Don't discard HBAC rule processing result if SELinux is on

Resolves: rhbz#846792 (CVE-2012-3462)
2012-08-10 22:38:17 +02:00 · 2012-08-10 22:38:17 +02:00 · a1657400dd
commit a1657400dd
parent 292c0dcaf2
2 changed files with 30 additions and 1 deletions
--- a/0001-Abort-PAM-access-phase-if-HBAC-does-not-return-PAM_S.patch
+++ b/0001-Abort-PAM-access-phase-if-HBAC-does-not-return-PAM_S.patch
@ -0,0 +1,24 @@
+From ffcf27b0b773b580289d596f796aaf86c45ba920 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 8 Aug 2012 19:26:35 +0200
+Subject: [PATCH] Abort PAM access phase if HBAC does not return PAM_SUCCESS
+
+---
+ src/providers/data_provider_be.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index 2e4ee0754e62a48248cc7537243705b3a1004502..dcce69ca42fe4b8f216a69a6877e0aeaf20872cc 100644
+--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
+@@ -793,6 +793,7 @@ static void be_pam_handler_callback(struct be_req *req,
+     pd = talloc_get_type(req->req_data, struct pam_data);
+ 
+     if (pd->cmd == SSS_PAM_ACCT_MGMT &&
+        pd->pam_status == PAM_SUCCESS &&
+         req->phase == REQ_PHASE_ACCESS &&
+         dp_err_type == DP_ERR_OK) {
+         if (!becli->bectx->bet_info[BET_SELINUX].bet_ops) {
+-- 
+1.7.11.2
+
--- a/sssd.spec
+++ b/sssd.spec
@ -16,7 +16,7 @@

 Name: sssd
 Version: 1.9.0
-Release: 14%{?dist}.beta6
+Release: 15%{?dist}.beta6
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -25,6 +25,7 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta6.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

 ### Patches ###
+Patch0001:  0001-Abort-PAM-access-phase-if-HBAC-does-not-return-PAM_S.patch


 ### Dependencies ###
@ -514,6 +515,10 @@ fi
 %postun -n libsss_sudo -p /sbin/ldconfig

 %changelog
+* Fri Aug 10 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.9.0-14.beta6
+- Don't discard HBAC rule processing result if SELinux is on
+  Resolves: rhbz#846792 (CVE-2012-3462)
+
 * Thu Aug 02 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.9.0-13.beta6
 - New upstream release 1.9.0 beta 6
 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6