From Bugzilla Helper: User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko) Description of problem: The ssh client and ssh-keygen do not have any SE Linux specific functionality and do not need to be linked to libselinux. The patch below removes this needless linking which as well as slightly reducing the program size and startup time also stops ssh-keygen from performing some operations that are not permitted by SE Linux policy. diff -rup openssh-4.0p1.orig/configure.ac openssh-4.0p1/configure.ac --- openssh-4.0p1.orig/configure.ac 2005-05-14 03:23:53.000000000 +1000 +++ openssh-4.0p1/configure.ac 2005-05-14 03:27:34.000000000 +1000 @@ -2376,15 +2376,17 @@ int main() # Check whether user wants SELinux support SELINUX_MSG="no" +SELIBS="" AC_ARG_WITH(selinux, [ --with-selinux Enable SELinux support], [ if test "x$withval" != "xno" ; then AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) SELINUX_MSG="yes" AC_CHECK_HEADERS(selinux.h) - LIBS="$LIBS -lselinux" + SELIBS=-lselinux fi ]) +AC_SUBST(SELIBS) # Check whether user wants Kerberos 5 support KRB5_MSG="no" diff -rup openssh-4.0p1.orig/Makefile.in openssh-4.0p1/Makefile.in --- openssh-4.0p1.orig/Makefile.in 2005-05-14 03:23:53.000000000 +1000 +++ openssh-4.0p1/Makefile.in 2005-05-14 03:28:16.000000000 +1000 @@ -43,6 +43,7 @@ LD=@LD@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ +SELIBS=@SELIBS@ LIBEDIT=@LIBEDIT@ LIBPAM=@LIBPAM@ LIBWRAP=@LIBWRAP@ @@ -136,7 +137,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) $(SELIBS) scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: run ldd on ssh and observe that it is linked to libselinux. Additional info:
Fixed, thank you.