undefined reference to `setcon' compiling 5.4p1 w/ SELinux on RHEL 4.8

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

I am attempting to compile OpenSSH 5.4p1 on RHEL 4.8 i686 and am
getting the error in the log below.  libselinux-devel is installed and
is version 1.19.1-7.4 which is the latest available for RHEL4.  5.3p1
compiles successfully. zlib-(devel-)1.2.3 and openssl-
(devel-)0.9.7a-43.17.el4_7.2 are installed. gcc is version 3.4.6
20060404 (Red Hat 3.4.6-11).

I grepped for setcon in /usr/include and it was not found, however
getcon is defined in selinux/selinux.h.  Does this mean that SELinux
on RHEL 4 is too old to support setcon and therefore OpenSSH 5.4p1?
If so is this something OpenSSH could work around?

I do know that RHEL backports security fixes, but I a) want new
features and b) want to quiet a braindead tcp vulnerability scanner
that checks the version number only.

$ ./configure --with-md5-passwords --with-selinux --with-pam
             Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -
Wsign-compare -Wformat-security -fno-builtin-memset -std=gnu99
Preprocessor flags:
      Linker flags:
         Libraries: -lcrypto -ldl -lutil -lz -lnsl  -lcrypt
         +for sshd:  -lpam -lselinux

$ make
ranlib libssh.a
gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -
L. -Lopenbsd-compat/  -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz -
lnsl  -lcrypt
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-
rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o
auth2.o auth-options.o session.o auth-chall.o auth2-chall.o
groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-
kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o
auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-
shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o sftp-
server.o sftp-common.o roaming_common.o roaming_serv.o -L. -Lopenbsd-
compat/  -lssh -lopenbsd-compat -lpam -lselinux -lcrypto -ldl -lutil -
lz -lnsl  -lcrypt
gcc -o ssh-add ssh-add.o -L. -Lopenbsd-compat/  -lssh -lopenbsd-compat
-lcrypto -ldl -lutil -lz -lnsl  -lcrypt
openbsd-compat//libopenbsd-compat.a(port-linux.o)(.text+0x3ab): In
function `ssh_selinux_change_context':
/tmp/openssh-5.4p1/openbsd-compat/port-linux.c:203: undefined
reference to `setcon'
collect2: ld returned 1 exit status
make: *** [sshd] Error 1
make: *** Waiting for unfinished jobs....

P.S. posting via Google Groups - apologies.

Re: undefined reference to `setcon' compiling 5.4p1 w/ SELinux on RHEL 4.8

Quoted text here. Click to load it

First things first. *WHY*? RHEL 4 is over 5 years old. Continuing to
backport contemporary tools to such an old release is bound to spend a
lot of manpower that is often better spent elsewhere. If you can, you
should really be updating to RHEL 5.4. RHEL 5 is still over 3 years
old, but you've a much better chance of being able to maintain
packages there. I went through that over the last few years with
Subversion and Ant and PHP, and it gets nastier and nastier as tools
are updated by their authors and RHEL falls futher out of date.

Second. does it compile without selinux?

Third: Can you backport the OpenSSH SRPM from Fedora 13 as a starting
point? You'll need to use "rpm2cpio" to extract the files, since RPM
checksums have changed and such an old RPM version will error it. But
it's still a cpio archive inside, so rpm2cpio works fine.

Quoted text here. Click to load it

Yes, turn off SELinux at autoconf time and don't use it. (Nasty, but
workable.) There may also be RedHat published changes in the SRPM's,
especially the more recent Fedora ones. Take a look there.

Quoted text here. Click to load it

You've my sympathies. I wanted Kerberos single-sign-on. There's a
commercial company, Centrify, that sells services to integrate single-
sign-on and account management with Active Directory, and they sell a
5.2p1 RPM. They don't publish the SRPM, though. It's BSD licensed, not
GPL, darn it.

You also may have problems with PAM: the "authconfig" tools for RHEL
4.x are sufficiently out of date that they may not understand all the
PAM options that OpenSSH 5.x handles.

Quoted text here. Click to load it

Site Timeline