1 files changed, 2 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 853b58c8b2cb..dbeaa783b2a9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4735,7 +4735,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
         * as fast and as clean as possible. */
        if (selinux_compat_net || !selinux_policycap_netpeer)
                return selinux_ip_postroute_compat(skb, ifindex, family);
+#ifdef CONFIG_XFRM
        /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
         * packet transformation so allow the packet to pass without any checks
         * since we'll have another chance to perform access control checks
@@ -4744,7 +4744,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
         *       is NULL, in this case go ahead and apply access control. */
        if (skb->dst != NULL && skb->dst->xfrm != NULL)
                return NF_ACCEPT;
+#endif
        secmark_active = selinux_secmark_enabled();
        peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
        if (!secmark_active && !peerlbl_active)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 853b58c8b2cb..dbeaa783b2a9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -4735,7 +4735,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4735	* as fast and as clean as possible. */	4735	* as fast and as clean as possible. */
4736	if (selinux_compat_net \|\| !selinux_policycap_netpeer)	4736	if (selinux_compat_net \|\| !selinux_policycap_netpeer)
4737	return selinux_ip_postroute_compat(skb, ifindex, family);	4737	return selinux_ip_postroute_compat(skb, ifindex, family);
4738		4738	#ifdef CONFIG_XFRM
4739	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec	4739	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4740	* packet transformation so allow the packet to pass without any checks	4740	* packet transformation so allow the packet to pass without any checks
4741	* since we'll have another chance to perform access control checks	4741	* since we'll have another chance to perform access control checks
@@ -4744,7 +4744,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4744	* is NULL, in this case go ahead and apply access control. */	4744	* is NULL, in this case go ahead and apply access control. */
4745	if (skb->dst != NULL && skb->dst->xfrm != NULL)	4745	if (skb->dst != NULL && skb->dst->xfrm != NULL)
4746	return NF_ACCEPT;	4746	return NF_ACCEPT;
4747		4747	#endif
4748	secmark_active = selinux_secmark_enabled();	4748	secmark_active = selinux_secmark_enabled();
4749	peerlbl_active = netlbl_enabled() \|\| selinux_xfrm_enabled();	4749	peerlbl_active = netlbl_enabled() \|\| selinux_xfrm_enabled();
4750	if (!secmark_active && !peerlbl_active)	4750	if (!secmark_active && !peerlbl_active)