http://bugzilla.mindrot.org/show_bug.cgi?id=880

------- Comment #3 from djm at mindrot.org  2006-04-03 21:45 -------
Created an attachment (id=1110)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1110&action=view)
Revised diff

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=880

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #648 is|0                           |1
           obsolete|                            |

------- Comment #4 from djm at mindrot.org  2006-04-03 21:46 -------
Created an attachment (id=1111)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1111&action=view)
Revised diff

This is a revised diff, based on Daniel's patch but fixing a few memory leaks
and dealing with both older and new libselinux

http://bugzilla.mindrot.org/show_bug.cgi?id=880

------- Comment #5 from dtucker at zip.com.au  2006-04-16 15:39 -------
(From update of attachment 1111)
>+LIBSELINUX=@LIBSELINUX@
[...]
>+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)

Instead of doing this, I think we ought to split $LIBS up differently: generic
libs required for all programs, one for just the crypto libs and associated,
one for sshd only. The latter could replace LIBPAM and LIBWRAP.

We're now in the situation where we need it: libdl is either not needed,
needed for libpam only or needed for everything crypto-related (for
openssl-0.9.8*) and this is messy to represent with the current
implementation.

>+ if [ -x /sbin/restorecon ]; then
>+ /sbin/restorecon $RSA1_KEY.pub
>+ fi

Is this a valid thing to do, eg, if selinux is installed but disabled at
runtime?

Still need to look through the rest of the patch...

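Review bot: in the quoted restorecon hunk, $RSA1_KEY.pub is expanded unquoted in the /sbin/restorecon call, so a key path containing whitespace or glob characters would be split or expanded before restorecon sees it; quote it as "$RSA1_KEY.pub". The [ -x /sbin/restorecon ] guard only covers the tool being absent, so what happens when SELinux is installed but disabled is left entirely to restorecon itself, and the call's exit status is not checked; a one-line comment in the script stating the intended behaviour in that case would answer the question raised in this comment for later readers.
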
http://bugzilla.mindrot.org/show_bug.cgi?id=880

------- Comment #6 from djm at mindrot.org  2006-04-16 18:23 -------
(In reply to comment #5)
> Instead of doing this, I think we ought to split $LIBS up differently: generic
> libs required for all programs, one for just the crypto libs and associated,
> one for sshd only. The latter could replace LIBPAM and LIBWRAP.

I agree, a $SSHDLIBS would be nicer.

> >+ if [ -x /sbin/restorecon ]; then
> >+ /sbin/restorecon $RSA1_KEY.pub
> >+ fi
>
> Is this a valid thing to do, eg, if selinux is installed but disabled at
> runtime?

Ubuntu does it in a couple of things in /etc/init.d unconditionally, though not
for ssh in the current stable release. I think it just resets the extended
filesystem attributes on the file, which are only used by SELinux when it is
actually turned on.

> Still need to look through the rest of the patch...

http://bugzilla.mindrot.org/show_bug.cgi?id=880

------- Comment #7 from dtucker at zip.com.au  2006-04-16 18:36 -------
Created an attachment (id=1120)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1120&action=view)
Split configure's $LIBS up

Here's a starting point, configure and Makefile bits only. The libcrypto bits
for sftp, sftp-server and scp can be removed later, but some reshuffling of
other bits is needed first.

http://bugzilla.mindrot.org/show_bug.cgi?id=880

------- Comment #8 from dwalsh at redhat.com  2006-04-17 20:26 -------
restorecon exits immediately if selinux is not enabled, with exit status 0.

------- Comment #9 from djm at mindrot.org  2006-04-21 21:48 -------
(From update of attachment 1120)
I like these changes, but I think it should be dealt with separately to this
bug. Do you want to start making these changes now? The approach is fine...

http://bugzilla.mindrot.org/show_bug.cgi?id=880

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1110 is|0                           |1
           obsolete|                            |
Attachment #1111 is|0                           |1
           obsolete|                            |
   Attachment #1124|                            |ok?
               Flag|                            |

------- Comment #10 from djm at mindrot.org  2006-04-21 22:38 -------
Created an attachment (id=1124)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1124&action=view)
Tweaked patch

Tweaked patch - no functional change, just a little tidier with the
preprocessor goop.

http://bugzilla.mindrot.org/show_bug.cgi?id=880

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1124|                            |ok+
               Flag|                            |

------- Comment #11 from dtucker at zip.com.au  2006-04-22 20:46 -------
(From update of attachment 1124)
Patch seems ok to me. (I don't know the selinux interface, though)

http://bugzilla.mindrot.org/show_bug.cgi?id=880

------- Comment #12 from dtucker at zip.com.au  2006-04-22 20:54 -------
Forgot to add: built and seemed to work ok on FC4.

http://bugzilla.mindrot.org/show_bug.cgi?id=880

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingO|                            |1155
              nThis|                            |
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Comment #13 from djm at mindrot.org  2006-04-22 21:27 -------
Patch committed and will be in the 20060423+ snapshots. Thanks!