On Tue, 2010-11-23 at 11:28 -0500, Eric Paris wrote:
> The SELinux ip postroute code indicates when policy rejected a packet and
> passes the error back up the stack. The compat code does not. This patch
> sends the same kind of error back up the stack in the compat code.
>
> Based-on-patch-by: Paul Moore <paul.moore@xxxxxx>
> Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>

Reviewed-by: Paul Moore <paul.moore@xxxxxx>

> ---
>
> security/selinux/hooks.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index bd6dc16..dd1690f 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4529,11 +4529,11 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
> if (selinux_secmark_enabled())
> if (avc_has_perm(sksec->sid, skb->secmark,
> SECCLASS_PACKET, PACKET__SEND, &ad))
> - return NF_DROP;
> + return NF_DROP_ERR(-ECONNREFUSED);
>
> if (selinux_policycap_netpeer)
> if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
> - return NF_DROP;
> + return NF_DROP_ERR(-ECONNREFUSED);
>
> return NF_ACCEPT;
> }
> --

paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
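Review bot: the two NF_DROP_ERR(-ECONNREFUSED) returns in selinux_ip_postroute_compat() change the function's result from a bare NF_DROP verdict to a verdict with an errno packed into its upper bits, so the caller must decode the return value through the netfilter verdict mask rather than comparing it to NF_DROP directly; the commit message says the non-compat postroute code already passes such an error up the stack, so it should state which errno that path uses and that -ECONNREFUSED is the same value, since "the same kind of error" cannot be verified from the hunk alone.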