[DSE-Dev] Re: openssh packages with updated selinux patch

Aurelien Jarno aurelien at aurel32.net
Tue Oct 24 13:38:57 UTC 2006


On Tue, Oct 24, 2006 at 12:19:59AM -0500, Manoj Srivastava wrote:
> On Tue, 24 Oct 2006 06:36:34 +0200, Aurelien Jarno <aurelien at aurel32.net> said: 
> 
> > Manoj Srivastava wrote:
> >> Hi,
> >> 
> >> I have created openssh packages with updated SELinux patches, this
> >> brings us in line with the new SELinux release. The patch is
> >> recorded in Bug#394795.  The packages are available at:
>  ....
> >> Please test these packages out. I would like to see the SELinux
> >> updates enter Etch, and would be happy to do an NMU, if desired.
> 
> > With your patch, sshd is unconditionally linked with
> > libselinux. This breaks debian-installer on architectures using ssh
> > for the installation, and also non-Linux architectures.
> 
>         No, it is not. The configure patch:
> +# Check whether user wants SELinux support
> +SELINUX_MSG="no"
> +LIBSELINUX=""
> +AC_ARG_WITH(selinux,
> +       [  --with-selinux[[=LIBSELINUX-PATH]]   Enable SELinux support],
> +       [ if test "x$withval" != "xno" ; then
> +               if test "x$withval" != "xyes"; then
> +                       CPPFLAGS="$CPPFLAGS -I${withval}/include"
> +                       if test -n "${need_dash_r}"; then
> +                               LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
> +                       else
> +                               LDFLAGS="-L${withval}/lib ${LDFLAGS}"
> +                       fi
> +               fi 
> +               AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
> +               SELINUX_MSG="yes"
> +               AC_CHECK_HEADERS(selinux.h)
> +               LIBSELINUX="-lselinux"
> +       fi
> +       ])
> +AC_SUBST(LIBSELINUX)
> +
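
Review bot: Inside the --with-selinux branch, LIBSELINUX="-lselinux" is assigned right after AC_CHECK_HEADERS(selinux.h) without acting on the result of that check, and nothing probes for the library itself. Configure will therefore report success and the build will fail only at link time if libselinux is absent. Consider adding an AC_CHECK_LIB probe and making both checks fatal with AC_MSG_ERROR when SELinux was explicitly requested. Also, AC_SUBST(LIBSELINUX) only takes effect where Makefile.in consumes it as @LIBSELINUX@. That side is not part of this hunk and should be reviewed together with it.
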
>  ensures that LIBSELINUX expands to -lselinux only on machines where
>  it is available, not otherwise.
> 
>         Unless you are saying that the configure.ac patch is broken,
>  in which case please supply a log of the regenerated configure script
>  showing that it fails.
> 

I am not saying the configure.ac patch is broken; I am saying the patch as a
whole is broken. After a little searching, it seems the problem is in Makefile.in:

[bode:/tmp/openssh-4.3p2]$ grep LIBSELINUX Makefile.in
LIBSELINUX=-lselinux
        $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
[bode:/tmp/openssh-4.3p2]$

I can confirm that the resulting udeb package is linked with libselinux,
even if selinux support is disabled for the udeb pass:

[anguille:/tmp/openssh]$ wget http://people.debian.org/~srivasta/packages/pool/o/openssh/openssh-server-udeb_4.3p2-5.1_i386.udeb
--15:35:39--  http://people.debian.org/~srivasta/packages/pool/o/openssh/openssh-server-udeb_4.3p2-5.1_i386.udeb
           => `openssh-server-udeb_4.3p2-5.1_i386.udeb'
Résolution de people.debian.org... 192.25.206.10
Connexion vers people.debian.org|192.25.206.10|:80...connecté.
requête HTTP transmise, en attente de la réponse...200 OK
Longueur: 160 022 (156K) [text/plain]

100%[====================================================================================================>] 160 022      183.79K/s

15:35:40 (183.36 KB/s) - « openssh-server-udeb_4.3p2-5.1_i386.udeb » sauvegardé [160022/160022]

[anguille:/tmp/openssh]$ dpkg -x openssh-server-udeb_4.3p2-5.1_i386.udeb .
[anguille:/tmp/openssh]$ ldd usr/sbin/sshd
        linux-gate.so.1 =>  (0xffffe000)
        libselinux.so.1 => /lib/libselinux.so.1 (0xa7ef0000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xa7edd000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xa7da2000)
        libutil.so.1 => /lib/tls/i686/cmov/libutil.so.1 (0xa7d9e000)
        libz.so.1 => /usr/lib/libz.so.1 (0xa7d8a000)
        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xa7d5c000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xa7c2b000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xa7c27000)
        libsepol.so.1 => /lib/libsepol.so.1 (0xa7be6000)
        /lib/ld-linux.so.2 (0xa7f24000)
[anguille:/tmp/openssh]$

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32 at debian.org         | aurelien at aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net
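
The two checks done by hand in the message above (grep on Makefile.in, ldd on the built sshd) can be scripted. The following is an added example, not part of the original message or of the openssh packaging; the function names hardcoded_substs, links_lib and demo are hypothetical, and the sample files are constructed to mirror the situation described in the thread.

```sh
#!/bin/sh
# Added example: find AC_SUBST variables that Makefile.in sets to a literal
# instead of the @VAR@ placeholder, so configure's decision is ignored.

# usage: hardcoded_substs CONFIGURE_AC MAKEFILE_IN
hardcoded_substs() {
    # Names passed to AC_SUBST(...) in configure.ac, one per line.
    sed -n 's/^[[:space:]]*AC_SUBST(\[*\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' "$1" |
    sort -u |
    while read -r var; do
        # Assignments to VAR in Makefile.in that do not use @VAR@.
        grep -E "^${var}[[:space:]]*[+:?]?=" "$2" |
        grep -v "@${var}@" |
        sed "s/^/${var}: /"
    done
}

# usage: ldd BINARY | links_lib libselinux   (exit 0 if the library is listed)
links_lib() {
    grep -q "^[[:space:]]*$1\.so"
}

# Constructed sample input modelled on the files discussed in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/configure.ac" <<'EOF'
AC_SUBST(LIBPAM)
AC_SUBST(LIBSELINUX)
EOF
    cat > "$dir/Makefile.in" <<'EOF'
LIBPAM=@LIBPAM@
LIBSELINUX=-lselinux
sshd$(EXEEXT): $(SSHDOBJS)
	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) $(LIBPAM) $(LIBSELINUX) $(LIBS)
EOF
    hardcoded_substs "$dir/configure.ac" "$dir/Makefile.in"
    rm -rf "$dir"
}

demo   # prints: LIBSELINUX: LIBSELINUX=-lselinux
```

Run against a real tree as hardcoded_substs configure.ac Makefile.in, and against a built binary as ldd usr/sbin/sshd | links_lib libselinux.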


