[DSE-Dev] Re: openssh packages with updated selinux patch
Manoj Srivastava
srivasta at debian.org
Tue Oct 24 21:10:40 UTC 2006
> On Tue, Oct 24, 2006 at 12:19:59AM -0500, Manoj Srivastava wrote:
>> On Tue, 24 Oct 2006 06:36:34 +0200, Aurelien Jarno
>> <aurelien at aurel32.net> said:
>>
>> > Manoj Srivastava wrote:
>> >> Hi,
>> >>
>> >> I have created openssh packages with updated SELinux patches,
>> >> this brings us in line with the new SELinux release. The patch
>> >> is recorded in Bug#394795. The packages are available at:
>> ....
>> >> Please test these packages out. I would like to see the SELinux
>> >> updates enter Etch, and would be happy to do an NMU, if desired.
>>
>> > With your patch, sshd is unconditionally linked with
>> > libselinux. This breaks debian-installer on architectures using
>> > ssh for the installation, and also non-Linux architectures.
>>
>> No, it is not. The configure patch:
>> ensures that LIBSELINUX expands to -lselinux only on machines where
>> it is available, not otherwise.
>>
>> Unless you are saying that the configure.ac patch is broken, in
>> which case please supply a log of the regenerated configure script
>> showing that it fails.
>>
> I don't say the configure.ac patch is broken, I say the patch as a
> whole is broken.
Then you have not actually applied the patch in the BTS. (If
you used the .dsc on people.d.o, please refresh, since I hadn't meant
that .dsc to be public -- it is an older version used for testing). I
have now replaced it with a real version based on the patch.
> After a few searches it seems the problem is in
> Makefile.in:
And that is proof.
> [bode:/tmp/openssh-4.3p2]$ grep LIBSELINUX Makefile.in
> LIBSELINUX=-lselinux
> $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat
> $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
> [bode:/tmp/openssh-4.3p2]$
> I can confirm that the resulting udeb package is linked with
> libselinux, even if selinux support is disabled for the udeb pass:
With that Makefile.in, sure. Here is what is in the patch
submitted:
======================================================================
diff -uBbwr ../debian-current/openssh-4.3p2/Makefile.in openssh-4.3p2/Makefile.in
--- ../debian-current/openssh-4.3p2/Makefile.in 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/Makefile.in 2006-10-20 15:34:48.000000000 -0500
@@ -43,6 +43,7 @@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
+LIBSELINUX=@LIBSELINUX@
LIBEDIT=@LIBEDIT@
LIBPAM=@LIBPAM@
LIBWRAP=@LIBWRAP@
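Review bot: The new `LIBSELINUX=@LIBSELINUX@` assignment only resolves if the configure script in the tree has been regenerated from the patched configure.ac, which is where AC_SUBST(LIBSELINUX) is added. With a stale configure the token is left unsubstituted in the generated Makefile and the sshd link rule picks it up verbatim. The patch description should say that autoconf must be rerun, or the regenerated configure should ship with the patch.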
@@ -136,7 +137,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
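Review bot: Only the sshd rule gains $(LIBSELINUX), while the configure.ac part of this patch stops appending -lselinux to LIBS, so the ssh and scp rules shown in this hunk, which link with $(LIBS) only, no longer receive the library. Please confirm that no object outside SSHDOBJS references libselinux symbols when WITH_SELINUX is defined, or add $(LIBSELINUX) to those rules as well.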
======================================================================
I now have a smaller configure.ac patch, which shows better
what the improvement in configuration is:
======================================================================
diff -uBbwr ../debian-current/openssh-4.3p2/configure.ac openssh-4.3p2/configure.ac
--- ../debian-current/openssh-4.3p2/configure.ac 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/configure.ac 2006-10-24 15:25:30.000000000 -0500
@@ -2986,15 +2986,25 @@
# Check whether user wants SELinux support
SELINUX_MSG="no"
+LIBSELINUX=""
AC_ARG_WITH(selinux,
- [ --with-selinux Enable SELinux support],
+ [ --with-selinux[[=LIBSELINUX-PATH]] Enable SELinux support],
[ if test "x$withval" != "xno" ; then
+ if test "x$withval" != "xyes"; then
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ fi
AC_DEFINE(WITH_SELINUX, 1, [Define if you want SELinux support.])
SELINUX_MSG="yes"
AC_CHECK_HEADERS(selinux/selinux.h)
- LIBS="$LIBS -lselinux"
+ LIBSELINUX="-lselinux"
fi
])
+AC_SUBST(LIBSELINUX)
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
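Review bot: Inside the --with-selinux branch, WITH_SELINUX is defined and LIBSELINUX is set to -lselinux regardless of the result of AC_CHECK_HEADERS(selinux/selinux.h), and nothing probes for the library itself, so the substituted value follows the configure flag and not whether libselinux is actually present on the build host. Consider failing with AC_MSG_ERROR when the header is missing and adding an AC_CHECK_LIB probe for selinux before assigning LIBSELINUX, so that a host without the library stops at configure time instead of at compile or link time. A short comment above the new -I/-L block, noting that it applies only when a path is given in place of yes, would also help.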
======================================================================
manoj
--
"I not only use all the brains that I have, but all that I can
borrow." -Woodrow Wilson
Manoj Srivastava <srivasta at debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C