From: Stephen Smalley <sds@epoch.ncsc.mil>

SELinux should just drop out the socket and netfilter hooks when that is
disabled.

The problem was introduced because of the fine-grained netlink patches,
which made the selinux_netlink_send/recv hook functions depend on
CONFIG_SECURITY_NETWORK but the netlink_send/recv hooks themselves are not
dependent on it.

Need to move selinux_netlink_send/recv back out of the conditional block,
and provide a static inline stub for selinux_nlmsg_perm if
CONFIG_SECURITY_NETWORK is not defined.

Signed-off-by:  Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 25-akpm/security/selinux/hooks.c |   51 ++++++++++++++++++++++-----------------
 1 files changed, 29 insertions(+), 22 deletions(-)

diff -puN security/selinux/hooks.c~selinux-config_security_network-build-fix security/selinux/hooks.c
--- 25/security/selinux/hooks.c~selinux-config_security_network-build-fix	2004-06-24 13:23:16.310856544 -0700
+++ 25-akpm/security/selinux/hooks.c	2004-06-24 13:23:16.316855632 -0700
@@ -3434,28 +3434,6 @@ out:
 	return err;
 }
 
-static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
-{
-	int err = 0;
-	
-	if (capable(CAP_NET_ADMIN))
-		cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
-	else
-		NETLINK_CB(skb).eff_cap = 0;
-	
-	if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
-		err = selinux_nlmsg_perm(sk, skb);
-	
-	return err;
-}
-
-static int selinux_netlink_recv(struct sk_buff *skb)
-{
-	if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
-		return -EPERM;
-	return 0;
-}
-
 #ifdef CONFIG_NETFILTER
 
 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
@@ -3591,8 +3569,37 @@ static unsigned int selinux_ipv6_postrou
 
 #endif	/* CONFIG_NETFILTER */
 
+#else
+
+static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
+{
+	return 0;
+}
+
 #endif	/* CONFIG_SECURITY_NETWORK */
 
+static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
+{
+	int err = 0;
+
+	if (capable(CAP_NET_ADMIN))
+		cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
+	else
+		NETLINK_CB(skb).eff_cap = 0;
+
+	if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
+		err = selinux_nlmsg_perm(sk, skb);
+
+	return err;
+}
+
+static int selinux_netlink_recv(struct sk_buff *skb)
+{
+	if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
+		return -EPERM;
+	return 0;
+}
+
 static int ipc_alloc_security(struct task_struct *task,
 			      struct kern_ipc_perm *perm,
 			      u16 sclass)
_