Please consider adding this patch to allow openssh to work with SELinux
Created attachment 648 [details] SELinux patch
I was under the impression that this was going to be done using PAM modules?
Created attachment 1110 [details] Revised diff
Created attachment 1111 [details] Revised diff

This is a revised diff, based on Daniel's patch but fixing a few memory leaks and dealing with both older and new libselinux.
Comment on attachment 1111 [details] Revised diff

>+LIBSELINUX=@LIBSELINUX@
[...]
>+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)

Instead of doing this, I think we ought to split $LIBS up differently: generic libs required for all programs, one for just the crypto libs and associated, one for sshd only. The latter could replace LIBPAM and LIBWRAP. We're now in the situation where we need it: libdl is either not needed, needed for libpam only or needed for everything crypto-related (for openssl-0.9.8*) and this is messy to represent with the current implementation.

>+ if [ -x /sbin/restorecon ]; then
>+ /sbin/restorecon $RSA1_KEY.pub
>+ fi

Is this a valid thing to do, eg, if selinux is installed but disabled at runtime?

Still need to look through the rest of the patch...
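Review bot: in the restorecon hunk only `$RSA1_KEY.pub` is relabelled; the private key `$RSA1_KEY` written by the same key-generation step is left with whatever context the generating process gave it, so if the point is to give freshly generated host keys their policy-defined label, pass both: `/sbin/restorecon $RSA1_KEY $RSA1_KEY.pub`. The expansion is also unquoted, so a key path containing whitespace would be word-split; `"$RSA1_KEY"` costs nothing.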
(In reply to comment #5)
> Instead of doing this, I think we ought to split $LIBS up differently: generic
> libs required for all programs, one for just the crypto libs and associated,
> one for sshd only. The latter could replace LIBPAM and LIBWRAP.

I agree, a $SSHDLIBS would be nicer.

> >+ if [ -x /sbin/restorecon ]; then
> >+ /sbin/restorecon $RSA1_KEY.pub
> >+ fi
>
> Is this a valid thing to do, eg, if selinux is installed but disabled at
> runtime?

Ubuntu does it in a couple of things in /etc/init.d unconditionally, though not for ssh in the current stable release. I think it just resets the extended filesystem attributes on the file, which are only used by SELinux when it is actually turned on.

> Still need to look through the rest of the patch...
Created attachment 1120 [details] Split configure's $LIBS up

Here's a starting point, configure and Makefile bits only. The libcrypto bits for sftp, sftp-server and scp can be removed later, but some reshuffling of other bits is needed first.
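The $SSHDLIBS split proposed in comment #5 and started in attachment 1120, sketched as an added illustration (this is not the attachment's contents or the project's own code): the configure.ac fragment is shown in the comment block, the Makefile.in fragment below it. The autoconf macro arguments, the probed symbols (`setexeccon`, `hosts_access`, `pam_start`) and the `--with-selinux` option name are assumptions for this example.

```makefile
# configure.ac fragment (illustrative; macro arguments, probed symbols and
# option names are assumptions for this example, not the project's code).
# Each sshd-only dependency appends to SSHDLIBS instead of the global LIBS.
# Giving AC_CHECK_LIB an explicit action-if-found stops it from prepending
# the library to LIBS, which is what drags sshd-only libs into every binary.
#
#   SSHDLIBS=""
#   AC_ARG_WITH([selinux], [  --with-selinux   Enable SELinux support],
#     [ AC_CHECK_LIB([selinux], [setexeccon],
#         [SSHDLIBS="$SSHDLIBS -lselinux"
#          AC_DEFINE([WITH_SELINUX], [1], [Define if you want SELinux support.])],
#         [AC_MSG_ERROR([SELinux support requested but libselinux not found])]) ])
#   AC_CHECK_LIB([wrap], [hosts_access], [SSHDLIBS="$SSHDLIBS -lwrap"])  # TCP wrappers
#   AC_CHECK_LIB([pam],  [pam_start],    [SSHDLIBS="$SSHDLIBS -lpam"])   # PAM
#   AC_SUBST([SSHDLIBS])

# Makefile.in fragment: only the sshd link line sees $(SSHDLIBS); ssh, scp,
# sftp and the rest keep linking against the generic $(LIBS), which is
# where a library needed by all crypto-using programs (libdl with
# openssl-0.9.8*) still belongs.
LIBS=@LIBS@
SSHDLIBS=@SSHDLIBS@

sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)

ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
```

With this layout the separate LIBPAM, LIBWRAP and LIBSELINUX variables disappear: whether a given sshd-only dependency is linked is decided once in configure, and the link line of every other program is unaffected by it.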
restorecon exits immediately if selinux is not enabled, with exit status 0.
Comment on attachment 1120 [details] Split configure's $LIBS up

I like these changes, but I think it should be dealt with separately to this bug. Do you want to start making these changes now? The approach is fine...
Created attachment 1124 [details] Tweaked patch

Tweaked patch - no functional change, just a little tidier with the preprocessor goop.
Comment on attachment 1124 [details] Tweaked patch

Patch seems ok to me. (I don't know the selinux interface, though)
Forgot to add: built and seemed to work ok on FC4.
Patch committed and will be in the 20060423+ snapshots. Thanks!
With the release of 4.4, we believe that this bug is now closed. For information about the release please see http://www.openssh.com/txt/release-4.4.