Package Details: openssh-selinux 9.9p1-2

Git Clone URL: https://aur.archlinux.org/openssh-selinux.git (read-only)
Package Base: openssh-selinux
Description: SSH protocol implementation for remote login, command execution and file transfer, with SELinux support
Upstream URL: https://www.openssh.com/portable.html
Keywords: selinux
Licenses: MIT, ISC, BSD-3-Clause, BSD-2-Clause, LicenseRef-Public-Domain
Groups: selinux
Conflicts: openssh, selinux-openssh
Provides: openssh, selinux-openssh
Submitter: Siosm
Maintainer: IooNag
Last Packager: IooNag
Votes: 20
Popularity: 0.000621
First Submitted: 2013-11-03 20:05 (UTC)
Last Updated: 2024-11-01 09:59 (UTC)

Latest Comments

yar commented on 2024-07-02 18:57 (UTC)

Please update asap. You're shipping a root exploit!

cge commented on 2022-07-19 21:40 (UTC)

Building this package will fail if the user's default shell is not a POSIX shell, e.g., if the user's shell is fish. Running makepkg under a POSIX shell makes no difference.

IooNag commented on 2021-10-12 18:20 (UTC)

@xavierbaez The package builds fine for me. There may be an application which is already listening on port 4242 on your machine. You can fix this issue by building the package in a clean environment (such as a virtual machine or a container), or by building without running tests (with makepkg --nocheck), or by installing the package which was built from GitHub's continuous integration system: https://github.com/archlinuxhardened/selinux/releases/tag/ArchLinux-SELinux
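
An added example (not part of the comment above or of the package): a pre-build check for the port conflict described there, which reads `ss -Htln` output and reports any listener on port 4242. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a listener that would collide with the regress
# suite's sshd on port 4242 before running check().

# listeners_on_port PORT
# Reads `ss -Htln` style lines on stdin and prints the local address of
# every listening socket bound to PORT.
listeners_on_port() {
    # Field 4 is "Local Address:Port"; the port is the text after the last
    # ':' so IPv6 forms such as [::1]:4242 are handled too.
    awk -v p="$1" '$1 == "LISTEN" {
        n = split($4, a, ":")
        if (a[n] == p) print $4
    }'
}

# port_is_free PORT
# Exit status 0 when the listing on stdin shows nothing listening on PORT.
port_is_free() {
    [ -z "$(listeners_on_port "$1")" ]
}

# Constructed sample listing (not captured from a real host).
sample_busy='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4242 0.0.0.0:*
LISTEN 0 128 [::]:14242 [::]:*'

# Demonstration on the sample; on a live system pipe in `ss -Htln` instead.
if printf '%s\n' "$sample_busy" | port_is_free 4242; then
    echo "port 4242 is free: check() can start its test sshd"
else
    echo "port 4242 is taken by:"
    printf '%s\n' "$sample_busy" | listeners_on_port 4242
    echo "build in a clean environment or use makepkg --nocheck"
fi
```

On a real machine, `ss -Htln | port_is_free 4242` gives the same answer for the current host.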

xavierbaez commented on 2021-10-11 07:22 (UTC) (edited on 2021-10-11 07:23 (UTC) by xavierbaez)

Have a problem installing openssh-selinux

Tried on two computers:

make[1]: Entering directory '~/.cache/yay/openssh-selinux/src/openssh-8.8p1/regress'
run test connect.sh ...
FATAL: no sshd running on port 4242
make[1]: [Makefile:219: t-exec] Error 1
make[1]: Leaving directory '~/.cache/yay/openssh-selinux/src/openssh-8.8p1/regress'
make: [Makefile:722: t-exec] Error 2
==> ERROR: A failure occurred in check(). Aborting...
error making: openssh-selinux

kfollstad commented on 2021-07-27 21:23 (UTC) (edited on 2021-07-27 23:28 (UTC) by kfollstad)

It might be worth noting here the potential pitfalls that you might run into building this if you have python-twisted installed but not all of its optional dependencies as I did.

Part of the Makefile specifies interops tests with conch which are called by check() in PKGBUILD (only) if conch exists. However conch comes packaged in python-twisted but by default does not work unless you have also installed the optional dependencies: python-cryptography, python-pyasn1, python-appdirs, and python-bcrypt.

I was able to successfully build and install this using this slightly tweaked PKGBUILD

diff --git a/PKGBUILD b/PKGBUILD
index 35d457a..b6bd827 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -19,7 +19,8 @@ license=('custom:BSD')
 arch=('x86_64' 'aarch64')
 depends=('glibc' 'krb5' 'openssl' 'libedit' 'ldns' 'libxcrypt'
          'libcrypt.so' 'zlib' 'pam' 'libselinux')
 makedepends=('linux-headers' 'libfido2')
-checkdepends=('inetutils')
+checkdepends=('inetutils' 'python-twisted' 'python-cryptography'
+              'python-pyasn1' 'python-appdirs' 'python-bcrypt')
 optdepends=('xorg-xauth: X11 forwarding'
             'x11-ssh-askpass: input passphrase in X'
             'libfido2: FIDO/U2F support')
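
Review bot: the new checkdepends entries make python-twisted and four of its optional dependencies mandatory for every build that runs check(), so the conch interop test stops being optional instead of being skipped when conch cannot work. If the aim is only to keep a partially installed conch from failing the build, consider leaving checkdepends=('inetutils') unchanged and skipping the conch test; if the longer list stays, a one-line comment above it saying these packages exist only for the conch interop test would help the next packager.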

It might be better to disable the conch test or patch regress/test-exec.sh to check for the dependencies similarly to the below (untested) code.

--- regress/test-exec.sh
+++ /home/username/tmp/openssh-test-exec.patched.sh
@@ -148,6 +148,15 @@
    /*) CONCH="${TEST_SSH_CONCH}" ;;
    *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;;
    esac
+   # Arch specific as conch (as installed via python-twisted)
+   # is non-functional without these optional dependencies.
+   HAS_DEPENDS=0
+   pacman -Qq python-cryptography python-pyans1 \
+   python-appdirs python-bcrypt &> /dev/null || HAS_DEPENDS=1
+   if [ $HAS_DEPENDS -eq 1 ]; then
+       CONCH=""
+   fi
 fi
 if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then
    SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}"
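
Review bot: the added pacman -Qq line queries python-pyans1, which looks like a typo for python-pyasn1 (the name used in the PKGBUILD change above); with the misspelled name the query fails even when all four dependencies are installed, so CONCH is always cleared. The same line uses &> /dev/null, a bash-only redirection, while the neighbouring context line uses the portable 2>/dev/null; >/dev/null 2>&1 would match the rest of the script. HAS_DEPENDS=1 standing for "a dependency is missing" also reads inverted; setting CONCH="" directly after the || would remove the need for the variable.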

Also, IooNag, thank you very much for maintaining this and all you do for making SELinux work on Arch.

Unb0rn commented on 2020-02-17 06:16 (UTC)

I seem to have the same problem as in here: https://bugs.archlinux.org/task/65513 Maybe this should be updated too?

IooNag commented on 2020-02-16 07:26 (UTC)

@yar I updated openssh-selinux to 8.2p1-1 a few hours ago, because the tests worked and it fixed the issue of broken systems due to the glibc update (cf. https://github.com/archlinuxhardened/selinux/pull/27#issuecomment-586648511). openssh 8.2p1-1 was in testing a few hours ago, but is now in core, so the issue caused by glibc update is fixed. Thanks again for your bug report!

yar commented on 2020-02-16 03:36 (UTC)

Not sure offhand, but 8.2 is out, maybe that'll work?

Meanwhile anybody with this package who's Syu'd in the past few days has bricked their sshd :/

IooNag commented on 2020-02-14 08:23 (UTC)

@yar Thanks for the update! Unfortunately the tests are broken with the new version I am testing (8.1p1-4, with the backported patch): https://github.com/archlinuxhardened/selinux/pull/27

I do not have time at the moment to debug this and to investigate whether it is an issue from -selinux package, Arch package or OpenSSH upstream. So I will not update openssh-selinux today, but if you want to find out what is going wrong, it would be very helpful.

yar commented on 2020-02-14 07:32 (UTC)

This is broken by glibc 2.31, needs to incorporate new changes in arch package