On Tue, Feb 25, 2020 at 3:03 PM <bill.c.roberts@xxxxxxxxx> wrote:
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index e531f927be1e..3704eabc7545 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -603,7 +603,8 @@ extern int selinux_check_access(const char * scon, const char * tcon, const char
> /* Check a permission in the passwd class.
> Return 0 if granted or -1 otherwise. */
> extern int selinux_check_passwd_access(access_vector_t requested);
> -extern int checkPasswdAccess(access_vector_t requested);
> +extern int checkPasswdAccess(access_vector_t requested)
> + __attribute__ ((deprecated("Use selinux_check_passwd_access")));
I'd actually recommend deprecating that one too and recommending the
use of selinux_check_access() instead.
That way they get dynamic lookup of the permission and handling of
per-domain permissive and handle_unknown settings.
Only drawback is that they have to call getprevcon_raw() themselves
first and pass it in.
