Use selabel interfaces instead of matchpathcon

This replaces the old matchpathcon interfaces with the new selabel
interfaces for relabeling files, storing an selabel handle in the
transaction set.

With this change, also comes an added distinction between --nocontexts
being specified and a failure to read the load file contexts.
Previously, there was no distinction, and both cases used the
RPMTRANS_FLAG_NOCONTEXTS flag.

However, with the new policy plugin, it is necessary to make such a
distinction. This is because matchpathcon_init (now selabel interfaces)
can fail at the beginning of the transaction, but succeed later after
new policy is installed. Because of this, we may need to enable/disable
RPMTRANS_FLAG_NOCONTEXTS multiple times. However, because this flag
could also mean --nocontexts, we cannot do that. By storing the selabel
handle in the rpmts, we can easily keep track if the handle has been
successfully created, rather than overloading RPMTRANS_FLAG_NOCONTEXTS
with two meanings.

1 files changed, 13 insertions, 0 deletions

diff --git a/configure.ac b/configure.ac
index a33d8be48..c593b6c17 100644
--- a/configure.ac
+++ b/configure.ac
@@ -577,6 +577,19 @@ AS_IF([test "$with_selinux" = yes],[
   ],[
     AC_MSG_ERROR([--with-selinux given, but selinux/selinux.h not found])
   ])
+
+  AC_CHECK_HEADER([selinux/label.h],[
+    save_LIBS="$LIBS"
+    AC_CHECK_LIB([selinux],[selabel_close],[],[
+      AC_MSG_ERROR([--with-selinux given, but selabel_close not found in libselinux])])
+    AC_CHECK_LIB([selinux],[selabel_lookup_raw],[],[
+      AC_MSG_ERROR([--with-selinux given, but selabel_lookup_raw not found in libselinux])])
+    AC_CHECK_LIB([selinux],[selabel_open],[],[
+      AC_MSG_ERROR([--with-selinux given, but selabel_open not found in libselinux])])
+    LIBS="$save_LIBS"
+  ],[
+    AC_MSG_ERROR([--with-selinux given, but selinux/label.h not found])
+  ])
 ])
 
 AS_IF([test "$with_selinux" = yes],[