1 files changed, 5 insertions, 18 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b4e1ca021fc..8ffed9f2004 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4475,27 +4475,14 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
         * from the sending socket, otherwise use the kernel's sid */
        sk = skb->sk;
        if (sk == NULL) {
-                switch (family) {
+                if (skb->skb_iif) {
-                case PF_INET:
+                        secmark_perm = PACKET__FORWARD_OUT;
-                        if (IPCB(skb)->flags & IPSKB_FORWARDED)
-                                secmark_perm = PACKET__FORWARD_OUT;
-                        else
-                                secmark_perm = PACKET__SEND;
-                        break;
-                case PF_INET6:
-                        if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
-                                secmark_perm = PACKET__FORWARD_OUT;
-                        else
-                                secmark_perm = PACKET__SEND;
-                        break;
-                default:
-                        return NF_DROP_ERR(-ECONNREFUSED);
-                }
-                if (secmark_perm == PACKET__FORWARD_OUT) {
                        if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
                                return NF_DROP;
-                } else
+                } else {
+                        secmark_perm = PACKET__SEND;
                        peer_sid = SECINITSID_KERNEL;
+                }
        } else {
                struct sk_security_struct *sksec = sk->sk_security;
                peer_sid = sksec->sid;

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b4e1ca021fc..8ffed9f2004 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -4475,27 +4475,14 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4475	* from the sending socket, otherwise use the kernel's sid */	4475	* from the sending socket, otherwise use the kernel's sid */
4476	sk = skb->sk;	4476	sk = skb->sk;
4477	if (sk == NULL) {	4477	if (sk == NULL) {
4478	switch (family) {	4478	if (skb->skb_iif) {
4479	case PF_INET:	4479	secmark_perm = PACKET__FORWARD_OUT;
4480	if (IPCB(skb)->flags & IPSKB_FORWARDED)
4481	secmark_perm = PACKET__FORWARD_OUT;
4482	else
4483	secmark_perm = PACKET__SEND;
4484	break;
4485	case PF_INET6:
4486	if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4487	secmark_perm = PACKET__FORWARD_OUT;
4488	else
4489	secmark_perm = PACKET__SEND;
4490	break;
4491	default:
4492	return NF_DROP_ERR(-ECONNREFUSED);
4493	}
4494	if (secmark_perm == PACKET__FORWARD_OUT) {
4495	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))	4480	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4496	return NF_DROP;	4481	return NF_DROP;
4497	} else	4482	} else {
		4483	secmark_perm = PACKET__SEND;
4498	peer_sid = SECINITSID_KERNEL;	4484	peer_sid = SECINITSID_KERNEL;
		4485	}
4499	} else {	4486	} else {
4500	struct sk_security_struct *sksec = sk->sk_security;	4487	struct sk_security_struct *sksec = sk->sk_security;
4501	peer_sid = sksec->sid;	4488	peer_sid = sksec->sid;