From a1657400dd987bbae3208ebe85e658c2a36cbccc Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 10 Aug 2012 22:38:17 +0200
Subject: [PATCH] Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)
---
 ...-phase-if-HBAC-does-not-return-PAM_S.patch | 24 +++++++++++++++++++
 sssd.spec | 7 +++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 0001-Abort-PAM-access-phase-if-HBAC-does-not-return-PAM_S.patch
diff --git a/0001-Abort-PAM-access-phase-if-HBAC-does-not-return-PAM_S.patch b/0001-Abort-PAM-access-phase-if-HBAC-does-not-return-PAM_S.patch
new file mode 100644
index 0000000..d96d1a6
--- /dev/null
+++ b/0001-Abort-PAM-access-phase-if-HBAC-does-not-return-PAM_S.patch
@@ -0,0 +1,24 @@
+From ffcf27b0b773b580289d596f796aaf86c45ba920 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Wed, 8 Aug 2012 19:26:35 +0200
+Subject: [PATCH] Abort PAM access phase if HBAC does not return PAM_SUCCESS
+
+---
+ src/providers/data_provider_be.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index 2e4ee0754e62a48248cc7537243705b3a1004502..dcce69ca42fe4b8f216a69a6877e0aeaf20872cc 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -793,6 +793,7 @@ static void be_pam_handler_callback(struct be_req *req,
+ pd = talloc_get_type(req->req_data, struct pam_data);
+
+ if (pd->cmd == SSS_PAM_ACCT_MGMT &&
++ pd->pam_status == PAM_SUCCESS &&
+ req->phase == REQ_PHASE_ACCESS &&
+ dp_err_type == DP_ERR_OK) {
+ if (!becli->bectx->bet_info[BET_SELINUX].bet_ops) {
+--
+1.7.11.2
+
diff --git a/sssd.spec b/sssd.spec
index 38e9c59..0f53155 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -16,7 +16,7 @@
 Name: sssd
 Version: 1.9.0
-Release: 14%{?dist}.beta6
+Release: 15%{?dist}.beta6
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
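Review bot: The added `pd->pam_status == PAM_SUCCESS` condition in `be_pam_handler_callback` is an authorization gate, but nothing in the code says so, and a later cleanup could drop it as apparently redundant with `dp_err_type == DP_ERR_OK`. The two appear to be different things: `dp_err_type` looks like the provider request's completion status, while `pam_status` carries the access decision, so a denial can arrive with `DP_ERR_OK`. I would add a comment above the `if`, for example `/* Enter the SELinux phase only if access control returned PAM_SUCCESS; any other pam_status must reach the PAM client unchanged. */`. The function body starts and ends outside the hunk, so the path taken when the condition is false is not visible here and should be checked to confirm it forwards the denied status. A regression test with a denying HBAC rule and the SELinux provider configured would pin that behaviour.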
@@ -25,6 +25,7 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta6.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
+Patch0001: 0001-Abort-PAM-access-phase-if-HBAC-does-not-return-PAM_S.patch
 ### Dependencies ###
@@ -514,6 +515,10 @@ fi
 %postun -n libsss_sudo -p /sbin/ldconfig
 %changelog
+* Fri Aug 10 2012 Jakub Hrozek - 1.9.0-14.beta6
+- Don't discard HBAC rule processing result if SELinux is on
+ Resolves: rhbz#846792 (CVE-2012-3462)
+
 * Thu Aug 02 2012 Jakub Hrozek - 1.9.0-13.beta6
 - New upstream release 1.9.0 beta 6
 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6
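Review bot: `Patch0001:` only declares the patch, and this commit does not touch `%prep` (the diffstat is fully accounted for by the release bump, this tag and the changelog lines), so whether the CVE-2012-3462 fix is actually applied depends on a `%patch` step or patch loop that lies outside the hunks shown. Please confirm from a build log that `0001-Abort-PAM-access-phase-if-HBAC-does-not-return-PAM_S.patch` is applied to `src/providers/data_provider_be.c`. Separately, the new `%changelog` entry is labelled `1.9.0-14.beta6` while `Release:` is bumped to `15`; the entry should read `1.9.0-15.beta6` so the fixed build can be identified from the changelog.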