diff options
| author | Colin Watson <cjwatson@debian.org> | 2005-06-17 12:44:30 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2005-06-17 12:44:30 +0000 |
| commit | 4c2d1c67cea075107aadaa6d81fe456687c69e67 (patch) | |
| tree | 4f31813c8306491c908948bd75254912385ed651 /debian | |
| parent | bed4bb0fe9380912ecb90e5f918bce8825ec0a38 (diff) | |
Manoj Srivastava:
- Added SELinux capability, and turned it on be default. Added
restorecon calls in preinst and postinst (should not matter if the
machine is not SELinux aware). By and large, the changes made should
have no effect unless the rules file calls --with-selinux; and even
then there should be no performance hit for machines not actively
running SELinux.
- Modified the preinst and postinst to call restorecon to set the
security context for the generated public key files.
- Added a comment to /etc/pam.d/ssh to indicate that an SELinux system
may want to also include pam_selinux.so.
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/changelog | 11 | ||||
| -rw-r--r-- | debian/control | 2 | ||||
| -rw-r--r-- | debian/openssh-server.postinst | 3 | ||||
| -rw-r--r-- | debian/openssh-server.preinst | 3 | ||||
| -rw-r--r-- | debian/openssh-server.ssh.pam | 3 | ||||
| -rwxr-xr-x | debian/rules | 7 |
6 files changed, 27 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog index 671a44922..aae858b96 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -2,6 +2,17 @@ openssh (1:4.1p1-4) UNRELEASED; urgency=low | |||
| 2 | 2 | ||
| 3 | * openssh-client and openssh-server conflict with ssh-krb5, as ssh-krb5 | 3 | * openssh-client and openssh-server conflict with ssh-krb5, as ssh-krb5 |
| 4 | only conflicts with ssh (closes: #312475). | 4 | only conflicts with ssh (closes: #312475). |
| 5 | * Manoj Srivastava: | ||
| 6 | - Added SELinux capability, and turned it on be default. Added | ||
| 7 | restorecon calls in preinst and postinst (should not matter if the | ||
| 8 | machine is not SELinux aware). By and large, the changes made should | ||
| 9 | have no effect unless the rules file calls --with-selinux; and even | ||
| 10 | then there should be no performance hit for machines not actively | ||
| 11 | running SELinux. | ||
| 12 | - Modified the preinst and postinst to call restorecon to set the | ||
| 13 | security context for the generated public key files. | ||
| 14 | - Added a comment to /etc/pam.d/ssh to indicate that an SELinux system | ||
| 15 | may want to also include pam_selinux.so. | ||
| 5 | * debconf template translations: | 16 | * debconf template translations: |
| 6 | - Update German (thanks, Jens Seidel; closes: #313949). | 17 | - Update German (thanks, Jens Seidel; closes: #313949). |
| 7 | 18 | ||
diff --git a/debian/control b/debian/control index 4e7cfd1b1..de945cf9c 100644 --- a/debian/control +++ b/debian/control | |||
| @@ -2,7 +2,7 @@ Source: openssh | |||
| 2 | Section: net | 2 | Section: net |
| 3 | Priority: standard | 3 | Priority: standard |
| 4 | Maintainer: Matthew Vernon <matthew@debian.org> | 4 | Maintainer: Matthew Vernon <matthew@debian.org> |
| 5 | Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) [!hurd-i386] | libgnome-dev [!hurd-i386], libedit-dev, groff, debhelper (>= 2), sharutils [!hurd-i386] | 5 | Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) [!hurd-i386] | libgnome-dev [!hurd-i386], libedit-dev, groff, debhelper (>= 2), sharutils [!hurd-i386], libselinux1-dev [alpha amd64 arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc] |
| 6 | Standards-Version: 3.6.1 | 6 | Standards-Version: 3.6.1 |
| 7 | Uploaders: Colin Watson <cjwatson@debian.org> | 7 | Uploaders: Colin Watson <cjwatson@debian.org> |
| 8 | 8 | ||
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 9beb373b7..e6fe65ffa 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst | |||
| @@ -94,6 +94,9 @@ create_key() { | |||
| 94 | echo -n $msg | 94 | echo -n $msg |
| 95 | ssh-keygen -q -f "$file" -N '' "$@" | 95 | ssh-keygen -q -f "$file" -N '' "$@" |
| 96 | echo | 96 | echo |
| 97 | if type restorecon >/dev/null 2>&1; then | ||
| 98 | restorecon "$file.pub" | ||
| 99 | fi | ||
| 97 | fi | 100 | fi |
| 98 | } | 101 | } |
| 99 | 102 | ||
diff --git a/debian/openssh-server.preinst b/debian/openssh-server.preinst index 320d4df2a..1ae85c7e8 100644 --- a/debian/openssh-server.preinst +++ b/debian/openssh-server.preinst | |||
| @@ -72,6 +72,9 @@ EOF | |||
| 72 | # case the key is encrypted, which we need to fix | 72 | # case the key is encrypted, which we need to fix |
| 73 | chmod 600 $key | 73 | chmod 600 $key |
| 74 | ssh-keygen -u -f $key >/dev/null | 74 | ssh-keygen -u -f $key >/dev/null |
| 75 | if type restorecon >/dev/null 2>&1; then | ||
| 76 | restorecon "$key.pub" | ||
| 77 | fi | ||
| 75 | } | 78 | } |
| 76 | fi | 79 | fi |
| 77 | fi | 80 | fi |
diff --git a/debian/openssh-server.ssh.pam b/debian/openssh-server.ssh.pam index 1332a267e..ce33b9347 100644 --- a/debian/openssh-server.ssh.pam +++ b/debian/openssh-server.ssh.pam | |||
| @@ -22,5 +22,8 @@ session optional pam_mail.so standard noenv # [1] | |||
| 22 | # Set up user limits from /etc/security/limits.conf. | 22 | # Set up user limits from /etc/security/limits.conf. |
| 23 | session required pam_limits.so | 23 | session required pam_limits.so |
| 24 | 24 | ||
| 25 | # Set up SELinux capabilities (need modified pam) | ||
| 26 | # session required pam_selinux.so multiple | ||
| 27 | |||
| 25 | # Standard Un*x password updating. | 28 | # Standard Un*x password updating. |
| 26 | @include common-password | 29 | @include common-password |
diff --git a/debian/rules b/debian/rules index 452b7fdbf..772d08f84 100755 --- a/debian/rules +++ b/debian/rules | |||
| @@ -57,6 +57,11 @@ ifeq ($(DEB_HOST_ARCH_OS),hurd) | |||
| 57 | FORCE_LIBS := LIBS=-lcrypt | 57 | FORCE_LIBS := LIBS=-lcrypt |
| 58 | endif | 58 | endif |
| 59 | 59 | ||
| 60 | # SELinux support? | ||
| 61 | ifeq ($(DEB_HOST_ARCH_OS),linux) | ||
| 62 | SELINUX := --with-selinux | ||
| 63 | endif | ||
| 64 | |||
| 60 | # Change the version string to include the Debian version | 65 | # Change the version string to include the Debian version |
| 61 | SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//') | 66 | SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//') |
| 62 | 67 | ||
| @@ -66,7 +71,7 @@ build-deb: build-deb-stamp | |||
| 66 | build-deb-stamp: | 71 | build-deb-stamp: |
| 67 | dh_testdir | 72 | dh_testdir |
| 68 | mkdir -p build-deb | 73 | mkdir -p build-deb |
| 69 | cd build-deb && $(FORCE_LIBS) ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-libedit | 74 | cd build-deb && $(FORCE_LIBS) ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-libedit $(SELINUX) |
| 70 | 75 | ||
| 71 | ifeq ($(DEB_HOST_ARCH_OS),linux) | 76 | ifeq ($(DEB_HOST_ARCH_OS),linux) |
| 72 | # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999). | 77 | # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999). |