From: Stephen Smalley
SELinux should just drop out the socket and netfilter hooks when that is disabled. The problem was introduced because of the fine-grained netlink patches, which made the selinux_netlink_send/recv hook functions depend on CONFIG_SECURITY_NETWORK but the netlink_send/recv hooks themselves are not dependent on it. Need to move selinux_netlink_send/recv back out of the conditional block, and provide a static inline stub for selinux_nlmsg_perm if CONFIG_SECURITY_NETWORK is not defined.
Signed-off-by: Stephen Smalley
Signed-off-by: Andrew Morton
---
25-akpm/security/selinux/hooks.c | 51 ++++++++++++++++++++++-----------------
1 files changed, 29 insertions(+), 22 deletions(-)
diff -puN security/selinux/hooks.c~selinux-config_security_network-build-fix security/selinux/hooks.c
--- 25/security/selinux/hooks.c~selinux-config_security_network-build-fix 2004-06-24 13:23:16.310856544 -0700
+++ 25-akpm/security/selinux/hooks.c 2004-06-24 13:23:16.316855632 -0700
@@ -3434,28 +3434,6 @@ out:
 return err;
 }
-static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
-{
- int err = 0;
-
- if (capable(CAP_NET_ADMIN))
- cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
- else
- NETLINK_CB(skb).eff_cap = 0;
-
- if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
- err = selinux_nlmsg_perm(sk, skb);
-
- return err;
-}
-
-static int selinux_netlink_recv(struct sk_buff *skb)
-{
- if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
- return -EPERM;
- return 0;
-}
-
 #ifdef CONFIG_NETFILTER
 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
@@ -3591,8 +3569,37 @@ static unsigned int selinux_ipv6_postrou
 #endif /* CONFIG_NETFILTER */
+#else
+
+static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
+{
+ return 0;
+}
+
 #endif /* CONFIG_SECURITY_NETWORK */
+static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
+{
+ int err = 0;
+
+ if (capable(CAP_NET_ADMIN))
+ cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
+ else
+ NETLINK_CB(skb).eff_cap = 0;
+
+ if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
+ err = selinux_nlmsg_perm(sk, skb);
+
+ return err;
+}
+
+static int selinux_netlink_recv(struct sk_buff *skb)
+{
+ if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
+ return -EPERM;
+ return 0;
+}
+
 static int ipc_alloc_security(struct task_struct *task, struct kern_ipc_perm *perm, u16 sclass)
_
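Review bot: The `selinux_nlmsg_perm` stub added under `#else` returns 0 unconditionally, so with CONFIG_SECURITY_NETWORK disabled `selinux_netlink_send` still takes the `policydb_loaded_version >= POLICYDB_VERSION_NLCLASS` branch but the per-message netlink check always passes. Only the CAP_NET_ADMIN bookkeeping in `selinux_netlink_send` and `selinux_netlink_recv` remains. That matches the stated intent of the patch, but it is a fail-open path in an access-control hook and should be stated at the definition, for example `/* No per-message netlink checks without CONFIG_SECURITY_NETWORK; the CAP_NET_ADMIN checks in selinux_netlink_send/recv still apply. */`. The real `selinux_nlmsg_perm` is defined outside this hunk, so its signature cannot be compared with the stub from here.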