Bug 157678

Summary: ssh and ssh-keygen are needlessly linked with libselinux
Product: [Fedora] Fedora Reporter: Russell Coker <rcoker>
Component: openssh Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-4.0p1-3 Doc Type: Bug Fix
Last Closed: 2005-05-16 18:30:29 UTC Type: ---

Description Russell Coker 2005-05-13 17:42:30 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)

Description of problem:
The ssh client and ssh-keygen do not have any SE Linux specific functionality
and do not need to be linked to libselinux.

The patch below removes this needless linking, which, as well as slightly
reducing the program size and startup time, also stops ssh-keygen from
performing some operations that are not permitted by SE Linux policy.
 
diff -rup openssh-4.0p1.orig/configure.ac openssh-4.0p1/configure.ac 
--- openssh-4.0p1.orig/configure.ac	2005-05-14 03:23:53.000000000 +1000 
+++ openssh-4.0p1/configure.ac	2005-05-14 03:27:34.000000000 +1000 
@@ -2376,15 +2376,17 @@ int main() 
  
 # Check whether user wants SELinux support 
 SELINUX_MSG="no" 
+SELIBS="" 
 AC_ARG_WITH(selinux, 
 	[  --with-selinux   Enable SELinux support], 
 	[ if test "x$withval" != "xno" ; then 
 		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux 
support.]) 
 		SELINUX_MSG="yes" 
 		AC_CHECK_HEADERS(selinux.h) 
-		LIBS="$LIBS -lselinux" 
+		SELIBS=-lselinux 
 	fi 
 	]) 
+AC_SUBST(SELIBS) 
  
 # Check whether user wants Kerberos 5 support 
 KRB5_MSG="no" 
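Review bot: `SELIBS=-lselinux` in the `--with-selinux` branch is assigned without probing for the library, and the result of `AC_CHECK_HEADERS(selinux.h)` is not acted on, so a build host without libselinux passes configure and fails only when sshd is linked. Consider guarding the assignment with an AC_CHECK_LIB test that stops at configure time. Minor: quote the value as `SELIBS="-lselinux"` to match the `SELIBS=""` initialiser added above it.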
diff -rup openssh-4.0p1.orig/Makefile.in openssh-4.0p1/Makefile.in 
--- openssh-4.0p1.orig/Makefile.in	2005-05-14 03:23:53.000000000 +1000 
+++ openssh-4.0p1/Makefile.in	2005-05-14 03:28:16.000000000 +1000 
@@ -43,6 +43,7 @@ LD=@LD@ 
 CFLAGS=@CFLAGS@ 
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ 
 LIBS=@LIBS@ 
+SELIBS=@SELIBS@ 
 LIBEDIT=@LIBEDIT@ 
 LIBPAM=@LIBPAM@ 
 LIBWRAP=@LIBWRAP@ 
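Review bot: the new `SELIBS=@SELIBS@` variable does not follow the naming of its neighbours `LIBEDIT`, `LIBPAM` and `LIBWRAP`. Calling it `LIBSELINUX`, here and in the `AC_SUBST` in configure.ac, would keep the optional-library variables consistent and make the sshd link line easier to read.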
@@ -136,7 +137,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS 
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
  
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS) 
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) 
$(LIBPAM) $(LIBS) 
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) 
$(LIBPAM) $(LIBS) $(SELIBS) 
  
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o 
 	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat 
$(LIBS) 
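Review bot: only the `sshd$(EXEEXT)` rule gains `$(SELIBS)`, while `WITH_SELINUX` is still defined for every compilation unit by the configure.ac hunk, so any object outside `$(SSHDOBJS)` that calls into libselinux under that define will now fail to link. The description should state that the SELinux calls are confined to the sshd objects, or the define should be limited to match. Separately, the `-` and `+` recipe lines are wrapped onto a second line (`$(LIBPAM) $(LIBS) $(SELIBS)`) without a diff prefix, so the patch as pasted will not apply; attaching it as a file avoids that.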
 

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Run ldd on ssh and observe that it is linked to libselinux.

Additional info:

Comment 1 Tomas Mraz 2005-05-16 18:30:29 UTC
Fixed, thank you.