From 4414431f6b42d58746656f5cd0ebf6f9378448df Mon Sep 17 00:00:00 2001
From: atlant2011 <4iter-yes@rambler.ru>
Date: Tue, 13 Jul 2021 09:57:21 +0700
Subject: [PATCH 1/2] 1. remove link to header selinux/flask.h and selinux/av_permissions.h 2. simple move from constant's SECCLASS_FILE and FILE__ENTRYPOINT to functions string_to_security_class("file") and string_to_av_perm(tclass, "entrypoint") 3. NEED CHECK CORRECT RETURN AFTER FAILED RETURN FROM FUNCTION string_to_security_class ADN string_to_av_perm ! Link to info from libselinux https://github.com/SELinuxProject/selinux/commit/76913d8adb61b5#diff-046564229793ada24798dac3d2e479f07651ac9020d43938f3aa1fa9c9c24c9e
---
 conf.c | 26 +++++++++++++++++++++-----
 global.h | 2 --
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/conf.c b/conf.c
index eb43b54..62b4d26 100644
--- a/conf.c
+++ b/conf.c
@@ -453,7 +453,7 @@ read_file(const char *file_name, cf_t * cf, int is_system_startup)
 int has_read_cl_first = 0; /* have we read S_FIRST_T? */
 #ifdef WITH_SELINUX
 int flask_enabled = is_selinux_enabled();
- int retval;
+ int retval = -1;
 struct av_decision avd;
 char *user_name = NULL;
 #endif
@@ -540,11 +540,27 @@ read_file(const char *file_name, cf_t * cf, int is_system_startup) if (get_default_context(user_name, NULL, &cf->cf_user_context)) error_e("NO CONTEXT for Linux user '%s' (SELinux user '%s')", cf->cf_user, user_name); - retval = - security_compute_av(cf->cf_user_context, cf->cf_file_context, - SECCLASS_FILE, FILE__ENTRYPOINT, &avd); - if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { + security_class_t tclass = string_to_security_class("file"); + if (!tclass) { + error_e("Failed to translate security class file\n"); + // FIXME need correct return! + } + + access_vector_t bit = string_to_av_perm(tclass, "entrypoint"); + if (!bit){ + error_e("Failed to translate security class file\n"); + // FIXME need correct return! + } + + if ( (tclass) && (bit) ) + { + retval = + security_compute_av(cf->cf_user_context, cf->cf_file_context, + tclass, bit, &avd); + } + + if (retval || ((bit & avd.allowed) != bit)) { syslog(LOG_ERR, "ENTRYPOINT FAILED for Linux user '%s' " "(CONTEXT %s) for file CONTEXT %s", cf->cf_user, cf->cf_user_context, cf->cf_file_context); diff --git a/global.h b/global.h index ce1d269..9421dcf 100644 --- a/global.h +++ b/global.h @@ -45,8 +45,6 @@ #ifdef WITH_SELINUX #include #include -#include -#include #endif #ifdef HAVE_GETOPT_H From 6792e71c91552a44f14194ac7be9c92af3a66a54 Mon Sep 17 00:00:00 2001 From: Thibault Godouet Date: Sat, 7 Aug 2021 14:43:57 +0100 Subject: [PATCH 2/2] read_conf() selinux: renamed vars and added error return --- conf.c | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/conf.c b/conf.c index 62b4d26..2517475 100644 --- a/conf.c +++ b/conf.c 
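Review bot: The failure branch for `string_to_av_perm` reuses the security-class message, so a missing `entrypoint` permission is logged as `Failed to translate security class file`; it should read `error_e("Failed to translate av permission 'entrypoint' for class 'file'\n");`. The same text survives as a context line in the second patch of this series, so the fix belongs there as well. Because `retval` is pre-set to -1 and `bit` is 0 after either lookup failure, control still reaches the ENTRYPOINT FAILED syslog line, which reports a policy-lookup failure as a denial and prints both contexts; the FIXME markers acknowledge this and the second patch replaces them with `goto err`. read_file's body continues beyond the hunk on both sides.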
@@ -541,34 +541,33 @@ read_file(const char *file_name, cf_t * cf, int is_system_startup) error_e("NO CONTEXT for Linux user '%s' (SELinux user '%s')", cf->cf_user, user_name); - security_class_t tclass = string_to_security_class("file"); - if (!tclass) { - error_e("Failed to translate security class file\n"); - // FIXME need correct return! + /* we no longer need those - clean them up */ + Free_safe(sename); + Free_safe(selevl); + + security_class_t sec_class = string_to_security_class("file"); + if (!sec_class) { + error_e("Failed to translate security class 'file'\n"); + goto err; } - access_vector_t bit = string_to_av_perm(tclass, "entrypoint"); - if (!bit){ + access_vector_t access_vec = string_to_av_perm(sec_class, "entrypoint"); + if (!access_vec) { error_e("Failed to translate security class file\n"); - // FIXME need correct return! + goto err; } - if ( (tclass) && (bit) ) - { - retval = - security_compute_av(cf->cf_user_context, cf->cf_file_context, - tclass, bit, &avd); - } + /* if we get here, sec_class and access_vec are both defined */ + retval = security_compute_av(cf->cf_user_context, cf->cf_file_context, + sec_class, access_vec, &avd); - if (retval || ((bit & avd.allowed) != bit)) { + if (retval || ((access_vec & avd.allowed) != access_vec)) { syslog(LOG_ERR, "ENTRYPOINT FAILED for Linux user '%s' " "(CONTEXT %s) for file CONTEXT %s", cf->cf_user, cf->cf_user_context, cf->cf_file_context); goto err; } - Free_safe(sename); - Free_safe(selevl); } #endif
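Review bot: The rewritten check `if (retval || ((access_vec & avd.allowed) != access_vec))` still folds a failed `security_compute_av()` call (non-zero `retval`, meaning the policy could not be consulted at all) into the same ENTRYPOINT FAILED syslog as a genuine denial, so an operator cannot tell a broken policy query from an access decision; a separate `if (retval) { error_e("security_compute_av() failed for user '%s'", cf->cf_user); goto err; }` ahead of the denial test would keep the fail-closed behaviour and make the log actionable. With every lookup failure now ending in `goto err`, the `retval = -1` initialisation from the first patch is no longer load-bearing and could be dropped. Moving `Free_safe(sename)` and `Free_safe(selevl)` ahead of the `goto err` paths presumably also stops them leaking when the check fails — if `err:` does not release them, that is worth stating in the comment instead of "we no longer need those". read_file continues outside the hunk, including the `err:` label this code jumps to.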