157678 – ssh and ssh-keygen are needlessly linked with libselinux

Bug 157678 - ssh and ssh-keygen are needlessly linked with libselinux

Summary: ssh and ssh-keygen are needlessly linked with libselinux

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openssh
Sub Component:
Version:	4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-05-13 17:42 UTC by Russell Coker
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:	openssh-4.0p1-3
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-05-16 18:30:29 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Russell Coker 2005-05-13 17:42:30 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)

Description of problem:
The ssh client and ssh-keygen do not have any SE Linux specific functionality  
and do not need to be linked to libselinux. 
 
The patch below removes this needless linking which as well as slightly 
reducing the program size and startup time also stops ssh-keygen from 
performing some operations that are not permitted by SE Linux policy. 
 
diff -rup openssh-4.0p1.orig/configure.ac openssh-4.0p1/configure.ac 
--- openssh-4.0p1.orig/configure.ac	2005-05-14 03:23:53.000000000 +1000 
+++ openssh-4.0p1/configure.ac	2005-05-14 03:27:34.000000000 +1000 
@@ -2376,15 +2376,17 @@ int main() 
  
 # Check whether user wants SELinux support 
 SELINUX_MSG="no" 
+SELIBS="" 
 AC_ARG_WITH(selinux, 
 	[  --with-selinux   Enable SELinux support], 
 	[ if test "x$withval" != "xno" ; then 
 		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux 
support.]) 
 		SELINUX_MSG="yes" 
 		AC_CHECK_HEADERS(selinux.h) 
-		LIBS="$LIBS -lselinux" 
+		SELIBS=-lselinux 
 	fi 
 	]) 
+AC_SUBST(SELIBS) 
  
 # Check whether user wants Kerberos 5 support 
 KRB5_MSG="no" 
diff -rup openssh-4.0p1.orig/Makefile.in openssh-4.0p1/Makefile.in 
--- openssh-4.0p1.orig/Makefile.in	2005-05-14 03:23:53.000000000 +1000 
+++ openssh-4.0p1/Makefile.in	2005-05-14 03:28:16.000000000 +1000 
@@ -43,6 +43,7 @@ LD=@LD@ 
 CFLAGS=@CFLAGS@ 
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ 
 LIBS=@LIBS@ 
+SELIBS=@SELIBS@ 
 LIBEDIT=@LIBEDIT@ 
 LIBPAM=@LIBPAM@ 
 LIBWRAP=@LIBWRAP@ 
@@ -136,7 +137,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS 
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
  
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS) 
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) 
$(LIBPAM) $(LIBS) 
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) 
$(LIBPAM) $(LIBS) $(SELIBS) 
  
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o 
 	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat 
$(LIBS) 
 

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
run ldd on ssh and observe that it is linked to libselinux. 

Additional info:

Comment 1 Tomas Mraz 2005-05-16 18:30:29 UTC

Fixed, thank you.

Note You need to log in before you can comment on or make changes to this bug.