Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 157678

Summary: ssh and ssh-keygen are needlessly linked with libselinux
Product: [Fedora] Fedora Reporter: Russell Coker <rcoker>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-4.0p1-3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-05-16 18:30:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Russell Coker 2005-05-13 17:42:30 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)

Description of problem:
The ssh client and ssh-keygen do not have any SE Linux specific functionality  
and do not need to be linked to libselinux. 
 
The patch below removes this needless linking which as well as slightly 
reducing the program size and startup time also stops ssh-keygen from 
performing some operations that are not permitted by SE Linux policy. 
 
diff -rup openssh-4.0p1.orig/configure.ac openssh-4.0p1/configure.ac 
--- openssh-4.0p1.orig/configure.ac	2005-05-14 03:23:53.000000000 +1000 
+++ openssh-4.0p1/configure.ac	2005-05-14 03:27:34.000000000 +1000 
@@ -2376,15 +2376,17 @@ int main() 
  
 # Check whether user wants SELinux support 
 SELINUX_MSG="no" 
+SELIBS="" 
 AC_ARG_WITH(selinux, 
 	[  --with-selinux   Enable SELinux support], 
 	[ if test "x$withval" != "xno" ; then 
 		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux 
support.]) 
 		SELINUX_MSG="yes" 
 		AC_CHECK_HEADERS(selinux.h) 
-		LIBS="$LIBS -lselinux" 
+		SELIBS=-lselinux 
 	fi 
 	]) 
+AC_SUBST(SELIBS) 
  
 # Check whether user wants Kerberos 5 support 
 KRB5_MSG="no" 
diff -rup openssh-4.0p1.orig/Makefile.in openssh-4.0p1/Makefile.in 
--- openssh-4.0p1.orig/Makefile.in	2005-05-14 03:23:53.000000000 +1000 
+++ openssh-4.0p1/Makefile.in	2005-05-14 03:28:16.000000000 +1000 
@@ -43,6 +43,7 @@ LD=@LD@ 
 CFLAGS=@CFLAGS@ 
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ 
 LIBS=@LIBS@ 
+SELIBS=@SELIBS@ 
 LIBEDIT=@LIBEDIT@ 
 LIBPAM=@LIBPAM@ 
 LIBWRAP=@LIBWRAP@ 
@@ -136,7 +137,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS 
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
  
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS) 
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) 
$(LIBPAM) $(LIBS) 
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) 
$(LIBPAM) $(LIBS) $(SELIBS) 
  
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o 
 	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat 
$(LIBS) 
 

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
run ldd on ssh and observe that it is linked to libselinux. 

Additional info:

Comment 1 Tomas Mraz 2005-05-16 18:30:29 UTC
Fixed, thank you.