1 files changed, 3 insertions, 3 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dbeaa783b2a9..df30a7555d8a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4185,7 +4185,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
                                       u16 family)
 {
-        int err;
+        int err = 0;
        struct sk_security_struct *sksec = sk->sk_security;
        u32 peer_sid;
        u32 sk_sid = sksec->sid;
@@ -4202,7 +4202,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
        if (selinux_compat_net)
                err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
                                                           family, addrp);
-        else
+        else if (selinux_secmark_enabled())
                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
                                   PACKET__RECV, &ad);
        if (err)
@@ -4705,7 +4705,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
                if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
                                                         &ad, family, addrp))
                        return NF_DROP;
-        } else {
+        } else if (selinux_secmark_enabled()) {
                if (avc_has_perm(sksec->sid, skb->secmark,
                                 SECCLASS_PACKET, PACKET__SEND, &ad))
                        return NF_DROP;

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index dbeaa783b2a9..df30a7555d8a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -4185,7 +4185,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4185	static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,	4185	static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,
4186	u16 family)	4186	u16 family)
4187	{	4187	{
4188	int err;	4188	int err = 0;
4189	struct sk_security_struct *sksec = sk->sk_security;	4189	struct sk_security_struct *sksec = sk->sk_security;
4190	u32 peer_sid;	4190	u32 peer_sid;
4191	u32 sk_sid = sksec->sid;	4191	u32 sk_sid = sksec->sid;
@@ -4202,7 +4202,7 @@ static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,
4202	if (selinux_compat_net)	4202	if (selinux_compat_net)
4203	err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,	4203	err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4204	family, addrp);	4204	family, addrp);
4205	else	4205	else if (selinux_secmark_enabled())
4206	err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,	4206	err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4207	PACKET__RECV, &ad);	4207	PACKET__RECV, &ad);
4208	if (err)	4208	if (err)
@@ -4705,7 +4705,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4705	if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,	4705	if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4706	&ad, family, addrp))	4706	&ad, family, addrp))
4707	return NF_DROP;	4707	return NF_DROP;
4708	} else {	4708	} else if (selinux_secmark_enabled()) {
4709	if (avc_has_perm(sksec->sid, skb->secmark,	4709	if (avc_has_perm(sksec->sid, skb->secmark,
4710	SECCLASS_PACKET, PACKET__SEND, &ad))	4710	SECCLASS_PACKET, PACKET__SEND, &ad))
4711	return NF_DROP;	4711	return NF_DROP;