summaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorPaul Moore <pmoore@redhat.com>2014-09-03 16:51:59 +0200
committerPaul Moore <pmoore@redhat.com>2014-09-03 16:51:59 +0200
commita7a91a1928fe69cc98814cb746d5171ae14d757e (patch)
treeb7a68a5bc2002ccf0980d84dd1356876591107be /security/selinux
parentselinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. (diff)
downloadlinux-a7a91a1928fe69cc98814cb746d5171ae14d757e.tar.xz
linux-a7a91a1928fe69cc98814cb746d5171ae14d757e.zip
selinux: fix a problem with IPv6 traffic denials in selinux_ip_postroute()
A previous commit c0828e50485932b7e019df377a6b0a8d1ebd3080 ("selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute()") mistakenly left out a 'break' from a switch statement which caused problems with IPv6 traffic. Thanks to Florian Westphal for reporting and debugging the issue. Reported-by: Florian Westphal <fwestpha@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6c90d491fab4..e1e082796a49 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4993,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
case PF_INET6:
if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
return NF_ACCEPT;
+ break;
default:
return NF_DROP_ERR(-ECONNREFUSED);
}