Merge pull request #36978 from xeji/selinux-2-7

SELinux libs and tools: 2.4 -> 2.7

pkgs/os-specific/linux/checkpolicy/default.nix

@@ -2,27 +2,18 @@
 
 stdenv.mkDerivation rec {
   name = "checkpolicy-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/checkpolicy-${version}.tar.gz";
-    sha256 = "1m5wjm43lzp6bld8higsvdm2dkddydihhwv9qw2w9r4dm0largcv";
+    sha256 = "009j9jc0hi4l7k8f21hn8fm25n0mqgzdpd4nk30nds6d3nglf4sl";
   };
 
-  # Don't build tests
-  postPatch = ''
-    sed '/-C test/d' -i Makefile
-    sed '1i#include <ctype.h>' -i checkpolicy.c
-  '';
-
   nativeBuildInputs = [ bison flex ];
   buildInputs = [ libsepol ];
 
-  NIX_CFLAGS_COMPILE = "-fstack-protector-all";
-
   preBuild = ''
-    makeFlagsArray+=("LEX=flex")
     makeFlagsArray+=("LIBDIR=${libsepol}/lib")
     makeFlagsArray+=("PREFIX=$out")
   '';

pkgs/os-specific/linux/libselinux/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, pkgconfig, libsepol, pcre
+{ stdenv, fetchurl, pcre, pkgconfig, libsepol
 , enablePython ? true, swig ? null, python ? null
 }:
 
@@ -8,48 +8,34 @@ with stdenv.lib;
 
 stdenv.mkDerivation rec {
   name = "libselinux-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libselinux-${version}.tar.gz";
-    sha256 = "0yqg73ns97jwjh1iyv0jr5qxb8k5sqq5ywfkx11lzfn5yj8k0126";
+    sha256 = "0mwcq78v6ngbq06xmb9dvilpg0jnl2vs9fgrpakhmmiskdvc1znh";
   };
 
   nativeBuildInputs = [ pkgconfig ];
   buildInputs = [ libsepol pcre ]
              ++ optionals enablePython [ swig python ];
 
-  # Avoid this false warning:
-  # avc_internal.c: In function 'avc_netlink_receive':
-  # avc_internal.c:105:25: error: cast increases required alignment of target type [-Werror=cast-align]
-  #  struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
-  #                         ^
-
-  NIX_CFLAGS_COMPILE = "-std=gnu89 -Wno-error=cast-align";
-
-  # Unreleased upstream patch that fixes Python package issue arising
-  # from recent SWIG changes.
-  patches = optional enablePython (fetchpatch {
-    name = "fix-python-swig.patch";
-    url = "https://github.com/SELinuxProject/selinux/commit/a9604c30a5e2f71007d31aa6ba41cf7b95d94822.patch";
-    sha256 = "0mjrclh0sd8m7vq0wvl6pg29ss415j3kn0266v8ixy4fprafagfp";
-    stripLen = 1;
-  });
+  # drop fortify here since package uses it by default, leading to compile error:
+  # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
+  hardeningDisable = [ "fortify" ];
 
   postPatch = optionalString enablePython ''
     sed -i -e 's|\$(LIBDIR)/libsepol.a|${libsepol}/lib/libsepol.a|' src/Makefile
-  ''
-  + ''
-    sed '1i#include <sys/uio.h>' -i src/setrans_client.c
   '';
 
+  # fix install locations
   preBuild = ''
-    # Build fails without this precreated
-    mkdir -p $out/include
-
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
+    makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
+    makeFlagsArray+=("MAN8DIR=$out/share/man/man8")
+    makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages")
   '';
 
   installTargets = [ "install" ] ++ optional enablePython "install-pywrap";

pkgs/os-specific/linux/libsemanage/default.nix

@@ -1,31 +1,33 @@
-{ stdenv, fetchurl, bison, flex, libsepol, libselinux, ustr, bzip2, libaudit }:
+{ stdenv, fetchurl, pkgconfig, bison, flex, libsepol, libselinux, bzip2, libaudit
+, enablePython ? true, swig ? null, python ? null
+}:
+
+with stdenv.lib;
 
 stdenv.mkDerivation rec {
   name = "libsemanage-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libsemanage-${version}.tar.gz";
-    sha256 = "1134ka4mi4387ac5yv68bpp2y7ln5xxhwp07xhqnay0nxzjaqk0s";
+    sha256 = "0xnlp1yg8b1aqc6kq3pss1i1nl06rfj4x4pyl5blasnf2ivlgs87";
   };
 
-  nativeBuildInputs = [ bison flex ];
-  buildInputs = [ libsepol libselinux ustr bzip2 libaudit ];
-
-  NIX_CFLAGS_COMPILE = [
-    "-fstack-protector-all"
-    "-std=gnu89"
-    # these were added to fix build with gcc7. review on update
-    "-Wno-error=format-truncation"
-    "-Wno-error=implicit-fallthrough"
-  ];
+  nativeBuildInputs = [ bison flex pkgconfig ];
+  buildInputs = [ libsepol libselinux bzip2 libaudit ]
+    ++ optionals enablePython [ swig python ];
 
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
+    makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
+    makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages")
   '';
 
+  installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ];
+
   meta = libsepol.meta // {
     description = "Policy management tools for SELinux";
     license = stdenv.lib.licenses.lgpl21;

pkgs/os-specific/linux/libsepol/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "libsepol-${version}";
-  version = "2.4";
-  se_release = "20150202";
+  version = "2.7";
+  se_release = "20170804";
   se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases";
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libsepol-${version}.tar.gz";
-    sha256 = "0ncnwhpc1gx4hrrb822fqkwy5h75zzngsrfkd5mlqh1jk7aib419";
+    sha256 = "1rzr90d3f1g5wy1b8sh6fgnqb9migys2zgpjmpakn6lhxkc3p7fn";
   };
 
   nativeBuildInputs = [ flex ];
@@ -16,9 +16,10 @@ stdenv.mkDerivation rec {
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("MAN8DIR=$out/share/man/man8")
+    makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
   '';
 
-  NIX_CFLAGS_COMPILE = [ "-Wno-error=implicit-fallthrough" ];
 
   passthru = { inherit se_release se_url; };
 

pkgs/os-specific/linux/policycoreutils/default.nix

@@ -1,64 +1,33 @@
-{ stdenv, fetchurl, pythonPackages, gettext
-, setools, libsepol, libselinux, libcap_ng, libsemanage, sepolgen
-}:
+{ stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }:
 
 stdenv.mkDerivation rec {
   name = "policycoreutils-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/policycoreutils-${version}.tar.gz";
-    sha256 = "0y9l9k60iy21hj0lcvfdfxs1fxydg6d3pxp9rhy7hwr4y5vgh6dq";
+    sha256 = "1x742c7lkw30namhkw87yg7z384qzqjz0pvmqs0lk19v6958l6qa";
   };
 
-  patches = [ ./fix-printf-type.patch ];
-
   postPatch = ''
-    # Fix references to libsepol.a
-    find . -name Makefile -exec sed -i 's,[^ ]*/libsepol.a,${libsepol}/lib/libsepol.a,g' {} \;
-
     # Fix install references
-    substituteInPlace po/Makefile --replace /usr/bin/install install
-
-    # Fix references to /usr/share
-    grep -r '/usr/share' | awk -F: '{print $1}' | xargs sed -i "s,\(\$(DESTDIR)\)*/usr/share,$out/share,g"
-
-    # Fix sepolicy install
-    sed -i "s,\(setup.py install\).*,\1 --prefix=$out,g" sepolicy/Makefile
-
-    # Fix setuid install
-    sed -i 's|-m 4755|-m 755|' sandbox/Makefile
+    substituteInPlace po/Makefile \
+       --replace /usr/bin/install install --replace /usr/share /share
+    substituteInPlace newrole/Makefile --replace /usr/share /share
   '';
 
-  nativeBuildInputs = [ pythonPackages.python gettext ];
-  buildInputs = [ setools libsepol libselinux libcap_ng libsemanage ];
-  pythonPath = [ libselinux sepolgen ];
+  nativeBuildInputs = [ gettext ];
+  buildInputs = [ libsepol libselinux libsemanage ];
 
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions")
+    makeFlagsArray+=("LOCALEDIR=$out/share/locale")
+    makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
   '';
 
-  # Creation of the system-config-selinux directory is broken
-  preInstall = ''
-    mkdir -p $out/share/system-config-selinux
-  '';
-
-  # Fix the python scripts to include paths to libraries
-  # NOTE: We are not using wrapPythonPrograms or makeWrapper as these scripts
-  # purge the environment as a security measure
-  postInstall = ''
-    grep -r '#!.*python' $out/bin | awk -F: '{print $1}' | xargs sed -i "1a \
-    import sys; \
-    sys.path.append('$(toPythonPath "$out")'); \
-    ${stdenv.lib.flip stdenv.lib.concatMapStrings pythonPath (lib: ''
-      sys.path.append('$(toPythonPath "${lib}")'); \
-    '')}"
-  '';
-
-  NIX_CFLAGS_COMPILE = "-fstack-protector-all";
-
   meta = with stdenv.lib; {
     description = "SELinux policy core utilities";
     license = licenses.gpl2;

pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch

@@ -1,12 +0,0 @@
-diff -Nru policycoreutils-2.4/setfiles/restore.c policycoreutils-2.4.new/setfiles/restore.c
---- policycoreutils-2.4/setfiles/restore.c	2015-02-02 09:38:10.000000000 -0500
-+++ policycoreutils-2.4.new/setfiles/restore.c	2015-08-29 20:44:13.693023222 -0400
-@@ -118,7 +118,7 @@
- 		r_opts->count++;
- 		if (r_opts->count % STAR_COUNT == 0) {
- 			if (r_opts->progress == 1) {
--				fprintf(stdout, "\r%luk", (size_t) r_opts->count / STAR_COUNT );
-+				fprintf(stdout, "\r%zuk", (size_t) r_opts->count / STAR_COUNT );
- 			} else {
- 				if (r_opts->nfile > 0) {
- 					progress = (r_opts->count < r_opts->nfile) ? (100.0 * r_opts->count / r_opts->nfile) : 100;

pkgs/os-specific/linux/selinux-python/default.nix

@@ -0,0 +1,49 @@
+{ stdenv, fetchurl, python3
+, libselinux, libsemanage, libsepol, setools }:
+
+# this is python3 only because setools only supports python3
+
+with stdenv.lib;
+with python3.pkgs;
+
+stdenv.mkDerivation rec {
+  name = "selinux-python-${version}";
+  version = "2.7";
+  se_release = "20170804";
+  se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases";
+
+  src = fetchurl {
+    url = "${se_url}/${se_release}/selinux-python-${version}.tar.gz";
+    sha256 = "1va0y4b7cah7rprh04b3ylmwqgnivpkw5z2zw68nrafdbsbcn5s2";
+  };
+
+  nativeBuildInputs = [ wrapPython ];
+  buildInputs = [ libsepol python3 ];
+  propagatedBuildInputs = [ libselinux libsemanage setools ipy ];
+
+  postPatch = ''
+    substituteInPlace sepolicy/Makefile --replace "echo --root" "echo --prefix"
+  '';
+
+  preBuild = ''
+    makeFlagsArray+=("PREFIX=$out")
+    makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("LOCALEDIR=$out/share/locale")
+    makeFlagsArray+=("LIBSEPOLA=${libsepol}/lib/libsepol.a")
+    makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions")
+    makeFlagsArray+=("PYTHON=${python3}/bin/python")
+    makeFlagsArray+=("PYTHONLIBDIR=lib/${python3.libPrefix}/site-packages")
+  '';
+
+  postFixup = ''
+    wrapPythonPrograms
+  '';
+
+  meta = {
+    description = "SELinux policy core utilities written in Python";
+    license = licenses.gpl2;
+    homepage = https://selinuxproject.org;
+    platforms = platforms.linux;
+  };
+}
+

pkgs/os-specific/linux/selinux-sandbox/default.nix

@@ -0,0 +1,61 @@
+{ stdenv, fetchurl, bash, coreutils, python3
+, libcap_ng, policycoreutils, selinux-python, dbus
+, xorgserver, openbox, xmodmap }:
+
+# this is python3 only as it depends on selinux-python
+
+with stdenv.lib; 
+with python3.pkgs;
+
+stdenv.mkDerivation rec {
+  name = "selinux-sandbox-${version}";
+  version = "2.7";
+  se_release = "20170804";
+
+  src = fetchurl {
+    url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${se_release}/selinux-sandbox-${version}.tar.gz";
+    sha256 = "0hf5chm90iapb42njaps6p5460ys3ajh5446ja544vdbh01n544l";
+  };
+
+  nativeBuildInputs = [ wrapPython ];
+  buildInputs = [ bash coreutils libcap_ng policycoreutils python3 xorgserver openbox xmodmap dbus ];
+  propagatedBuildInputs = [ pygobject3 selinux-python ];
+
+  postPatch = ''
+    # Fix setuid install
+    substituteInPlace Makefile --replace "-m 4755" "-m 755"
+    substituteInPlace sandboxX.sh \
+      --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+      --replace "/usr/share/sandbox/start" "${placeholder "out"}/share/sandbox/start" \
+      --replace "/usr/bin/cut" "${coreutils}/bin/cut" \
+      --replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xepyhr" \
+      --replace "secon" "${policycoreutils}/bin/secon"
+    substituteInPlace sandbox \
+      --replace "/usr/sbin/seunshare" "$out/bin/seunshare" \
+      --replace "/usr/share/sandbox" "$out/share/sandbox" \
+      --replace "/usr/share/locale" "${policycoreutils}/share/locale" \
+      --replace "/usr/bin/openbox" "${openbox}/bin/openbox" \
+      --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+      --replace "dbus-" "${dbus}/bin/dbus-" \
+      --replace "/usr/bin/xmodmap" "${xmodmap}/bin/xmodmap" \
+      --replace "/usr/bin/shred" "${coreutils}/bin/shred" \
+      --replace "/usr/bin/test" "${coreutils}/bin/test" \
+  '';
+
+  preBuild = ''
+    makeFlagsArray+=("PREFIX=$out")
+    makeFlagsArray+=("DESTDIR=$out")
+  '';
+
+  postFixup = ''
+    wrapPythonPrograms
+  '';
+
+  meta = {
+    description = "SELinux sandbox utility";
+    license = licenses.gpl2;
+    homepage = https://selinuxproject.org;
+    platforms = platforms.linux;
+  };
+}
+

pkgs/os-specific/linux/setools/default.nix

@@ -1,35 +1,42 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, bison, flex
-, python, swig2, tcl, libsepol, libselinux, libxml2, sqlite, bzip2 }:
+{ stdenv, fetchFromGitHub, bison, flex, python3 , swig
+, libsepol, libselinux, checkpolicy
+, withGraphics ? false
+}:
 
-stdenv.mkDerivation rec {
-  name = "setools-2015-02-12";
+with stdenv.lib;
+with python3.pkgs;
+
+buildPythonApplication rec {
+  pname = "setools";
+  version = "2017-11-10";
 
   src = fetchFromGitHub {
     owner = "TresysTechnology";
-    repo = "setools3";
-    rev = "f1e5b208d507171968ca4d2eeefd7980f1004a3c";
-    sha256 = "02gzy2kpszhr13f0d9qfiwh2hj4201g2x366j53v5n5qz481aykd";
+    repo = pname;
+    rev = "a1aa0f33f5c428d3f9fe82960ed5de36f38047f7";
+    sha256 = "0iyj35fff93cprjkzbkg9dn5xz8dg5h2kjx3476fl625nxxskndn";
   };
 
-  configureFlags = [
-    "--disable-gui"
-    "--with-sepol-devel=${libsepol}"
-    "--with-selinux-devel=${libselinux}"
-    "--with-tcl=${tcl}/lib"
-  ];
+  nativeBuildInputs = [ bison flex ];
+  buildInputs = [ libsepol swig ];
+  propagatedBuildInputs = [ enum34 libselinux networkx ]
+    ++ optionals withGraphics [ pyqt5 ];
 
-  hardeningDisable = [ "format" ];
+  checkInputs = [ tox checkpolicy ];
+  preCheck = ''
+    export CHECKPOLICY=${checkpolicy}/bin/checkpolicy
+  '';
 
-  NIX_CFLAGS_COMPILE = "-fstack-protector-all";
-  NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib";
+  setupPyBuildFlags = [ "-i" ];
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig python swig2 bison flex ];
-  buildInputs = [ tcl libxml2 sqlite bzip2 ];
+  preBuild = ''
+    export SEPOL="${libsepol}/lib/libsepol.a"
+  '';
 
   meta = {
     description = "SELinux Tools";
-    homepage = http://oss.tresys.com/projects/setools/;
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    homepage = https://github.com/TresysTechnology/setools/wiki;
+    license = licenses.gpl2;
+    platforms = platforms.linux;
   };
 }

pkgs/os-specific/linux/systemd/default.nix

@@ -10,6 +10,7 @@
 , getent
 , hostPlatform
 , buildPackages
+, withSelinux ? false, libselinux
 }:
 
 assert stdenv.isLinux;
@@ -44,7 +45,7 @@ in stdenv.mkDerivation rec {
       iptables gnu-efi
       # This is actually native, but we already pull it from buildPackages
       pythonLxmlEnv
-    ];
+    ] ++ stdenv.lib.optionals withSelinux [ libselinux ];
 
   #dontAddPrefix = true;
 

pkgs/top-level/all-packages.nix

@@ -11393,6 +11393,8 @@ with pkgs;
 
   sblim-sfcc = callPackage ../development/libraries/sblim-sfcc {};
 
+  selinux-sandbox = callPackage ../os-specific/linux/selinux-sandbox { };
+
   serd = callPackage ../development/libraries/serd {};
 
   serf = callPackage ../development/libraries/serf {};
@@ -20704,6 +20706,11 @@ with pkgs;
   seafile-shared = callPackage ../misc/seafile-shared { };
 
   serviio = callPackage ../servers/serviio {};
+  selinux-python = callPackage ../os-specific/linux/selinux-python {
+    # needs python3 bindings
+    libselinux = libselinux.override { python = python3; };
+    libsemanage = libsemanage.override { python = python3; };
+  };
 
   slock = callPackage ../misc/screensavers/slock {
     conf = config.slock.conf or null;