Bug 1518785

Summary: [F28 change] sslh should not require tcp_wrappers
Product: [Fedora] Fedora
Reporter: Jakub Jelen <jjelen>
Component: sslh
Assignee: James Hogarth <james.hogarth>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: james.hogarth
Last Closed: 2017-12-01 10:56:21 UTC
Type: Bug
Bug Blocks: 1495181, 1596070    

Description Jakub Jelen 2017-11-29 14:59:15 UTC
As announced earlier this year, we plan to deprecate TCP wrappers out of Fedora services in a single release (Fedora 28) to avoid user confusion that some of the tools will be using it and some not.

For more information about the change or possible migration paths outside of the package itself, see the linked accepted Fedora 28 change.

This report is for a source package that has "BuildRequires tcp_wrappers" in the spec file and whose resulting packages depend on "libwrap.so.0". The changes to remove the dependency should be minimal, usually a configure switch, but let me know if you will need some assistance with the changes.

Additional info:

https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

Comment 1 James Hogarth 2017-11-29 15:08:43 UTC
Thanks for the report, I'll adjust it tonight and carry out a fresh build in rawhide.

On a side note, your change page has an example which does not follow best practice.

If you copy over the whole service file from /usr/lib/systemd/system to /etc/systemd/system then any bug fixes or new features added to the service file (security etc) will not be picked up.

The proper way is to do a systemd override ... in the case of your example just /etc/systemd/system/sshd@.service.d/tcp_override.conf

To override an ExecStart you need to do two lines:

ExecStart=
ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY

The reason for this is that a single ExecStart will just be executed as if there were multiple lines, but doing the blank one first "resets" the behaviour.
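
Added example (not part of the original comment or of the sslh package): a shell sketch that models how ExecStart= assignments accumulate across a unit file and its drop-ins, comparing a drop-in without the empty reset line against the two-line override from Comment 1. The packaged unit content, the scratch directory and the file name no_reset.conf are constructed for illustration; nothing under /etc or /usr is touched.

```shell
#!/bin/sh
# Added example: models how ExecStart= accumulates across a unit and drop-ins.
# Everything lives in a scratch directory; /etc and /usr are not touched.

# Print the effective ExecStart= list, one command per line, for the unit
# file followed by its drop-ins in the order given.
effective_execstart() {
    awk '
        BEGIN { n = 0 }
        /^ExecStart=/ {
            value = substr($0, length("ExecStart=") + 1)
            if (value == "") { n = 0 }          # empty assignment resets the list
            else             { cmds[n++] = value }  # anything else appends
        }
        END { for (i = 0; i < n; i++) print cmds[i] }
    ' "$@"
}

count_execstart() { effective_execstart "$@" | wc -l | tr -d ' '; }

demo=$(mktemp -d)
mkdir -p "$demo/sshd@.service.d"

# Constructed stand-in for the packaged /usr/lib/systemd/system/sshd@.service.
cat > "$demo/sshd@.service" <<'EOF'
[Service]
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
EOF

# Drop-in without the reset line: the list ends up with two commands, which
# systemd accepts only for Type=oneshot services.
cat > "$demo/no_reset.conf" <<'EOF'
[Service]
ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
EOF

# Drop-in from Comment 1, with the [Service] header a drop-in file needs.
cat > "$demo/sshd@.service.d/tcp_override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
EOF

echo "without reset: $(count_execstart "$demo/sshd@.service" "$demo/no_reset.conf")"
echo "with reset:    $(count_execstart "$demo/sshd@.service" "$demo/sshd@.service.d/tcp_override.conf")"
effective_execstart "$demo/sshd@.service" "$demo/sshd@.service.d/tcp_override.conf"
```

On a real host, run `systemctl daemon-reload` after placing the drop-in and confirm the merged result with `systemctl cat sshd@.service`.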