From: Paul Moore <pmoore@redhat.com>
Date: Wed, 3 Sep 2014 14:51:59 +0000 (-0400)
Subject: selinux: fix a problem with IPv6 traffic denials in selinux_ip_postroute()
X-Git-Tag: v4.14-rc1~6293^2^2~7
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a7a91a1928fe69cc98814cb746d5171ae14d757e;p=platform%2Fkernel%2Flinux-rpi.git

selinux: fix a problem with IPv6 traffic denials in selinux_ip_postroute()

A previous commit c0828e50485932b7e019df377a6b0a8d1ebd3080 ("selinux:
process labeled IPsec TCP SYN-ACK packets properly in
selinux_ip_postroute()") mistakenly left out a 'break' from a switch
statement which caused problems with IPv6 traffic.

Thanks to Florian Westphal for reporting and debugging the issue.

Reported-by: Florian Westphal <fwestpha@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
---

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6c90d49..e1e0827 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4993,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 			case PF_INET6:
 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
 					return NF_ACCEPT;
+				break;
 			default:
 				return NF_DROP_ERR(-ECONNREFUSED);
 			}