authorGuillem Jover <guillem@debian.org>2015-07-07 10:41:15 +0200
committerGuillem Jover <guillem@debian.org>2015-07-30 06:39:23 +0200
commitbba1ceccf591850c47dfc5ec9883c6af9dab34f7 (patch)
tree4dc9725205b090543fea39f95f5febd5df37fe8e
parent02eabc99813dcee64ee5016f1e878c408b639328 (diff)
downloaddpkg-bba1ceccf591850c47dfc5ec9883c6af9dab34f7.tar.gz
libcompat: Use string_to_security_class() instead of literal SECCLASS values
The <selinux/flask.h> header is deprecated, and warns to use string_to_security_class() instead of macro values.
-rw-r--r--debian/changelog3
-rw-r--r--lib/compat/selinux.c8
2 files changed, 9 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index 420d94710..b611fd203 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,9 @@ dpkg (1.18.2) UNRELEASED; urgency=low
* When sys_siglist is defined in the system, try to use NSIG as we cannot
compute the array size with sizeof(). If NSIG is missing fallback to 32
items. Prompted by Igor Pashev <pashev.igor@gmail.com>.
+ * Use string_to_security_class() instead of a literal SECCLASS value in
+ the setexecfilecon() libcompat function, as <selinux/flask.h> is now
+ deprecated.
* Perl modules:
- Remove non-functional timezone name support from
Dpkg::Changelog::Entry::Debian.
diff --git a/lib/compat/selinux.c b/lib/compat/selinux.c
index 087317527..7d3b33a6b 100644
--- a/lib/compat/selinux.c
+++ b/lib/compat/selinux.c
@@ -24,7 +24,6 @@
#include <stdlib.h>
#include <selinux/selinux.h>
-#include <selinux/flask.h>
#include <selinux/context.h>
#include "compat.h"
@@ -35,6 +34,7 @@ setexecfilecon(const char *filename, const char *fallback)
int rc;
security_context_t curcon = NULL, newcon = NULL, filecon = NULL;
+ security_class_t seclass;
context_t tmpcon = NULL;
if (is_selinux_enabled() < 1)
@@ -48,7 +48,11 @@ setexecfilecon(const char *filename, const char *fallback)
if (rc < 0)
goto out;
- rc = security_compute_create(curcon, filecon, SECCLASS_PROCESS, &newcon);
+ seclass = string_to_security_class("process");
+ if (seclass == 0)
+ goto out;
+
+ rc = security_compute_create(curcon, filecon, seclass, &newcon);
if (rc < 0)
goto out;
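Review bot: The new `if (seclass == 0) goto out;` path leaves `rc` holding the result of the preceding call, which has just passed the `rc < 0` check and is therefore non-negative, so a failed class lookup may reach the caller looking like success. The `out:` label and the return statement are outside this hunk, so this is inferred; if `rc` is returned unchanged, the caller would presumably carry on without a computed exec context, which is a fail-open on a security transition. Setting the error explicitly closes that gap: `if (seclass == 0) { rc = -1; goto out; }`. A one-line comment such as `/* 0 means the "process" class could not be resolved. */` would also help, because the old `SECCLASS_PROCESS` macro could not fail at run time and this branch is new behaviour.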