Re: [PATCH 1/2] Resend: LSM-IPSec Networking Hooks
From: James Morris <hidden>
Date: 2005-05-29 06:07:42
A few issues:

1) The following patch is needed to ensure that the error value is propagated back, that the err is initialized and that you don't try and xfrm_pol_put() an uninitialized xp.

diff -purN -X dontdiff linux-2.6.12-rc4.w/net/key/af_key.c linux-2.6.12-rc4.x/net/key/af_key.c
--- linux-2.6.12-rc4.w/net/key/af_key.c 2005-05-29 01:30:08.000000000 -0400
+++ linux-2.6.12-rc4.x/net/key/af_key.c 2005-05-29 01:54:17.751327592 -0400@@ -2098,8 +2098,9 @@ static int pfkey_spddelete(struct sock * sec_ctx = (struct sadb_x_sec_ctx *) ext_hdrs[SADB_X_EXT_SEC_CTX-1]; memcpy(&tmp.selector, &sel, sizeof(struct xfrm_selector)); if (sec_ctx != NULL) { - if (security_xfrm_policy_alloc(&tmp, sec_ctx)) - goto out; + err = security_xfrm_policy_alloc(&tmp, sec_ctx); + if (err) + return err; } xp = xfrm_policy_bysel(pol->sadb_x_policy_dir-1, &tmp.selector, 1);
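Review bot: the new `return err` after `err = security_xfrm_policy_alloc(&tmp, sec_ctx);` correctly skips the `out:` cleanup that the old `goto out` reached with xp still unassigned, but err is now assigned only inside the `sec_ctx != NULL` branch, so every later path in pfkey_spddelete() that still jumps to `out:` must set err itself before jumping; the hunk does not show that. Also, on success the hook has attached a security context to the stack-local tmp, and the visible lines go straight to `xfrm_policy_bysel(pol->sadb_x_policy_dir-1, &tmp.selector, 1)` with no matching release of that context; please confirm that every exit path after the hook call frees it, otherwise each delete request carrying SADB_X_EXT_SEC_CTX leaks the allocation.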
2) Compiler warnings:

You pass a struct xfrm_user_sec_ctx to security_xfrm_policy_alloc() instead of the struct sadb_x_sec_ctx defined for that function:

net/xfrm/xfrm_user.c:223
net/xfrm/xfrm_user.c:651
net/xfrm/xfrm_user.c:939

This may seem to work on some systems because the structs are the same, but one is packed and it's bad form in any case. Not sure what the best way is to fix this. xfrm is native, so any penalty should likely go to pfkey.

Also, net/xfrm/xfrm_user.c:1241: warning: unused variable `ctx'

3) security/selinux/nethooks.c

The name of this file is potentially misleading: it does not contain all of the SELinux networking hooks, just the xfrm related code. I'd suggest calling it security/selinux/xfrm.c.

It also has no author/copyright info, or a GPL notice (look at the other files there).

(More to come).

- James

-- 
James Morris [off-list ref]
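To make the packed-versus-unpacked point in 2) concrete, here is an added stand-alone C example; it is not code from this patch, from the reply above, or from the kernel tree. The two struct layouts are reconstructed from memory of the 2.6.12-era linux/pfkeyv2.h and linux/xfrm.h and should be treated as assumptions, as are the hypothetical *_variant structs and the sadb_to_xfrm_sec_ctx() helper. The helper sketches the "penalty goes to pfkey" option: af_key copies the pfkey extension member by member into the native xfrm struct before calling the hook, so the hook has a single well-defined argument type and nothing depends on the two layouts happening to coincide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED layouts, reconstructed from memory of the 2.6.12-era headers
 * (linux/pfkeyv2.h and linux/xfrm.h); they are not taken from this page. */
struct sadb_x_sec_ctx {          /* pfkey wire format: packed */
    uint16_t sadb_x_sec_len;
    uint16_t sadb_x_sec_exttype;
    uint8_t  sadb_x_ctx_alg;
    uint8_t  sadb_x_ctx_doi;
    uint16_t sadb_x_ctx_len;
} __attribute__((packed));

struct xfrm_user_sec_ctx {       /* native xfrm netlink format: not packed */
    uint16_t len;
    uint16_t exttype;
    uint8_t  ctx_alg;
    uint8_t  ctx_doi;
    uint16_t ctx_len;
};

/* Hypothetical variants (not kernel structs) with one 32-bit member, to show
 * the case where packing changes both the size and the member offsets. */
struct packed_variant   { uint16_t a; uint8_t b; uint32_t c; } __attribute__((packed));
struct unpacked_variant { uint16_t a; uint8_t b; uint32_t c; };

/* 1 if the two real structs have identical size and member offsets. This is
 * why the cast "seems to work": no member is wider than 2 bytes, so natural
 * alignment never inserts padding and packing changes nothing. */
int real_layouts_coincide(void)
{
    return sizeof(struct sadb_x_sec_ctx) == sizeof(struct xfrm_user_sec_ctx)
        && offsetof(struct sadb_x_sec_ctx, sadb_x_sec_exttype) == offsetof(struct xfrm_user_sec_ctx, exttype)
        && offsetof(struct sadb_x_sec_ctx, sadb_x_ctx_alg)     == offsetof(struct xfrm_user_sec_ctx, ctx_alg)
        && offsetof(struct sadb_x_sec_ctx, sadb_x_ctx_doi)     == offsetof(struct xfrm_user_sec_ctx, ctx_doi)
        && offsetof(struct sadb_x_sec_ctx, sadb_x_ctx_len)     == offsetof(struct xfrm_user_sec_ctx, ctx_len);
}

/* Add one 32-bit member and the packed/unpacked layouts diverge: a cast
 * between them would read member c from the wrong offset. */
size_t packed_variant_size(void)       { return sizeof(struct packed_variant); }
size_t unpacked_variant_size(void)     { return sizeof(struct unpacked_variant); }
size_t packed_variant_c_offset(void)   { return offsetof(struct packed_variant, c); }
size_t unpacked_variant_c_offset(void) { return offsetof(struct unpacked_variant, c); }

/* Hypothetical helper for the "penalty goes to pfkey" option: af_key converts
 * member by member, and the LSM hook only ever sees xfrm_user_sec_ctx. No cast,
 * no dependence on the two layouts matching. */
void sadb_to_xfrm_sec_ctx(const struct sadb_x_sec_ctx *in, struct xfrm_user_sec_ctx *out)
{
    memset(out, 0, sizeof(*out));
    out->len     = in->sadb_x_sec_len;
    out->exttype = in->sadb_x_sec_exttype;
    out->ctx_alg = in->sadb_x_ctx_alg;
    out->ctx_doi = in->sadb_x_ctx_doi;
    out->ctx_len = in->sadb_x_ctx_len;
}

/* Round-trip a constructed (arbitrary-valued) pfkey extension header through
 * the converter; returns 1 when every member arrived intact. */
int convert_roundtrip_ok(void)
{
    struct sadb_x_sec_ctx in = { .sadb_x_sec_len = 5, .sadb_x_sec_exttype = 7,
                                 .sadb_x_ctx_alg = 1, .sadb_x_ctx_doi = 1,
                                 .sadb_x_ctx_len = 31 };
    struct xfrm_user_sec_ctx out;

    sadb_to_xfrm_sec_ctx(&in, &out);
    return out.len == 5 && out.exttype == 7 && out.ctx_alg == 1
        && out.ctx_doi == 1 && out.ctx_len == 31;
}

int main(void)
{
    printf("real structs coincide: %d\n", real_layouts_coincide());
    printf("variant size packed/unpacked: %zu/%zu, offset of c: %zu/%zu\n",
           packed_variant_size(), unpacked_variant_size(),
           packed_variant_c_offset(), unpacked_variant_c_offset());
    printf("converter round trip: %d\n", convert_roundtrip_ok());
    return 0;
}
```

The real structs coincide only because every member is 16 bits or narrower; the *_variant pair shows that the moment a wider member appears, the packed and natural layouts differ in both size and offsets, which is what makes the implicit cast fragile even where it compiles with only a warning.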