Created attachment 1983 openssh-5.7p1-selinux.diff
SSH client 5.7p1 calls SELinux specific functions such as matchpathcon, setfscreatecon and setfscreatecon but the configure script is not linking the 'ssh' binary against the SELinux library, so the build fails with undefined references. The attached patch is just a suggestion. It works here, but I'm not sure if it's correct according to Autoconf standards.
Similarly, ssh.c refers to SELinux symbols if WITH_SELINUX is defined, but it doesn't include <selinux/selinux.h> or similar. Oddly, the relevant functions were added in this commit:
 - (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefs for missing headers and compiler warnings.
This seems to have nothing to do with SELinux. Was this possibly an incomplete change committed by mistake?
It looks like this one was my fault but I'll have to dig through the changes to see where it went off the rails. In the meantime Damien has posted a fix: http://lists.mindrot.org/pipermail/openssh-unix-dev/2011-January/029271.html
Damien's fix doesn't quite work for me:
gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -fstack-protector-all -Wl,--as-needed -fPIE -pie -Wl,-z,relro -Wl,-z,now -lssh -lopenbsd-compat -lselinux -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM="/bin/login" -DLOGIN_NO_ENDOPT -DSSH_EXTRAVERSION="Debian-1" -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
openbsd-compat//libopenbsd-compat.a(port-linux.o): In function `ssh_selinux_getctxbyname':
/home/cjwatson/src/debian/openssh/trunk/experimental/openssh/build-deb/openbsd-compat/../../openbsd-compat/port-linux.c:78: undefined reference to `the_authctxt'
collect2: ld returned 1 exit status
Are you sure that's an unmodified tree? I don't see "the_authctxt" in port-linux.c at all, in Damien's patch either as posted (or committed) and I can build it --with-selinux on Fedora.
$ grep the_authctxt openbsd-compat/port-linux.c
$
FYI the diff that I committed is here: http://hg.mindrot.org/openssh/raw-rev/4a9f5523a949 Downstream packagers are encouraged to use this one since it might reduce conflicts with patches applied on top of it (further fixes touching this code or subsequent releases).
Oh bugger. You're quite right - this was due to the patch for bug #1641 that our SELinux people wanted me to carry. I'll go and fix it up ... Sorry for wasting time.
Thanks for the patch, Damien. I tested it here and it works. Feel free to close the bug.
*** Bug 1881 has been marked as a duplicate of this bug. ***
close resolved bugs now that openssh-5.9 has been released