SELinux: Better integration between peer labeling subsystems

Rework the handling of network peer labels so that the different peer labeling
subsystems work better together.  This includes moving both subsystems to a
single "peer" object class which involves not only changes to the permission
checks but an improved method of consolidating multiple packet peer labels.
As part of this work the inbound packet permission check code has been heavily
modified to handle both the old and new behavior in as sane a fashion as
possible.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 1 insertions, 1 deletions

diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 95fb5ec17354..c6c2bb4ebacc 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -113,8 +113,8 @@ struct sk_security_struct {
         struct sock *sk;                /* back pointer to sk object */
         u32 sid;                        /* SID of this object */
         u32 peer_sid;                   /* SID of peer */
-#ifdef CONFIG_NETLABEL
         u16 sclass;                     /* sock security class */
+#ifdef CONFIG_NETLABEL
         enum {                          /* NetLabel state */
                 NLBL_UNSET = 0,
                 NLBL_REQUIRE,