selinux: avoid memory overhead of matchpathcon

https://bugzilla.redhat.com/show_bug.cgi?id=658657

* src/security/security_selinux.c
(SELinuxRestoreSecurityFileLabel): Use selabel_lookup instead of
matchpathcon.
Suggested by Daniel Walsh.

src/security/security_selinux.c

@@ -14,6 +14,7 @@
  */
 #include <config.h>
 #include <selinux/selinux.h>
+#include <selinux/label.h>
 #include <selinux/context.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -362,6 +363,7 @@ SELinuxRestoreSecurityFileLabel(const char *path)
 {
     struct stat buf;
     security_context_t fcon = NULL;
+    struct selabel_handle *handle = NULL;
     int rc = -1;
     char *newpath = NULL;
     char ebuf[1024];
@@ -380,14 +382,16 @@ SELinuxRestoreSecurityFileLabel(const char *path)
         goto err;
     }
 
-    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0)  {
-        rc = SELinuxSetFilecon(newpath, fcon);
+    if ((handle = selabel_open(SELABEL_CTX_FILE, NULL, 0)) == NULL ||
+        selabel_lookup(handle, &fcon, newpath, buf.st_mode) < 0) {
+        VIR_WARN("cannot lookup default selinux label for %s", newpath);
     } else {
-        VIR_WARN("cannot lookup default selinux label for %s",
-                 newpath);
+        rc = SELinuxSetFilecon(newpath, fcon);
     }
 
 err:
+    if (handle)
+        selabel_close(handle);
     freecon(fcon);
     VIR_FREE(newpath);
     return rc;