[DSE-Dev] Re: openssh packages with updated selinux patch
Aurelien Jarno
aurelien at aurel32.net
Tue Oct 24 13:38:57 UTC 2006
On Tue, Oct 24, 2006 at 12:19:59AM -0500, Manoj Srivastava wrote:
> On Tue, 24 Oct 2006 06:36:34 +0200, Aurelien Jarno <aurelien at aurel32.net> said:
>
> > Manoj Srivastava wrote:
> >> Hi,
> >>
> >> I have created openssh packages with updated SELinux patches, this
> >> brings us in line with the new SELinux release. The patch is
> >> recorded in Bug#394795. The packages are available at:
> ....
> >> Please test these packages out. I would like to see the SELinux
> >> updates enter Etch, and would be happy to do an NMU, if desired.
>
> > With your patch, sshd is unconditionally linked with
> > libselinux. This breaks debian-installer on architectures using ssh
> > for the installation, and also non-Linux architectures.
>
> No, it is not. The configure patch:
> +# Check whether user wants SELinux support
> +SELINUX_MSG="no"
> +LIBSELINUX=""
> +AC_ARG_WITH(selinux,
> + [ --with-selinux[[=LIBSELINUX-PATH]] Enable SELinux support],
> + [ if test "x$withval" != "xno" ; then
> + if test "x$withval" != "xyes"; then
> + CPPFLAGS="$CPPFLAGS -I${withval}/include"
> + if test -n "${need_dash_r}"; then
> + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
> + else
> + LDFLAGS="-L${withval}/lib ${LDFLAGS}"
> + fi
> + fi
> + AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
> + SELINUX_MSG="yes"
> + AC_CHECK_HEADERS(selinux.h)
> + LIBSELINUX="-lselinux"
> + fi
> + ])
> +AC_SUBST(LIBSELINUX)
> +
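Review bot: In the --with-selinux branch, LIBSELINUX="-lselinux" is set whenever the option is given, with no check that the library can be linked, and the result of AC_CHECK_HEADERS(selinux.h) is never tested. Consider guarding the assignment with an AC_CHECK_LIB test for libselinux and making configure fail when the header or library is missing. Also, AC_SUBST(LIBSELINUX) only takes effect if Makefile.in uses @LIBSELINUX@; that file is not part of this hunk, so confirm it does not assign the variable a literal value.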
> ensures that LIBSELINUX expands to -lselinux only on machines where
> it is available, not otherwise.
>
> Unless you are saying that the configure.ac patch is broken,
> in which case please supply a log of the regenerated configure script
> showing that it fails.
>
I don't say the configure.ac patch is broken, I say the patch as a whole
is broken. After a few searches it seems the problem is in Makefile.in:

[bode:/tmp/openssh-4.3p2]$ grep LIBSELINUX Makefile.in
LIBSELINUX=-lselinux
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
[bode:/tmp/openssh-4.3p2]$

I can confirm that the resulting udeb package is linked with libselinux,
even if selinux support is disabled for the udeb pass:

[anguille:/tmp/openssh]$ wget http://people.debian.org/~srivasta/packages/pool/o/openssh/openssh-server-udeb_4.3p2-5.1_i386.udeb
--15:35:39-- http://people.debian.org/~srivasta/packages/pool/o/openssh/openssh-server-udeb_4.3p2-5.1_i386.udeb
=> `openssh-server-udeb_4.3p2-5.1_i386.udeb'
Résolution de people.debian.org... 192.25.206.10
Connexion vers people.debian.org|192.25.206.10|:80...connecté.
requête HTTP transmise, en attente de la réponse...200 OK
Longueur: 160 022 (156K) [text/plain]
100%[====================================================================================================>] 160 022 183.79K/s
15:35:40 (183.36 KB/s) - « openssh-server-udeb_4.3p2-5.1_i386.udeb » sauvegardé [160022/160022]
[anguille:/tmp/openssh]$ dpkg -x openssh-server-udeb_4.3p2-5.1_i386.udeb .
[anguille:/tmp/openssh]$ ldd usr/sbin/sshd
linux-gate.so.1 => (0xffffe000)
libselinux.so.1 => /lib/libselinux.so.1 (0xa7ef0000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xa7edd000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xa7da2000)
libutil.so.1 => /lib/tls/i686/cmov/libutil.so.1 (0xa7d9e000)
libz.so.1 => /usr/lib/libz.so.1 (0xa7d8a000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xa7d5c000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xa7c2b000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xa7c27000)
libsepol.so.1 => /lib/libsepol.so.1 (0xa7be6000)
/lib/ld-linux.so.2 (0xa7f24000)
[anguille:/tmp/openssh]$
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' aurel32 at debian.org | aurelien at aurel32.net
`- people.debian.org/~aurel32 | www.aurel32.net
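
An added example, not part of the message above or of the OpenSSH or Debian packaging: a shell check for the mismatch the message reports, where configure.ac exports a variable with AC_SUBST but Makefile.in assigns it a literal value. The function names and the two sample files are constructed for illustration.

```sh
#!/bin/sh
# List variables that configure.ac exports with AC_SUBST but that Makefile.in
# assigns a literal value instead of the @VAR@ placeholder.
# Usage: hardcoded_subst configure.ac Makefile.in   (hypothetical helper)
hardcoded_subst() {
    conf=$1
    mk=$2
    # Names passed to AC_SUBST(NAME) or AC_SUBST([NAME]).
    sed -n 's/^[[:space:]]*AC_SUBST(\[\{0,1\}\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' "$conf" |
    sort -u |
    while read -r var; do
        # Skip variables that Makefile.in never assigns.
        grep -q "^${var}[[:space:]]*=" "$mk" || continue
        # Right-hand side of the first "VAR = value" line.
        rhs=$(sed -n "s/^${var}[[:space:]]*=[[:space:]]*//p" "$mk" | head -n 1)
        case $rhs in
            *"@${var}@"*) ;;                       # substituted by configure
            *) printf '%s=%s\n' "$var" "$rhs" ;;   # literal: configure is ignored
        esac
    done
}

# Constructed sample input: one substituted pair and the hard-coded case.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/configure.ac" <<'EOF'
AC_SUBST(LIBSELINUX)
AC_SUBST(LIBPAM)
AC_SUBST(LIBWRAP)
EOF
    cat > "$dir/Makefile.in" <<'EOF'
LIBPAM=@LIBPAM@
LIBWRAP=@LIBWRAP@
LIBSELINUX=-lselinux
EOF
    hardcoded_subst "$dir/configure.ac" "$dir/Makefile.in"
    rm -rf "$dir"
}

demo
```

Any line it prints names a variable whose configure result never reaches the link command.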