From 48c4085004caad1ec928fa103b7f3e3fe684c826 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Apr 07 2020 11:16:48 +0000
Subject: Do not use deprecated flask.h and av_permissions.h


selinux/flask.h and selinux/av_permissions.h will be completely dropped in the
next SELinux release.

Use string_to_security_class() and string_to_av_perm() to get class and
permission values. The original hardcoded values could be invalid and are
deprecated as the whole flask.h and av_permissions.h header files.

---

diff --git a/userhelper.c b/userhelper.c
index 4177c89..f2afde7 100644
--- a/userhelper.c
+++ b/userhelper.c
@@ -48,8 +48,6 @@
 
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
 #endif
 
 #include "shvar.h"
@@ -111,7 +109,7 @@ static int checkAccess(unsigned int selaccess) {
     struct av_decision avd;
     int retval = security_compute_av(user_context,
 				     user_context,
-				     SECCLASS_PASSWD,
+				     string_to_security_class("passwd"),
 				     selaccess,
 				     &avd);
 	  
@@ -2267,7 +2265,8 @@ main(int argc, char **argv)
 	const char *new_home_phone;
 	const char *new_shell;
 #ifdef WITH_SELINUX
-	unsigned perm;
+	security_class_t class;
+	access_vector_t perm;
 #endif
 
 	/* State variable we pass around. */
@@ -2426,12 +2425,13 @@ main(int argc, char **argv)
 			user_name = g_strdup(argv[optind]);
 
 #ifdef WITH_SELINUX
+			class = string_to_security_class("passwd");
 			if (c_flag) 
-			  perm = PASSWD__PASSWD;
+			  perm = string_to_av_perm(class, "passwd");
 			else if (s_flag)
-			  perm = PASSWD__CHSH;
+			  perm = string_to_av_perm(class, "chsh");
 			else
-			  perm = PASSWD__CHFN;
+			  perm = string_to_av_perm(class, "chfn");
 
 			if (is_selinux_enabled() > 0 &&
 			    checkAccess(perm)!= 0) {