selinux: mark both IPv4 and IPv6 accepted connection sockets as labeled

gtrentalancia · pcmoore · commit a3422eb4facd · 2024-08-28T11:48:07.000-04:00
The current partial labeling was introduced in 389fb80 ("netlabel: Label incoming TCP connections correctly in SELinux") due to the fact that IPv6 labeling was not supported yet at the time. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> [PM: properly format the referenced commit ID, adjust subject] Signed-off-by: Paul Moore <paul@paul-moore.com>
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
@@ -359,7 +359,7 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
 {
 	struct sk_security_struct *sksec = sk->sk_security;
 
-	if (family == PF_INET)
+	if (family == PF_INET || family == PF_INET6)
 		sksec->nlbl_state = NLBL_LABELED;
 	else
 		sksec->nlbl_state = NLBL_UNSET;

Original file line number	Diff line number	Diff line change
`@@ -359,7 +359,7 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)`
`359`	`359`	`{`
`360`	`360`	`struct sk_security_struct *sksec = sk->sk_security;`
`361`	`361`
`362`		`- if (family == PF_INET)`
	`362`	`+ if (family == PF_INET \|\| family == PF_INET6)`
`363`	`363`	`sksec->nlbl_state = NLBL_LABELED;`
`364`	`364`	`else`
`365`	`365`	`sksec->nlbl_state = NLBL_UNSET;`