
From: James Morris <jmorris@redhat.com>

The patch below fixes an error handling flaw, where we need to return a
Netfilter verdict from the function rather than a standard error code.



---

 security/selinux/hooks.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff -puN security/selinux/hooks.c~selinux-error-handling-fix security/selinux/hooks.c
--- 25/security/selinux/hooks.c~selinux-error-handling-fix	2004-02-14 23:19:37.000000000 -0800
+++ 25-akpm/security/selinux/hooks.c	2004-02-14 23:19:37.000000000 -0800
@@ -3179,8 +3179,9 @@ static unsigned int selinux_ip_postroute
 		
 	/* Fixme: this lookup is inefficient */
 	iph = skb->nh.iph;
-	err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr), &node_sid);
-	if (err)
+	err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr),
+				&node_sid) ? NF_DROP : NF_ACCEPT;
+	if (err != NF_ACCEPT)
 		goto out;
 	
 	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
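Review bot: After the new lines, `err` holds a Netfilter verdict (NF_DROP/NF_ACCEPT), but the very next statement at the end of the hunk assigns the return of avc_has_perm() into the same variable, which is an errno-style code; unless that result is mapped to a verdict further down (the function body continues outside the hunk), the `goto out` path and the avc path now return values of different kinds through the same variable. Keeping the two kinds separate reads more clearly than overloading `err`, e.g. `if (security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr), &node_sid)) { err = NF_DROP; goto out; }`, which also drops the ternary and the `!= NF_ACCEPT` comparison. It would also be worth confirming that every other `goto out` in selinux_ip_postroute stores a verdict rather than a negative error, since the function returns `unsigned int` and a negative errno would be treated as an out-of-range verdict by the Netfilter core.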

_
