From 880d8c16b5b8a2281a8f26b5f0bd76a3aad8dd46 Mon Sep 17 00:00:00 2001 From: xeji Date: Wed, 14 Mar 2018 11:55:31 +0100 Subject: [PATCH 01/11] libsepol: 2.4 -> 2.7 --- pkgs/os-specific/linux/libsepol/default.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/pkgs/os-specific/linux/libsepol/default.nix b/pkgs/os-specific/linux/libsepol/default.nix index f7f393afb39..59962e911d4 100644 --- a/pkgs/os-specific/linux/libsepol/default.nix +++ b/pkgs/os-specific/linux/libsepol/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { name = "libsepol-${version}"; - version = "2.4"; - se_release = "20150202"; + version = "2.7"; + se_release = "20170804"; se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases"; src = fetchurl { url = "${se_url}/${se_release}/libsepol-${version}.tar.gz"; - sha256 = "0ncnwhpc1gx4hrrb822fqkwy5h75zzngsrfkd5mlqh1jk7aib419"; + sha256 = "1rzr90d3f1g5wy1b8sh6fgnqb9migys2zgpjmpakn6lhxkc3p7fn"; }; nativeBuildInputs = [ flex ]; @@ -16,9 +16,10 @@ stdenv.mkDerivation rec { preBuild = '' makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("DESTDIR=$out") + makeFlagsArray+=("MAN8DIR=$out/share/man/man8") + makeFlagsArray+=("MAN3DIR=$out/share/man/man3") ''; - NIX_CFLAGS_COMPILE = [ "-Wno-error=implicit-fallthrough" ]; passthru = { inherit se_release se_url; }; From ea7507b9dc990814ca6d69997add7fe7c9e36f7b Mon Sep 17 00:00:00 2001 From: xeji Date: Wed, 14 Mar 2018 13:25:41 +0100 Subject: [PATCH 02/11] libselinux: 2.4 -> 2.7 --- pkgs/os-specific/linux/libselinux/default.nix | 36 ++++++------------- 1 file changed, 11 insertions(+), 25 deletions(-) diff --git a/pkgs/os-specific/linux/libselinux/default.nix b/pkgs/os-specific/linux/libselinux/default.nix index 541ead7258f..0175f79483f 100644 --- a/pkgs/os-specific/linux/libselinux/default.nix +++ b/pkgs/os-specific/linux/libselinux/default.nix 
@@ -1,4 +1,4 @@ -{ stdenv, fetchurl, fetchpatch, pkgconfig, libsepol, pcre +{ stdenv, fetchurl, pcre, pkgconfig, libsepol , enablePython ? true, swig ? null, python ? null }: 
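Review bot: `enablePython ? true` defaults the Python bindings on while `swig ? null, python ? null` default to null, so a caller that keeps `enablePython = true` but supplies neither tool gets an obscure failure in the build rather than an evaluation-time error. An assertion after the argument set makes the contract explicit, e.g. `assert enablePython -> swig != null && python != null;`. The libsemanage argument set introduced in patch 03 uses the same pattern and would take the same assertion.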
@@ -8,48 +8,34 @@ with stdenv.lib; stdenv.mkDerivation rec { name = "libselinux-${version}"; - version = "2.4"; + version = "2.7"; inherit (libsepol) se_release se_url; src = fetchurl { url = "${se_url}/${se_release}/libselinux-${version}.tar.gz"; - sha256 = "0yqg73ns97jwjh1iyv0jr5qxb8k5sqq5ywfkx11lzfn5yj8k0126"; + sha256 = "0mwcq78v6ngbq06xmb9dvilpg0jnl2vs9fgrpakhmmiskdvc1znh"; }; nativeBuildInputs = [ pkgconfig ]; buildInputs = [ libsepol pcre ] ++ optionals enablePython [ swig python ]; - # Avoid this false warning: - # avc_internal.c: In function 'avc_netlink_receive': - # avc_internal.c:105:25: error: cast increases required alignment of target type [-Werror=cast-align] - # struct nlmsghdr *nlh = (struct nlmsghdr *)buf; - # ^ - - NIX_CFLAGS_COMPILE = "-std=gnu89 -Wno-error=cast-align"; - - # Unreleased upstream patch that fixes Python package issue arising - # from recent SWIG changes. - patches = optional enablePython (fetchpatch { - name = "fix-python-swig.patch"; - url = "https://github.com/SELinuxProject/selinux/commit/a9604c30a5e2f71007d31aa6ba41cf7b95d94822.patch"; - sha256 = "0mjrclh0sd8m7vq0wvl6pg29ss415j3kn0266v8ixy4fprafagfp"; - stripLen = 1; - }); + # drop fortify here since package uses it by default, leading to compile error: + # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror] + hardeningDisable = [ "fortify" ]; postPatch = optionalString enablePython '' sed -i -e 's|\$(LIBDIR)/libsepol.a|${libsepol}/lib/libsepol.a|' src/Makefile - '' - + '' - sed '1i#include ' -i src/setrans_client.c ''; + # fix install locations preBuild = '' - # Build fails without this precreated - mkdir -p $out/include - makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("DESTDIR=$out") + makeFlagsArray+=("MAN3DIR=$out/share/man/man3") + makeFlagsArray+=("MAN5DIR=$out/share/man/man5") + makeFlagsArray+=("MAN8DIR=$out/share/man/man8") + makeFlagsArray+=("PYSITEDIR=$out/lib/python2.7/site-packages") ''; installTargets = [ "install" ] ++ optional enablePython 
"install-pywrap"; From 232c39e7abdb86c3533c258dc0bcacd380c34369 Mon Sep 17 00:00:00 2001 From: xeji Date: Wed, 14 Mar 2018 13:43:48 +0100 Subject: [PATCH 03/11] libsemanage: 2.4 -> 2.7 --- .../os-specific/linux/libsemanage/default.nix | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/pkgs/os-specific/linux/libsemanage/default.nix b/pkgs/os-specific/linux/libsemanage/default.nix index 587349e4067..303853c9ee2 100644 --- a/pkgs/os-specific/linux/libsemanage/default.nix +++ b/pkgs/os-specific/linux/libsemanage/default.nix 
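Review bot: `hardeningDisable = [ "fortify" ];` switches off the cc-wrapper's `_FORTIFY_SOURCE` for the whole libselinux build on the strength of a comment that upstream sets it itself, but the comment does not say where, so a later bump that drops it from upstream's CFLAGS would leave this library — which parses context and policy files on behalf of every caller — silently unfortified. Suggest recording the source of the conflict so it is re-checked on update: `# upstream's own CFLAGS pass -D_FORTIFY_SOURCE=2; the wrapper's copy then trips -Werror on redefinition (re-verify on version bump)`. The hard-coded `python2.7` in `PYSITEDIR` is addressed in patch 08 and is not re-raised here.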
@@ -1,31 +1,33 @@ -{ stdenv, fetchurl, bison, flex, libsepol, libselinux, ustr, bzip2, libaudit }: +{ stdenv, fetchurl, pkgconfig, bison, flex, libsepol, libselinux, bzip2, libaudit +, enablePython ? true, swig ? null, python ? null +}: + +with stdenv.lib; stdenv.mkDerivation rec { name = "libsemanage-${version}"; - version = "2.4"; + version = "2.7"; inherit (libsepol) se_release se_url; src = fetchurl { url = "${se_url}/${se_release}/libsemanage-${version}.tar.gz"; - sha256 = "1134ka4mi4387ac5yv68bpp2y7ln5xxhwp07xhqnay0nxzjaqk0s"; + sha256 = "0xnlp1yg8b1aqc6kq3pss1i1nl06rfj4x4pyl5blasnf2ivlgs87"; }; - nativeBuildInputs = [ bison flex ]; - buildInputs = [ libsepol libselinux ustr bzip2 libaudit ]; - - NIX_CFLAGS_COMPILE = [ - "-fstack-protector-all" - "-std=gnu89" - # these were added to fix build with gcc7. review on update - "-Wno-error=format-truncation" - "-Wno-error=implicit-fallthrough" - ]; + nativeBuildInputs = [ bison flex pkgconfig ]; + buildInputs = [ libsepol libselinux bzip2 libaudit ] + ++ optionals enablePython [ swig python ]; preBuild = '' makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("DESTDIR=$out") + makeFlagsArray+=("MAN3DIR=$out/share/man/man3") + makeFlagsArray+=("MAN5DIR=$out/share/man/man5") + makeFlagsArray+=("PYSITEDIR=$out/lib/python2.7/site-packages") ''; + installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ]; + meta = libsepol.meta // { description = "Policy management tools for SELinux"; license = stdenv.lib.licenses.lgpl21; From 70044c899ebda11f24ccacfe397084c4ea12a2c3 Mon Sep 17 00:00:00 2001 From: xeji Date: Wed, 14 Mar 2018 20:06:58 +0100 Subject: [PATCH 04/11] policycoreutils: 2.4 -> 2.7 --- .../linux/policycoreutils/default.nix | 53 ++++--------------- .../policycoreutils/fix-printf-type.patch | 12 ----- 2 files changed, 11 insertions(+), 54 deletions(-) delete mode 100644 pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch 
diff --git a/pkgs/os-specific/linux/policycoreutils/default.nix b/pkgs/os-specific/linux/policycoreutils/default.nix index 536c69ff557..d2f6371225f 100644 --- a/pkgs/os-specific/linux/policycoreutils/default.nix +++ b/pkgs/os-specific/linux/policycoreutils/default.nix 
@@ -1,64 +1,33 @@ -{ stdenv, fetchurl, pythonPackages, gettext -, setools, libsepol, libselinux, libcap_ng, libsemanage, sepolgen -}: +{ stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }: stdenv.mkDerivation rec { name = "policycoreutils-${version}"; - version = "2.4"; + version = "2.7"; inherit (libsepol) se_release se_url; src = fetchurl { url = "${se_url}/${se_release}/policycoreutils-${version}.tar.gz"; - sha256 = "0y9l9k60iy21hj0lcvfdfxs1fxydg6d3pxp9rhy7hwr4y5vgh6dq"; + sha256 = "1x742c7lkw30namhkw87yg7z384qzqjz0pvmqs0lk19v6958l6qa"; }; - patches = [ ./fix-printf-type.patch ]; - postPatch = '' - # Fix references to libsepol.a - find . -name Makefile -exec sed -i 's,[^ ]*/libsepol.a,${libsepol}/lib/libsepol.a,g' {} \; - # Fix install references - substituteInPlace po/Makefile --replace /usr/bin/install install - - # Fix references to /usr/share - grep -r '/usr/share' | awk -F: '{print $1}' | xargs sed -i "s,\(\$(DESTDIR)\)*/usr/share,$out/share,g" - - # Fix sepolicy install - sed -i "s,\(setup.py install\).*,\1 --prefix=$out,g" sepolicy/Makefile - - # Fix setuid install - sed -i 's|-m 4755|-m 755|' sandbox/Makefile + substituteInPlace po/Makefile \ + --replace /usr/bin/install install --replace /usr/share /share + substituteInPlace newrole/Makefile --replace /usr/share /share ''; - nativeBuildInputs = [ pythonPackages.python gettext ]; - buildInputs = [ setools libsepol libselinux libcap_ng libsemanage ]; - pythonPath = [ libselinux sepolgen ]; + nativeBuildInputs = [ gettext ]; + buildInputs = [ libsepol libselinux libsemanage ]; preBuild = '' makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("DESTDIR=$out") + makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions") + makeFlagsArray+=("LOCALEDIR=$out/share/locale") + makeFlagsArray+=("MAN5DIR=$out/share/man/man5") ''; - # Creation of the system-config-selinux directory is broken - preInstall = '' - mkdir -p $out/share/system-config-selinux - ''; - - # Fix the python scripts to 
include paths to libraries - # NOTE: We are not using wrapPythonPrograms or makeWrapper as these scripts - # purge the environment as a security measure - postInstall = '' - grep -r '#!.*python' $out/bin | awk -F: '{print $1}' | xargs sed -i "1a \ - import sys; \ - sys.path.append('$(toPythonPath "$out")'); \ - ${stdenv.lib.flip stdenv.lib.concatMapStrings pythonPath (lib: '' - sys.path.append('$(toPythonPath "${lib}")'); \ - '')}" - ''; - - NIX_CFLAGS_COMPILE = "-fstack-protector-all"; - meta = with stdenv.lib; { description = "SELinux policy core utilities"; license = licenses.gpl2; diff --git a/pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch b/pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch deleted file mode 100644 index 6ab2d6dccc7..00000000000 --- a/pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -Nru policycoreutils-2.4/setfiles/restore.c policycoreutils-2.4.new/setfiles/restore.c ---- policycoreutils-2.4/setfiles/restore.c 2015-02-02 09:38:10.000000000 -0500 -+++ policycoreutils-2.4.new/setfiles/restore.c 2015-08-29 20:44:13.693023222 -0400 -@@ -118,7 +118,7 @@ - r_opts->count++; - if (r_opts->count % STAR_COUNT == 0) { - if (r_opts->progress == 1) { -- fprintf(stdout, "\r%luk", (size_t) r_opts->count / STAR_COUNT ); -+ fprintf(stdout, "\r%zuk", (size_t) r_opts->count / STAR_COUNT ); - } else { - if (r_opts->nfile > 0) { - progress = (r_opts->count < r_opts->nfile) ? (100.0 * r_opts->count / r_opts->nfile) : 100; From ac90dffdc70408ef14f99171c8a99f323db655f0 Mon Sep 17 00:00:00 2001 From: xeji Date: Wed, 14 Mar 2018 20:17:04 +0100 Subject: [PATCH 05/11] checkpolicy: 2.4 -> 2.7 --- pkgs/os-specific/linux/checkpolicy/default.nix | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/pkgs/os-specific/linux/checkpolicy/default.nix b/pkgs/os-specific/linux/checkpolicy/default.nix index 8e01bb2a5c8..6ea73c9ac6c 100644 
--- a/pkgs/os-specific/linux/checkpolicy/default.nix +++ b/pkgs/os-specific/linux/checkpolicy/default.nix @@ -2,27 +2,18 @@ stdenv.mkDerivation rec { name = "checkpolicy-${version}"; - version = "2.4"; + version = "2.7"; inherit (libsepol) se_release se_url; src = fetchurl { url = "${se_url}/${se_release}/checkpolicy-${version}.tar.gz"; - sha256 = "1m5wjm43lzp6bld8higsvdm2dkddydihhwv9qw2w9r4dm0largcv"; + sha256 = "009j9jc0hi4l7k8f21hn8fm25n0mqgzdpd4nk30nds6d3nglf4sl"; }; - # Don't build tests - postPatch = '' - sed '/-C test/d' -i Makefile - sed '1i#include ' -i checkpolicy.c - ''; - nativeBuildInputs = [ bison flex ]; buildInputs = [ libsepol ]; - NIX_CFLAGS_COMPILE = "-fstack-protector-all"; - preBuild = '' - makeFlagsArray+=("LEX=flex") makeFlagsArray+=("LIBDIR=${libsepol}/lib") makeFlagsArray+=("PREFIX=$out") ''; From 07fe29741b0c9fa4d8f6554bfac2b0160fee1016 Mon Sep 17 00:00:00 2001 From: xeji Date: Tue, 20 Mar 2018 13:11:07 +0100 Subject: [PATCH 06/11] setools: 2015-02-12 -> 2017-11-10 --- pkgs/os-specific/linux/setools/default.nix | 49 ++++++++++++---------- 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix index 8262c03e1e5..9cb5785ca98 100644 --- a/pkgs/os-specific/linux/setools/default.nix +++ b/pkgs/os-specific/linux/setools/default.nix 
@@ -1,35 +1,42 @@ -{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, bison, flex -, python, swig2, tcl, libsepol, libselinux, libxml2, sqlite, bzip2 }: +{ stdenv, fetchFromGitHub, bison, flex, python3 , swig +, libsepol, libselinux, checkpolicy +, withGraphics ? false +}: -stdenv.mkDerivation rec { - name = "setools-2015-02-12"; +with stdenv.lib; +with python3.pkgs; + +buildPythonApplication rec { + pname = "setools"; + version = "2017-11-10"; src = fetchFromGitHub { owner = "TresysTechnology"; - repo = "setools3"; - rev = "f1e5b208d507171968ca4d2eeefd7980f1004a3c"; - sha256 = "02gzy2kpszhr13f0d9qfiwh2hj4201g2x366j53v5n5qz481aykd"; + repo = pname; + rev = "a1aa0f33f5c428d3f9fe82960ed5de36f38047f7"; + sha256 = "0iyj35fff93cprjkzbkg9dn5xz8dg5h2kjx3476fl625nxxskndn"; }; - configureFlags = [ - "--disable-gui" - "--with-sepol-devel=${libsepol}" - "--with-selinux-devel=${libselinux}" - "--with-tcl=${tcl}/lib" - ]; + nativeBuildInputs = [ bison flex ]; + buildInputs = [ libsepol swig ]; + propagatedBuildInputs = [ enum34 libselinux networkx ] + ++ optionals withGraphics [ pyqt5 ]; - hardeningDisable = [ "format" ]; + checkInputs = [ tox checkpolicy ]; + preCheck = '' + export CHECKPOLICY=${checkpolicy}/bin/checkpolicy + ''; - NIX_CFLAGS_COMPILE = "-fstack-protector-all"; - NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib"; + setupPyBuildFlags = [ "-i" ]; - nativeBuildInputs = [ autoreconfHook pkgconfig python swig2 bison flex ]; - buildInputs = [ tcl libxml2 sqlite bzip2 ]; + preBuild = '' + export SEPOL="${libsepol}/lib/libsepol.a" + ''; meta = { description = "SELinux Tools"; - homepage = http://oss.tresys.com/projects/setools/; - license = stdenv.lib.licenses.gpl2; - platforms = stdenv.lib.platforms.linux; + homepage = https://github.com/TresysTechnology/setools/wiki; + license = licenses.gpl2; + platforms = platforms.linux; }; } From 7ff15900f8a570232c01fba9b33f7c00939c1461 Mon Sep 17 00:00:00 2001 
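Review bot: `propagatedBuildInputs = [ enum34 libselinux networkx ]` propagates the `enum34` backport into a python3 environment (the file is python3-only via `with python3.pkgs`), where it installs a top-level `enum` package that shadows the standard library's and is a known cause of breakage in unrelated modules. It is not needed on Python 3.4+; suggest `propagatedBuildInputs = [ libselinux networkx ]`, and if setools' `setup.py` still lists `enum34` unconditionally in `install_requires`, patch that requirement out in `postPatch` rather than satisfying it.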
From: xeji Date: Tue, 20 Mar 2018 14:52:05 +0100 Subject: [PATCH 07/11] libsemanage: fix python lib path --- pkgs/os-specific/linux/libsemanage/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/libsemanage/default.nix b/pkgs/os-specific/linux/libsemanage/default.nix index 303853c9ee2..45222bee6b0 100644 --- a/pkgs/os-specific/linux/libsemanage/default.nix +++ b/pkgs/os-specific/linux/libsemanage/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { makeFlagsArray+=("DESTDIR=$out") makeFlagsArray+=("MAN3DIR=$out/share/man/man3") makeFlagsArray+=("MAN5DIR=$out/share/man/man5") - makeFlagsArray+=("PYSITEDIR=$out/lib/python2.7/site-packages") + makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages") ''; installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ]; From cc8bf58427a39c765f3c039951ab3cf7e9533e24 Mon Sep 17 00:00:00 2001 From: xeji Date: Tue, 20 Mar 2018 14:52:37 +0100 Subject: [PATCH 08/11] libselinux: fix python lib path --- pkgs/os-specific/linux/libselinux/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/libselinux/default.nix b/pkgs/os-specific/linux/libselinux/default.nix index 0175f79483f..4ddc3010221 100644 --- a/pkgs/os-specific/linux/libselinux/default.nix +++ b/pkgs/os-specific/linux/libselinux/default.nix @@ -35,7 +35,7 @@ stdenv.mkDerivation rec { makeFlagsArray+=("MAN3DIR=$out/share/man/man3") makeFlagsArray+=("MAN5DIR=$out/share/man/man5") makeFlagsArray+=("MAN8DIR=$out/share/man/man8") - makeFlagsArray+=("PYSITEDIR=$out/lib/python2.7/site-packages") + makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages") ''; installTargets = [ "install" ] ++ optional enablePython "install-pywrap"; From 905f4725562b8cf07d1a75fd6e5d6573d5cb5520 Mon Sep 17 00:00:00 2001 
From: xeji Date: Tue, 20 Mar 2018 14:56:08 +0100 Subject: [PATCH 09/11] selinux-python: init at 2.7 tools written in python that upstream moved from policycoreutils into a separate package --- .../linux/selinux-python/default.nix | 49 +++++++++++++++++++ pkgs/top-level/all-packages.nix | 5 ++ 2 files changed, 54 insertions(+) create mode 100644 pkgs/os-specific/linux/selinux-python/default.nix diff --git a/pkgs/os-specific/linux/selinux-python/default.nix b/pkgs/os-specific/linux/selinux-python/default.nix new file mode 100644 index 00000000000..8ac207d6421 --- /dev/null +++ b/pkgs/os-specific/linux/selinux-python/default.nix 
@@ -0,0 +1,49 @@ +{ stdenv, fetchurl, python3 +, libselinux, libsemanage, libsepol, setools }: + +# this is python3 only because setools only supports python3 + +with stdenv.lib; +with python3.pkgs; + +stdenv.mkDerivation rec { + name = "selinux-python-${version}"; + version = "2.7"; + se_release = "20170804"; + se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases"; + + src = fetchurl { + url = "${se_url}/${se_release}/selinux-python-${version}.tar.gz"; + sha256 = "1va0y4b7cah7rprh04b3ylmwqgnivpkw5z2zw68nrafdbsbcn5s2"; + }; + + nativeBuildInputs = [ wrapPython ]; + buildInputs = [ libsepol python3 ]; + propagatedBuildInputs = [ libselinux libsemanage setools ipy ]; + + postPatch = '' + substituteInPlace sepolicy/Makefile --replace "echo --root" "echo --prefix" + ''; + + preBuild = '' + makeFlagsArray+=("PREFIX=$out") + makeFlagsArray+=("DESTDIR=$out") + makeFlagsArray+=("LOCALEDIR=$out/share/locale") + makeFlagsArray+=("LIBSEPOLA=${libsepol}/lib/libsepol.a") + makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions") + makeFlagsArray+=("PYTHON=${python3}/bin/python") + makeFlagsArray+=("PYTHONLIBDIR=lib/${python3.libPrefix}/site-packages") + ''; + + postFixup = '' + wrapPythonPrograms + ''; + + meta = { + description = "SELinux policy core utilities written in Python"; + license = licenses.gpl2; + homepage = https://selinuxproject.org; + platforms = platforms.linux; + }; +} + diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 85fbb8894ec..28ef4f64be7 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
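Review bot: `se_release = "20170804";` and `se_url = "https://raw.githubusercontent.com/..."` re-declare values that libselinux, libsemanage, policycoreutils and checkpolicy all take via `inherit (libsepol) se_release se_url;`, so the next release bump has one more place to touch and can leave this package quietly fetching from an older tarball set; the same URL is hard-coded again in selinux-sandbox (patch 10). Since `libsepol` is already an argument here, the two lines can become `inherit (libsepol) se_release se_url;` as in the sibling derivations.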
@@ -20660,6 +20660,11 @@ with pkgs; seafile-shared = callPackage ../misc/seafile-shared { }; serviio = callPackage ../servers/serviio {}; + selinux-python = callPackage ../os-specific/linux/selinux-python { + # needs python3 bindings + libselinux = libselinux.override { python = python3; }; + libsemanage = libsemanage.override { python = python3; }; + }; slock = callPackage ../misc/screensavers/slock { conf = config.slock.conf or null; From f7fe3f51840d6d978cb644ce209ce3466de480eb Mon Sep 17 00:00:00 2001 From: xeji Date: Thu, 15 Mar 2018 23:57:19 +0100 Subject: [PATCH 10/11] selinux-sandbox: init at 2.7 --- .../linux/selinux-sandbox/default.nix | 61 +++++++++++++++++++ pkgs/top-level/all-packages.nix | 2 + 2 files changed, 63 insertions(+) create mode 100644 pkgs/os-specific/linux/selinux-sandbox/default.nix diff --git a/pkgs/os-specific/linux/selinux-sandbox/default.nix b/pkgs/os-specific/linux/selinux-sandbox/default.nix new file mode 100644 index 00000000000..71d2ee6e80a --- /dev/null +++ b/pkgs/os-specific/linux/selinux-sandbox/default.nix 
@@ -0,0 +1,61 @@ +{ stdenv, fetchurl, bash, coreutils, python3 +, libcap_ng, policycoreutils, selinux-python, dbus +, xorgserver, openbox, xmodmap }: + +# this is python3 only as it depends on selinux-python + +with stdenv.lib; +with python3.pkgs; + +stdenv.mkDerivation rec { + name = "selinux-sandbox-${version}"; + version = "2.7"; + se_release = "20170804"; + + src = fetchurl { + url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${se_release}/selinux-sandbox-${version}.tar.gz"; + sha256 = "0hf5chm90iapb42njaps6p5460ys3ajh5446ja544vdbh01n544l"; + }; + + nativeBuildInputs = [ wrapPython ]; + buildInputs = [ bash coreutils libcap_ng policycoreutils python3 xorgserver openbox xmodmap dbus ]; + propagatedBuildInputs = [ pygobject3 selinux-python ]; + + postPatch = '' + # Fix setuid install + substituteInPlace Makefile --replace "-m 4755" "-m 755" + substituteInPlace sandboxX.sh \ + --replace "#!/bin/sh" "#!${bash}/bin/sh" \ + --replace "/usr/share/sandbox/start" "${placeholder "out"}/share/sandbox/start" \ + --replace "/usr/bin/cut" "${coreutils}/bin/cut" \ + --replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xepyhr" \ + --replace "secon" "${policycoreutils}/bin/secon" + substituteInPlace sandbox \ + --replace "/usr/sbin/seunshare" "$out/bin/seunshare" \ + --replace "/usr/share/sandbox" "$out/share/sandbox" \ + --replace "/usr/share/locale" "${policycoreutils}/share/locale" \ + --replace "/usr/bin/openbox" "${openbox}/bin/openbox" \ + --replace "#!/bin/sh" "#!${bash}/bin/sh" \ + --replace "dbus-" "${dbus}/bin/dbus-" \ + --replace "/usr/bin/xmodmap" "${xmodmap}/bin/xmodmap" \ + --replace "/usr/bin/shred" "${coreutils}/bin/shred" \ + --replace "/usr/bin/test" "${coreutils}/bin/test" \ + ''; + + preBuild = '' + makeFlagsArray+=("PREFIX=$out") + makeFlagsArray+=("DESTDIR=$out") + ''; + + postFixup = '' + wrapPythonPrograms + ''; + + meta = { + description = "SELinux sandbox utility"; + license = licenses.gpl2; + homepage = 
https://selinuxproject.org; + platforms = platforms.linux; + }; +} + diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 28ef4f64be7..d0f3121bbac 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -11357,6 +11357,8 @@ with pkgs; sblim-sfcc = callPackage ../development/libraries/sblim-sfcc {}; + selinux-sandbox = callPackage ../os-specific/linux/selinux-sandbox { }; + serd = callPackage ../development/libraries/serd {}; serf = callPackage ../development/libraries/serf {}; From eb828c68317908bf044a2110fc1625d47893edcc Mon Sep 17 00:00:00 2001 From: xeji Date: Tue, 27 Mar 2018 01:24:46 +0200 Subject: [PATCH 11/11] systemd: add withSelinux option false by default, so no rebuild --- pkgs/os-specific/linux/systemd/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index a792283e70e..d0f35d6736d 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -10,6 +10,7 @@ , getent , hostPlatform , buildPackages +, withSelinux ? false, libselinux }: assert stdenv.isLinux; @@ -44,7 +45,7 @@ in stdenv.mkDerivation rec { iptables gnu-efi # This is actually native, but we already pull it from buildPackages pythonLxmlEnv - ]; + ] ++ stdenv.lib.optionals withSelinux [ libselinux ]; #dontAddPrefix = true;
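Review bot: `--replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xepyhr"` points sandboxX.sh at a misspelled binary, so the graphical sandbox cannot start its nested X server; it should read `--replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xephyr"`. The `# Fix setuid install` comment should also state the consequence: upstream installs `seunshare` setuid root and `sandbox` is pointed at `$out/bin/seunshare`, so without a system-level setuid wrapper (NixOS `security.wrappers`) the tool will not be able to set up the sandbox — a line such as `# seunshare is installed without setuid; expose it through security.wrappers on the system` saves the next reader a debugging session. The bare patterns `"secon"` and `"dbus-"` replace every occurrence in those scripts rather than only the command names, which is worth confirming against the 2.7 `sandbox` and `sandboxX.sh` sources. The final `--replace "/usr/bin/test" "${coreutils}/bin/test" \` carries a trailing backslash right before the closing `''`, which is harmless but reads as a missing line.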
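Review bot: `] ++ stdenv.lib.optionals withSelinux [ libselinux ];` only places the library in the build environment; if this derivation builds systemd with meson, whether SELinux support is actually compiled in is decided by the `selinux` meson option, whose default is auto-detection, so a later change to the flags passed to meson (outside these hunks) could switch the feature off while `withSelinux = true` still reads as enabled. Passing the choice explicitly, e.g. `"-Dselinux=${if withSelinux then "true" else "false"}"` alongside the existing meson flags, keeps the option and the build in step. Both edited blocks — the argument set and the buildInputs list — begin outside the hunks.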