[LSM-IPSec]: Corrections to LSM-IPSec Nethooks

This patch contains two corrections to the LSM-IPsec Nethooks patches
previously applied.  

(1) free a security context on a failed insert via xfrm_user 
interface in xfrm_add_policy.  Memory leak.

(2) change the authorization of the allocation of a security context
in a xfrm_policy or xfrm_state from both relabelfrom and relabelto 
to setcontext.

Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 1 insertions, 7 deletions

diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index c4d87d4dca7b..5b7776504e4c 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us
          * Must be permitted to relabel from default socket type (process type)
          * to specified context
          */
-        rc = avc_has_perm(tsec->sid, tsec->sid,
-                          SECCLASS_ASSOCIATION,
-                          ASSOCIATION__RELABELFROM, NULL);
-        if (rc)
-                goto out;
-
         rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
                           SECCLASS_ASSOCIATION,
-                          ASSOCIATION__RELABELTO, NULL);
+                          ASSOCIATION__SETCONTEXT, NULL);
         if (rc)
                 goto out;