authorMike Frysinger <vapier@gentoo.org>2016-12-09 23:30:30 (GMT)
committer Mike Frysinger <vapier@gentoo.org>2016-12-09 23:30:30 (GMT)
commitc6f35241b38ea0c9581409efcd83716b74918903 (patch)
tree1dfdee1099c3671e1e54345727030ebcea582567
parent1cda8790803a6fb072375c8fa53273333d2d4607 (diff)
selinux: drop deprecated headers
The selinux guys want you to get class values at runtime by converting textual names into constants. Drop the deprecated headers and switch to the new format. This API has been around for years, so there shouldn't be an issue with backwards compatibility. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat
-rw-r--r--include/libbb.h2
-rw-r--r--libbb/update_passwd.c13
2 files changed, 12 insertions, 3 deletions
diff --git a/include/libbb.h b/include/libbb.h
index a42a2fb..2e9ea46 100644
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -81,8 +81,6 @@
#if ENABLE_SELINUX
# include <selinux/selinux.h>
# include <selinux/context.h>
-# include <selinux/flask.h>
-# include <selinux/av_permissions.h>
#endif
#if ENABLE_FEATURE_UTMP
# if defined __UCLIBC__ && ( \
diff --git a/libbb/update_passwd.c b/libbb/update_passwd.c
index a2004f4..6255af4 100644
--- a/libbb/update_passwd.c
+++ b/libbb/update_passwd.c
@@ -30,7 +30,18 @@ static void check_selinux_update_passwd(const char *username)
if (!seuser)
bb_error_msg_and_die("invalid context '%s'", context);
if (strcmp(seuser, username) != 0) {
- if (checkPasswdAccess(PASSWD__PASSWD) != 0)
+ security_class_t tclass;
+ access_vector_t av;
+
+ tclass = string_to_security_class("passwd");
+ if (tclass == 0)
+ goto die;
+ av = string_to_av_perm(tclass, "passwd");
+ if (av == 0)
+ goto die;
+
+ if (selinux_check_passwd_access(av) != 0)
+ die:
bb_error_msg_and_die("SELinux: access denied");
}
if (ENABLE_FEATURE_CLEAN_UP)
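Review bot: The `die:` label is the controlled statement of the unbraced `if (selinux_check_passwd_access(av) != 0)`, so both `goto die` jumps land inside that if's body. This is valid C and keeps the check fail-closed, but a later edit that puts another statement in front of the `bb_error_msg_and_die` call could change which paths reach it. The same decision reads without gotos as `av = tclass ? string_to_av_perm(tclass, "passwd") : 0;` followed by `if (av == 0 || selinux_check_passwd_access(av) != 0)`. A comment such as `/* unknown class or permission is treated as a denial */` would record that a failed lookup is meant to deny, since the message "SELinux: access denied" is shared with a real policy denial. check_selinux_update_passwd starts and ends outside the hunk.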