From 6679943f9419483d119b9be2fcc166c381fa6cbc Mon Sep 17 00:00:00 2001
From: Eric Blake
Date: Tue, 30 Nov 2010 18:22:54 -0700
Subject: [PATCH] selinux: avoid memory overhead of matchpathcon

https://bugzilla.redhat.com/show_bug.cgi?id=658657
* src/security/security_selinux.c (SELinuxRestoreSecurityFileLabel): Use selabel_lookup instead of matchpathcon. Suggested by Daniel Walsh.
---
 src/security/security_selinux.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 2a45172071..37539c262d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -14,6 +14,7 @@
 */
 #include
 #include
+#include
 #include
 #include
 #include
@@ -362,6 +363,7 @@ SELinuxRestoreSecurityFileLabel(const char *path)
 {
 struct stat buf;
 security_context_t fcon = NULL;
+ struct selabel_handle *handle = NULL;
 int rc = -1;
 char *newpath = NULL;
 char ebuf[1024];
@@ -380,14 +382,16 @@ SELinuxRestoreSecurityFileLabel(const char *path)
 goto err;
 }

- if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
- rc = SELinuxSetFilecon(newpath, fcon);
+ if ((handle = selabel_open(SELABEL_CTX_FILE, NULL, 0)) == NULL ||
+ selabel_lookup(handle, &fcon, newpath, buf.st_mode) < 0) {
+ VIR_WARN("cannot lookup default selinux label for %s", newpath);
 } else {
- VIR_WARN("cannot lookup default selinux label for %s",
- newpath);
+ rc = SELinuxSetFilecon(newpath, fcon);
 }

 err:
+ if (handle)
+ selabel_close(handle);
 freecon(fcon);
 VIR_FREE(newpath);
 return rc;
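Review bot: The VIR_WARN in the third hunk reports a failed selabel_open() and a failed selabel_lookup() with the same message and discards errno, so an operator cannot tell a missing or unreadable file_contexts database from a path that simply has no default label, and the function still returns -1 with the file left under its current label in both cases. Since `ebuf[1024]` is already declared in this function for error text, append the reason, e.g. `VIR_WARN("cannot lookup default selinux label for %s: %s", newpath, strerror(errno));`, or split the condition so each failure gets its own message. The handle is also opened and closed on every call, so each restore re-parses the file_contexts database; if this is invoked once per file on a large set of paths that cost adds up, and opening the handle once per driver may be worth considering, though per-call open/close may be intentional here to avoid the long-lived cache this commit is removing. SELinuxRestoreSecurityFileLabel begins outside this hunk (its declarations are in the second hunk).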