.h
+++ b/login-utils/selinux_utils.h
@@ -1,2 +1,7 @@
-extern int checkAccess(char *name,int access);
+#ifndef UTIL_LINUX_SELINUX_UTILS_H
+#define UTIL_LINUX_SELINUX_UTILS_H
+
+extern access_vector_t get_access_vector(const char *tclass, const char *op);
extern int setupDefaultContext(char *orig_file);
+
+#endif
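Review bot: The prototype `extern access_vector_t get_access_vector(const char *tclass, const char *op);` uses a type the header does not bring into scope, so selinux_utils.h compiles only when the includer has already pulled in `<selinux/selinux.h>` — chfn.c and chsh.c happen to do so in that order, but any other includer gets an unknown-type error. Add `#include <selinux/selinux.h>` inside the new guard, before the prototypes, so the header stands on its own.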