From dd5ef107adfe2c05f7d2e3e3543d3c042868b6fb Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Tue, 14 Jun 2016 13:15:44 +0200
Subject: chfn: chsh: use selinux_check_passwd_access()
* selinux/av_permissions.h and magic constants are deprecated, the recommended solution is to use string_to_security_class() and string_to_av_perm() to get access vector
* it also seems that selinux_check_passwd_access() does exactly the same as our checkAccess(), let's use it.
Signed-off-by: Karel Zak
---
 login-utils/selinux_utils.c | 30 ++++--------------------------
 1 file changed, 4 insertions(+), 26 deletions(-)
(limited to 'login-utils/selinux_utils.c')
diff --git a/login-utils/selinux_utils.c b/login-utils/selinux_utils.c
index e709d0030..dfd696f3e 100644
--- a/login-utils/selinux_utils.c
+++ b/login-utils/selinux_utils.c
@@ -1,6 +1,4 @@
-#include
 #include
-#include
 #include
 #include
 #include
@@ -8,31 +6,11 @@
 #include "selinux_utils.h"
-int checkAccess(char *chuser, int access)
+access_vector_t get_access_vector(const char *tclass, const char *op)
 {
- int status = -1;
- security_context_t user_context;
- const char *user = NULL;
- if (getprevcon(&user_context) == 0) {
- context_t c = context_new(user_context);
- user = context_user_get(c);
- if (strcmp(chuser, user) == 0) {
- status = 0;
- } else {
- struct av_decision avd;
- int retval = security_compute_av(user_context,
- user_context,
- SECCLASS_PASSWD,
- access,
- &avd);
- if ((retval == 0) &&
- ((access & avd.allowed) == (unsigned)access))
- status = 0;
- }
- context_free(c);
- freecon(user_context);
- }
- return status;
+ security_class_t tc = string_to_security_class(tclass);
+
+ return tc ? string_to_av_perm(tc, op) : 0;
 }
 int setupDefaultContext(char *orig_file)
-- cgit v1.2.3-55-g7522
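Review bot: get_access_vector() returns 0 both when the class name is unknown and when string_to_av_perm() does not find the permission, and nothing in the second hunk tells callers that 0 is an error value rather than a usable vector. If selinux_check_passwd_access() compares the vector the way the removed checkAccess() did (`(access & avd.allowed) == (unsigned)access`), an all-zero vector would satisfy the comparison and the check would pass without testing any permission. The callers are outside this diff, so whether they reject 0 is not visible here; I would state the contract above the function, e.g. `/* Returns 0 if the class or permission is unknown to the loaded policy; callers must deny on 0. */`, and have each caller fail closed on it. Separately, the removed code accepted the request outright when `chuser` matched the SELinux user of the previous context, and the new helper takes no user argument, so the commit message's "exactly the same" is worth confirming against the library's behaviour.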