From 8761c43b8cfdb6aa4d69d3b9a3d5f94a52945cde Mon Sep 17 00:00:00 2001
From: Paul Moore <pmoore@redhat.com>
Date: Mon, 9 Dec 2013 16:11:53 -0500
Subject: [PATCH] selinux: process labeled IPsec TCP SYN-ACK packets properly
 in selinux_ip_postroute()

commit 5c6c26813a209e7075baf908e3ad81c1a9d389e8 upstream.

Due to difficulty in arriving at the proper security label for
TCP SYN-ACK packets in selinux_ip_postroute(), we need to check packets
while/before they are undergoing XFRM transforms instead of waiting
until afterwards so that we can determine the correct security label.

Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
Signed-off-by: Paul Moore <pmoore@redhat.com>
[bwh: Backported to 3.2:
 s/selinux_peerlbl_enabled()/netlbl_enabled() || selinux_xfrm_enabled()/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
Reading git-format-patch failed