SELinux: indicate fatal error in compat netfilter code

The SELinux ip postroute code indicates when policy rejected a packet and
passes the error back up the stack.  The compat code does not.  This patch
sends the same kind of error back up the stack in the compat code.

Based-on-patch-by: Paul Moore <[email protected]>
Signed-off-by: Eric Paris <[email protected]>
Reviewed-by: Paul Moore <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f590fb8e91430909246213934b17970f827870c7..156ef93d6f7d8030e72b85822f13b597bfeb9736 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4524,11 +4524,11 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
        if (selinux_secmark_enabled())
                if (avc_has_perm(sksec->sid, skb->secmark,
                                 SECCLASS_PACKET, PACKET__SEND, &ad))
-                       return NF_DROP;
+                       return NF_DROP_ERR(-ECONNREFUSED);
 
        if (selinux_policycap_netpeer)
                if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
-                       return NF_DROP;
+                       return NF_DROP_ERR(-ECONNREFUSED);
 
        return NF_ACCEPT;
 }