From 151e1562e40330e66e76d00ffd9c1cb8a8e6502d Mon Sep 17 00:00:00 2001 From: Trent Jaeger Date: Fri, 6 Jan 2006 13:22:39 -0800 Subject: [PATCH] --- yaml --- r: 16667 b: refs/heads/master c: 5f8ac64b15172c7ced7d7990eb28342092bc751b h: refs/heads/master i: 16665: 2be0c1c64c2caa7bae9c0a4d444da489122c3cb6 16663: 0a6c2ab444002f8c70d5a10c15f09d810c7f8562 v: v3 --- [refs] | 2 +- trunk/net/xfrm/xfrm_user.c | 1 + trunk/security/selinux/include/av_perm_to_string.h | 3 +-- trunk/security/selinux/include/av_permissions.h | 3 +-- trunk/security/selinux/xfrm.c | 8 +------- 5 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/[refs] b/[refs]
index cb9e8574bbd6..839330dee7be 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 69549ddd2f894c4cead50ee2b60cc02990c389ad
+refs/heads/master: 5f8ac64b15172c7ced7d7990eb28342092bc751b
diff --git a/trunk/net/xfrm/xfrm_user.c b/trunk/net/xfrm/xfrm_user.c
index 92e2b804c606..ac87a09ba83e 100644
--- a/trunk/net/xfrm/xfrm_user.c
+++ b/trunk/net/xfrm/xfrm_user.c
@@ -802,6 +802,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
 err = xfrm_policy_insert(p->dir, xp, excl);
 if (err) {
+ security_xfrm_policy_free(xp);
 kfree(xp);
 return err;
 }
diff --git a/trunk/security/selinux/include/av_perm_to_string.h b/trunk/security/selinux/include/av_perm_to_string.h
index 71aeb12f07c8..591e98d9315a 100644
--- a/trunk/security/selinux/include/av_perm_to_string.h
+++ b/trunk/security/selinux/include/av_perm_to_string.h
@@ -238,5 +238,4 @@
 S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
 S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto")
+ S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
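Review bot: In the trunk/net/xfrm/xfrm_user.c hunk, the open-coded `security_xfrm_policy_free(xp); kfree(xp);` pair in the xfrm_policy_insert() failure branch has no comment explaining that xp presumably already carries an LSM-allocated security context by this point. Without that, the next error path added to this function can easily repeat the leak this line fixes. I would add `/* xp may own an LSM security context by now; release it before kfree() */` above the new call. The rest of xfrm_add_policy lies outside the hunk, so any other exit paths that free xp could not be checked here and are worth verifying for the same pairing.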
diff --git a/trunk/security/selinux/include/av_permissions.h b/trunk/security/selinux/include/av_permissions.h
index d1d0996049e3..d7f02edf3930 100644
--- a/trunk/security/selinux/include/av_permissions.h
+++ b/trunk/security/selinux/include/av_permissions.h
@@ -908,8 +908,7 @@
 #define ASSOCIATION__SENDTO 0x00000001UL
 #define ASSOCIATION__RECVFROM 0x00000002UL
-#define ASSOCIATION__RELABELFROM 0x00000004UL
-#define ASSOCIATION__RELABELTO 0x00000008UL
+#define ASSOCIATION__SETCONTEXT 0x00000004UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
diff --git a/trunk/security/selinux/xfrm.c b/trunk/security/selinux/xfrm.c
index c4d87d4dca7b..5b7776504e4c 100644
--- a/trunk/security/selinux/xfrm.c
+++ b/trunk/security/selinux/xfrm.c
@@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us
 * Must be permitted to relabel from default socket type (process type)
 * to specified context
 */
- rc = avc_has_perm(tsec->sid, tsec->sid,
- SECCLASS_ASSOCIATION,
- ASSOCIATION__RELABELFROM, NULL);
- if (rc)
- goto out;
-
 rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
 SECCLASS_ASSOCIATION,
- ASSOCIATION__RELABELTO, NULL);
+ ASSOCIATION__SETCONTEXT, NULL);
 if (rc)
 goto out;
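Review bot: In the trunk/security/selinux/xfrm.c hunk, the comment kept as context above the check still says the caller must be permitted to relabel from the process type, but the new code makes a single `ASSOCIATION__SETCONTEXT` check of `tsec->sid` against `ctx->ctx_sid`. I would reword it to `* Must be permitted to set the specified context on an association (association:setcontext)`, so that it names the permission policy writers actually have to grant. Separately, av_permissions.h gives SETCONTEXT the value 0x00000004UL that RELABELFROM used to have. A policy compiled against the old class definition would presumably have its relabelfrom grants read as setcontext, so the kernel headers and the policy need to be updated together. selinux_xfrm_sec_ctx_alloc starts before and continues after this hunk.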