authorGuillem Jover <guillem@debian.org>2012-11-20 18:05:02 +0100
committerGuillem Jover <guillem@debian.org>2014-08-09 22:04:12 +0200
commit5362b6e879ee26323d8257e474d4c94a2b242592 (patch)
treeebf86c1e554d592c2468fb60943cbd517051560a
parentf1cdf4ad022189d3e840543bc2e854c67903b40b (diff)
downloaddpkg-5362b6e879ee26323d8257e474d4c94a2b242592.tar.gz
dpkg: Use SELinux setexecfilecon() if available instead of ad-hoc code
There's no point in duplicating all this code in dpkg, when this is provided now by libselinux.
-rw-r--r--debian/changelog1
-rw-r--r--m4/dpkg-libs.m44
-rw-r--r--src/script.c4
3 files changed, 9 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 1680b24e9..d503006e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ dpkg (1.17.11) UNRELEASED; urgency=low
* Changes to libcompat:
- Make the library testable.
- Do not run qsort() over the scandir() list if it is NULL.
+ * Use SELinux setexecfilecon() if available in dpkg instead of ad-hoc code.
[ Updated programs translations ]
* Danish (Joe Dalton). Closes: #754127
diff --git a/m4/dpkg-libs.m4 b/m4/dpkg-libs.m4
index b8e5ce9c8..2f3b76c44 100644
--- a/m4/dpkg-libs.m4
+++ b/m4/dpkg-libs.m4
@@ -88,6 +88,10 @@ if test "x$with_selinux" != "xno"; then
[if test -n "$with_selinux"; then
AC_MSG_FAILURE([selinux library not found])
fi])
+ AC_CHECK_LIB([selinux], [setexecfilecon],
+ [AC_DEFINE([HAVE_SETEXECFILECON], [1],
+ [Define to 1 if SELinux setexecfilecon is present])
+ ])
AC_CHECK_HEADER([selinux/selinux.h],,
[if test -n "$with_selinux"; then
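Review bot: The added `AC_CHECK_LIB([selinux], [setexecfilecon], ...)` only proves that the symbol links; it does not confirm that `selinux/selinux.h` declares it, and it runs before the header check that follows in this hunk. If the installed headers are older than the library, `HAVE_SETEXECFILECON` would still be defined and src/script.c would call the function without a prototype. Consider a declaration check after the header test, for example `AC_CHECK_DECLS([setexecfilecon], [], [], [[#include <selinux/selinux.h>]])`, and gate the call on both results. The enclosing `if test "x$with_selinux" != "xno"` block starts and ends outside the hunk.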
diff --git a/src/script.c b/src/script.c
index ea96fe17a..e776611bd 100644
--- a/src/script.c
+++ b/src/script.c
@@ -146,6 +146,9 @@ maintscript_set_exec_context(struct command *cmd, const char *fallback)
{
int rc = 0;
#ifdef WITH_SELINUX
+#if HAVE_SETEXECFILECON
+ rc = setexecfilecon(cmd->filename, fallback);
+#else
security_context_t curcon = NULL, newcon = NULL, filecon = NULL;
context_t tmpcon = NULL;
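Review bot: The new guard `#if HAVE_SETEXECFILECON` evaluates a macro that configure leaves undefined when the function is missing, since the m4 hunk only calls AC_DEFINE on success. That works as 0 but trips `-Wundef` and is inconsistent with the `#ifdef WITH_SELINUX` line directly above, so `#ifdef HAVE_SETEXECFILECON` would be the safer spelling. Because this call now decides the SELinux context the maintainer script runs in, a short comment above it would help, e.g. `/* Let libselinux derive the exec context from the script's file label; the fallback type is used when policy defines no transition. */`. It would also be worth noting at `#else` that the ad-hoc code is kept only for libselinux versions without setexecfilecon() and is expected to return the same results. The function body continues outside the hunk, so whether both branches report failures identically cannot be checked from here.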
@@ -189,6 +192,7 @@ out:
freecon(curcon);
freecon(filecon);
#endif
+#endif
return rc < 0 ? rc : 0;
}
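Review bot: The two closing directives at the end of maintscript_set_exec_context() are now easy to misread, because the pre-existing `#endif` closes the new inner `#if HAVE_SETEXECFILECON` and the added one closes `#ifdef WITH_SELINUX`. Annotating them as `#endif /* HAVE_SETEXECFILECON */` and `#endif /* WITH_SELINUX */` would make the nesting explicit. The `out:` label and the freecon() cleanup now compile only in the fallback branch, which is correct as long as no `goto out` is ever added on the setexecfilecon() path. The function starts outside this hunk.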