1 files changed, 15 insertions, 9 deletions

diff --git a/nss/makedb.c b/nss/makedb.c
index d3fc1c5af9..bcfa3c7e02 100644
--- a/nss/makedb.c
+++ b/nss/makedb.c
@@ -47,6 +47,7 @@
 
 /* SELinux support.  */
 #ifdef HAVE_SELINUX
+# include <selinux/label.h>
 # include <selinux/selinux.h>
 #endif
 
@@ -855,18 +856,13 @@ print_database (int fd)
 
 #ifdef HAVE_SELINUX
 
-/* security_context_t and matchpathcon (along with several other symbols) were
-   marked as deprecated by the SELinux API starting from version 3.1.  We use
-   them here, but should eventually switch to the newer API.  */
-DIAG_PUSH_NEEDS_COMMENT
-DIAG_IGNORE_NEEDS_COMMENT (10, "-Wdeprecated-declarations");
-
 static void
 set_file_creation_context (const char *outname, mode_t mode)
 {
   static int enabled;
   static int enforcing;
-  security_context_t ctx;
+  struct selabel_handle *label_hnd = NULL;
+  char* ctx;
 
   /* Check if SELinux is enabled, and remember. */
   if (enabled == 0)
@@ -878,9 +874,17 @@ set_file_creation_context (const char *outname, mode_t mode)
   if (enforcing == 0)
     enforcing = security_getenforce () ? 1 : -1;
 
+  /* Open the file contexts backend. */
+  label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+  if (!label_hnd)
+    {
+      error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
+	     gettext ("cannot initialize SELinux context"));
+      return;
+    }
   /* Determine the context which the file should have. */
   ctx = NULL;
-  if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
+  if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0)
     {
       if (setfscreatecon (ctx) != 0)
 	error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
@@ -889,8 +893,10 @@ set_file_creation_context (const char *outname, mode_t mode)
 
       freecon (ctx);
     }
+
+  /* Close the file contexts backend. */
+  selabel_close(label_hnd);
 }
-DIAG_POP_NEEDS_COMMENT
 
 static void
 reset_file_creation_context (void)