SELinux support for openssh{,-server,-client,-server-udeb,-client-udeb}

Bug #16078 reported by Lorenzo Hernández García-Hierro (a.k.a. trulux)
Affects: openssh (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Colin Watson

Bug Description

Hi,

As part of our effort in deploying SELinux in Ubuntu Linux, openssh needs to be
patched in order to handle user contexts properly during authentication, tty, etc.

The packages can be found at:
http://pearls.tuxedo-es.org/selinux/ubuntu/openssh/

It has just one patch (coming from RH Fedora CVS) applied and nothing more than
the needed changes in debian/rules for setting --with-selinux in both normal and
udeb builds.

They have been tested and are known to work on Hoary, both with and without
SELinux enabled, without any problem or negative impact on the overall
performance or behavior.

Thanks in advance,
Cheers.
Lorenzo.

http://www.ubuntulinux.org/wiki/SELinux

Lorenzo Hernández García-Hierro (a.k.a. trulux) (lorenzo-debian-hardened) wrote :

Created an attachment (id=2129)
Fedora CVS patch for OpenSSH SELinux support.

Colin Watson (cjwatson) wrote :

Done, and merged to Ubuntu:

openssh (1:4.1p1-4) unstable; urgency=low

  * openssh-client and openssh-server conflict with ssh-krb5, as ssh-krb5
    only conflicts with ssh (closes: #312475).
  * SELinux support (thanks, Manoj Srivastava; closes: #308555):
    - Added SELinux capability, and turned it on by default. Added
      restorecon calls in preinst and postinst (should not matter if the
      machine is not SELinux aware). By and large, the changes made should
      have no effect unless the rules file calls --with-selinux; and even
      then there should be no performance hit for machines not actively
      running SELinux.
    - Modified the preinst and postinst to call restorecon to set the
      security context for the generated public key files.
    - Added a comment to /etc/pam.d/ssh to indicate that an SELinux system
      may want to also include pam_selinux.so.
  * Re-enable ssh-askpass-gnome on the Hurd, now that its build-dependencies
    are available.
  * Restore /usr/lib/sftp-server temporarily, as a symlink to
    /usr/lib/openssh/sftp-server (closes: #312891).
  * Switch to debhelper compatibility level 3, since 2 is deprecated.
  * debconf template translations:
    - Update German (thanks, Jens Seidel; closes: #313949).

 -- Colin Watson <email address hidden> Fri, 17 Jun 2005 14:20:20 +0100
