public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #36978 from xeji/selinux-2-7

Browse Source 
SELinux libs and tools: 2.4 -> 2.7
This commit is contained in:
Jörg Thalheim 2018-03-27 10:29:23 +01:00 committed by GitHub
commit 00a43001d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 191 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
pkgs/os-specific/linux/checkpolicy/default.nix
View File

@ -2,27 +2,18 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "checkpolicy-${version}"; name = "checkpolicy-${version}";
version = "2.4"; version = "2.7";
inherit (libsepol) se_release se_url; inherit (libsepol) se_release se_url;
src = fetchurl { src = fetchurl {
url = "${se_url}/${se_release}/checkpolicy-${version}.tar.gz"; url = "${se_url}/${se_release}/checkpolicy-${version}.tar.gz";
sha256 = "1m5wjm43lzp6bld8higsvdm2dkddydihhwv9qw2w9r4dm0largcv"; sha256 = "009j9jc0hi4l7k8f21hn8fm25n0mqgzdpd4nk30nds6d3nglf4sl";
}; };
# Don't build tests
postPatch = ''
sed '/-C test/d' -i Makefile
sed '1i#include <ctype.h>' -i checkpolicy.c
'';
nativeBuildInputs = [ bison flex ]; nativeBuildInputs = [ bison flex ];
buildInputs = [ libsepol ]; buildInputs = [ libsepol ];
NIX_CFLAGS_COMPILE = "-fstack-protector-all";
preBuild = '' preBuild = ''
makeFlagsArray+=("LEX=flex")
makeFlagsArray+=("LIBDIR=${libsepol}/lib") makeFlagsArray+=("LIBDIR=${libsepol}/lib")
makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("PREFIX=$out")
''; '';

36
pkgs/os-specific/linux/libselinux/default.nix
View File

@ -1,4 +1,4 @@
{ stdenv, fetchurl, fetchpatch, pkgconfig, libsepol, pcre { stdenv, fetchurl, pcre, pkgconfig, libsepol
, enablePython ? true, swig ? null, python ? null , enablePython ? true, swig ? null, python ? null
}: }:
@ -8,48 +8,34 @@ with stdenv.lib;
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "libselinux-${version}"; name = "libselinux-${version}";
version = "2.4"; version = "2.7";
inherit (libsepol) se_release se_url; inherit (libsepol) se_release se_url;
src = fetchurl { src = fetchurl {
url = "${se_url}/${se_release}/libselinux-${version}.tar.gz"; url = "${se_url}/${se_release}/libselinux-${version}.tar.gz";
sha256 = "0yqg73ns97jwjh1iyv0jr5qxb8k5sqq5ywfkx11lzfn5yj8k0126"; sha256 = "0mwcq78v6ngbq06xmb9dvilpg0jnl2vs9fgrpakhmmiskdvc1znh";
}; };
nativeBuildInputs = [ pkgconfig ]; nativeBuildInputs = [ pkgconfig ];
buildInputs = [ libsepol pcre ] buildInputs = [ libsepol pcre ]
++ optionals enablePython [ swig python ]; ++ optionals enablePython [ swig python ];
# Avoid this false warning: # drop fortify here since package uses it by default, leading to compile error:
# avc_internal.c: In function 'avc_netlink_receive': # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
# avc_internal.c:105:25: error: cast increases required alignment of target type [-Werror=cast-align] hardeningDisable = [ "fortify" ];
# struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
# ^
NIX_CFLAGS_COMPILE = "-std=gnu89 -Wno-error=cast-align";
# Unreleased upstream patch that fixes Python package issue arising
# from recent SWIG changes.
patches = optional enablePython (fetchpatch {
name = "fix-python-swig.patch";
url = "https://github.com/SELinuxProject/selinux/commit/a9604c30a5e2f71007d31aa6ba41cf7b95d94822.patch";
sha256 = "0mjrclh0sd8m7vq0wvl6pg29ss415j3kn0266v8ixy4fprafagfp";
stripLen = 1;
});
postPatch = optionalString enablePython '' postPatch = optionalString enablePython ''
sed -i -e 's|\$(LIBDIR)/libsepol.a|${libsepol}/lib/libsepol.a|' src/Makefile sed -i -e 's|\$(LIBDIR)/libsepol.a|${libsepol}/lib/libsepol.a|' src/Makefile
''
+ ''
sed '1i#include <sys/uio.h>' -i src/setrans_client.c
''; '';
# fix install locations
preBuild = '' preBuild = ''
# Build fails without this precreated
mkdir -p $out/include
makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("PREFIX=$out")
makeFlagsArray+=("DESTDIR=$out") makeFlagsArray+=("DESTDIR=$out")
makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
makeFlagsArray+=("MAN8DIR=$out/share/man/man8")
makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages")
''; '';
installTargets = [ "install" ] ++ optional enablePython "install-pywrap"; installTargets = [ "install" ] ++ optional enablePython "install-pywrap";

28
pkgs/os-specific/linux/libsemanage/default.nix
View File

@ -1,31 +1,33 @@
{ stdenv, fetchurl, bison, flex, libsepol, libselinux, ustr, bzip2, libaudit }: { stdenv, fetchurl, pkgconfig, bison, flex, libsepol, libselinux, bzip2, libaudit
, enablePython ? true, swig ? null, python ? null
}:
with stdenv.lib;
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "libsemanage-${version}"; name = "libsemanage-${version}";
version = "2.4"; version = "2.7";
inherit (libsepol) se_release se_url; inherit (libsepol) se_release se_url;
src = fetchurl { src = fetchurl {
url = "${se_url}/${se_release}/libsemanage-${version}.tar.gz"; url = "${se_url}/${se_release}/libsemanage-${version}.tar.gz";
sha256 = "1134ka4mi4387ac5yv68bpp2y7ln5xxhwp07xhqnay0nxzjaqk0s"; sha256 = "0xnlp1yg8b1aqc6kq3pss1i1nl06rfj4x4pyl5blasnf2ivlgs87";
}; };
nativeBuildInputs = [ bison flex ]; nativeBuildInputs = [ bison flex pkgconfig ];
buildInputs = [ libsepol libselinux ustr bzip2 libaudit ]; buildInputs = [ libsepol libselinux bzip2 libaudit ]
++ optionals enablePython [ swig python ];
NIX_CFLAGS_COMPILE = [
"-fstack-protector-all"
"-std=gnu89"
# these were added to fix build with gcc7. review on update
"-Wno-error=format-truncation"
"-Wno-error=implicit-fallthrough"
];
preBuild = '' preBuild = ''
makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("PREFIX=$out")
makeFlagsArray+=("DESTDIR=$out") makeFlagsArray+=("DESTDIR=$out")
makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages")
''; '';
installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ];
meta = libsepol.meta // { meta = libsepol.meta // {
description = "Policy management tools for SELinux"; description = "Policy management tools for SELinux";
license = stdenv.lib.licenses.lgpl21; license = stdenv.lib.licenses.lgpl21;

9
pkgs/os-specific/linux/libsepol/default.nix
View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "libsepol-${version}"; name = "libsepol-${version}";
version = "2.4"; version = "2.7";
se_release = "20150202"; se_release = "20170804";
se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases"; se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases";
src = fetchurl { src = fetchurl {
url = "${se_url}/${se_release}/libsepol-${version}.tar.gz"; url = "${se_url}/${se_release}/libsepol-${version}.tar.gz";
sha256 = "0ncnwhpc1gx4hrrb822fqkwy5h75zzngsrfkd5mlqh1jk7aib419"; sha256 = "1rzr90d3f1g5wy1b8sh6fgnqb9migys2zgpjmpakn6lhxkc3p7fn";
}; };
nativeBuildInputs = [ flex ]; nativeBuildInputs = [ flex ];
@ -16,9 +16,10 @@ stdenv.mkDerivation rec {
preBuild = '' preBuild = ''
makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("PREFIX=$out")
makeFlagsArray+=("DESTDIR=$out") makeFlagsArray+=("DESTDIR=$out")
makeFlagsArray+=("MAN8DIR=$out/share/man/man8")
makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
''; '';
NIX_CFLAGS_COMPILE = [ "-Wno-error=implicit-fallthrough" ];
passthru = { inherit se_release se_url; }; passthru = { inherit se_release se_url; };

53
pkgs/os-specific/linux/policycoreutils/default.nix
View File

@ -1,64 +1,33 @@
{ stdenv, fetchurl, pythonPackages, gettext { stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }:
, setools, libsepol, libselinux, libcap_ng, libsemanage, sepolgen
}:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "policycoreutils-${version}"; name = "policycoreutils-${version}";
version = "2.4"; version = "2.7";
inherit (libsepol) se_release se_url; inherit (libsepol) se_release se_url;
src = fetchurl { src = fetchurl {
url = "${se_url}/${se_release}/policycoreutils-${version}.tar.gz"; url = "${se_url}/${se_release}/policycoreutils-${version}.tar.gz";
sha256 = "0y9l9k60iy21hj0lcvfdfxs1fxydg6d3pxp9rhy7hwr4y5vgh6dq"; sha256 = "1x742c7lkw30namhkw87yg7z384qzqjz0pvmqs0lk19v6958l6qa";
}; };
patches = [ ./fix-printf-type.patch ];
postPatch = '' postPatch = ''
# Fix references to libsepol.a
find . -name Makefile -exec sed -i 's,[^ ]*/libsepol.a,${libsepol}/lib/libsepol.a,g' {} \;
# Fix install references # Fix install references
substituteInPlace po/Makefile --replace /usr/bin/install install substituteInPlace po/Makefile \
--replace /usr/bin/install install --replace /usr/share /share
# Fix references to /usr/share substituteInPlace newrole/Makefile --replace /usr/share /share
grep -r '/usr/share' | awk -F: '{print $1}' | xargs sed -i "s,\(\$(DESTDIR)\)*/usr/share,$out/share,g"
# Fix sepolicy install
sed -i "s,\(setup.py install\).*,\1 --prefix=$out,g" sepolicy/Makefile
# Fix setuid install
sed -i 's|-m 4755|-m 755|' sandbox/Makefile
''; '';
nativeBuildInputs = [ pythonPackages.python gettext ]; nativeBuildInputs = [ gettext ];
buildInputs = [ setools libsepol libselinux libcap_ng libsemanage ]; buildInputs = [ libsepol libselinux libsemanage ];
pythonPath = [ libselinux sepolgen ];
preBuild = '' preBuild = ''
makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("PREFIX=$out")
makeFlagsArray+=("DESTDIR=$out") makeFlagsArray+=("DESTDIR=$out")
makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions")
makeFlagsArray+=("LOCALEDIR=$out/share/locale")
makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
''; '';
# Creation of the system-config-selinux directory is broken
preInstall = ''
mkdir -p $out/share/system-config-selinux
'';
# Fix the python scripts to include paths to libraries
# NOTE: We are not using wrapPythonPrograms or makeWrapper as these scripts
# purge the environment as a security measure
postInstall = ''
grep -r '#!.*python' $out/bin | awk -F: '{print $1}' | xargs sed -i "1a \
import sys; \
sys.path.append('$(toPythonPath "$out")'); \
${stdenv.lib.flip stdenv.lib.concatMapStrings pythonPath (lib: ''
sys.path.append('$(toPythonPath "${lib}")'); \
'')}"
'';
NIX_CFLAGS_COMPILE = "-fstack-protector-all";
meta = with stdenv.lib; { meta = with stdenv.lib; {
description = "SELinux policy core utilities"; description = "SELinux policy core utilities";
license = licenses.gpl2; license = licenses.gpl2;

12
pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch
View File

@ -1,12 +0,0 @@
diff -Nru policycoreutils-2.4/setfiles/restore.c policycoreutils-2.4.new/setfiles/restore.c
--- policycoreutils-2.4/setfiles/restore.c 2015-02-02 09:38:10.000000000 -0500
+++ policycoreutils-2.4.new/setfiles/restore.c 2015-08-29 20:44:13.693023222 -0400
@@ -118,7 +118,7 @@
r_opts->count++;
if (r_opts->count % STAR_COUNT == 0) {
if (r_opts->progress == 1) {
- fprintf(stdout, "\r%luk", (size_t) r_opts->count / STAR_COUNT );
+ fprintf(stdout, "\r%zuk", (size_t) r_opts->count / STAR_COUNT );
} else {
if (r_opts->nfile > 0) {
progress = (r_opts->count < r_opts->nfile) ? (100.0 * r_opts->count / r_opts->nfile) : 100;

49
pkgs/os-specific/linux/selinux-python/default.nix Normal file
View File

@ -0,0 +1,49 @@
{ stdenv, fetchurl, python3
, libselinux, libsemanage, libsepol, setools }:
# this is python3 only because setools only supports python3
with stdenv.lib;
with python3.pkgs;
stdenv.mkDerivation rec {
name = "selinux-python-${version}";
version = "2.7";
se_release = "20170804";
se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases";
src = fetchurl {
url = "${se_url}/${se_release}/selinux-python-${version}.tar.gz";
sha256 = "1va0y4b7cah7rprh04b3ylmwqgnivpkw5z2zw68nrafdbsbcn5s2";
};
nativeBuildInputs = [ wrapPython ];
buildInputs = [ libsepol python3 ];
propagatedBuildInputs = [ libselinux libsemanage setools ipy ];
postPatch = ''
substituteInPlace sepolicy/Makefile --replace "echo --root" "echo --prefix"
'';
preBuild = ''
makeFlagsArray+=("PREFIX=$out")
makeFlagsArray+=("DESTDIR=$out")
makeFlagsArray+=("LOCALEDIR=$out/share/locale")
makeFlagsArray+=("LIBSEPOLA=${libsepol}/lib/libsepol.a")
makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions")
makeFlagsArray+=("PYTHON=${python3}/bin/python")
makeFlagsArray+=("PYTHONLIBDIR=lib/${python3.libPrefix}/site-packages")
'';
postFixup = ''
wrapPythonPrograms
'';
meta = {
description = "SELinux policy core utilities written in Python";
license = licenses.gpl2;
homepage = https://selinuxproject.org;
platforms = platforms.linux;
};
}

61
pkgs/os-specific/linux/selinux-sandbox/default.nix Normal file
View File

@ -0,0 +1,61 @@
{ stdenv, fetchurl, bash, coreutils, python3
, libcap_ng, policycoreutils, selinux-python, dbus
, xorgserver, openbox, xmodmap }:
# this is python3 only as it depends on selinux-python
with stdenv.lib;
with python3.pkgs;
stdenv.mkDerivation rec {
name = "selinux-sandbox-${version}";
version = "2.7";
se_release = "20170804";
src = fetchurl {
url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${se_release}/selinux-sandbox-${version}.tar.gz";
sha256 = "0hf5chm90iapb42njaps6p5460ys3ajh5446ja544vdbh01n544l";
};
nativeBuildInputs = [ wrapPython ];
buildInputs = [ bash coreutils libcap_ng policycoreutils python3 xorgserver openbox xmodmap dbus ];
propagatedBuildInputs = [ pygobject3 selinux-python ];
postPatch = ''
# Fix setuid install
substituteInPlace Makefile --replace "-m 4755" "-m 755"
substituteInPlace sandboxX.sh \
--replace "#!/bin/sh" "#!${bash}/bin/sh" \
--replace "/usr/share/sandbox/start" "${placeholder "out"}/share/sandbox/start" \
--replace "/usr/bin/cut" "${coreutils}/bin/cut" \
--replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xepyhr" \
--replace "secon" "${policycoreutils}/bin/secon"
substituteInPlace sandbox \
--replace "/usr/sbin/seunshare" "$out/bin/seunshare" \
--replace "/usr/share/sandbox" "$out/share/sandbox" \
--replace "/usr/share/locale" "${policycoreutils}/share/locale" \
--replace "/usr/bin/openbox" "${openbox}/bin/openbox" \
--replace "#!/bin/sh" "#!${bash}/bin/sh" \
--replace "dbus-" "${dbus}/bin/dbus-" \
--replace "/usr/bin/xmodmap" "${xmodmap}/bin/xmodmap" \
--replace "/usr/bin/shred" "${coreutils}/bin/shred" \
--replace "/usr/bin/test" "${coreutils}/bin/test" \
'';
preBuild = ''
makeFlagsArray+=("PREFIX=$out")
makeFlagsArray+=("DESTDIR=$out")
'';
postFixup = ''
wrapPythonPrograms
'';
meta = {
description = "SELinux sandbox utility";
license = licenses.gpl2;
homepage = https://selinuxproject.org;
platforms = platforms.linux;
};
}

49
pkgs/os-specific/linux/setools/default.nix
View File

@ -1,35 +1,42 @@
{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, bison, flex { stdenv, fetchFromGitHub, bison, flex, python3 , swig
, python, swig2, tcl, libsepol, libselinux, libxml2, sqlite, bzip2 }: , libsepol, libselinux, checkpolicy
, withGraphics ? false
}:
stdenv.mkDerivation rec { with stdenv.lib;
name = "setools-2015-02-12"; with python3.pkgs;
buildPythonApplication rec {
pname = "setools";
version = "2017-11-10";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "TresysTechnology"; owner = "TresysTechnology";
repo = "setools3"; repo = pname;
rev = "f1e5b208d507171968ca4d2eeefd7980f1004a3c"; rev = "a1aa0f33f5c428d3f9fe82960ed5de36f38047f7";
sha256 = "02gzy2kpszhr13f0d9qfiwh2hj4201g2x366j53v5n5qz481aykd"; sha256 = "0iyj35fff93cprjkzbkg9dn5xz8dg5h2kjx3476fl625nxxskndn";
}; };
configureFlags = [ nativeBuildInputs = [ bison flex ];
"--disable-gui" buildInputs = [ libsepol swig ];
"--with-sepol-devel=${libsepol}" propagatedBuildInputs = [ enum34 libselinux networkx ]
"--with-selinux-devel=${libselinux}" ++ optionals withGraphics [ pyqt5 ];
"--with-tcl=${tcl}/lib"
];
hardeningDisable = [ "format" ]; checkInputs = [ tox checkpolicy ];
preCheck = ''
export CHECKPOLICY=${checkpolicy}/bin/checkpolicy
'';
NIX_CFLAGS_COMPILE = "-fstack-protector-all"; setupPyBuildFlags = [ "-i" ];
NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib";
nativeBuildInputs = [ autoreconfHook pkgconfig python swig2 bison flex ]; preBuild = ''
buildInputs = [ tcl libxml2 sqlite bzip2 ]; export SEPOL="${libsepol}/lib/libsepol.a"
'';
meta = { meta = {
description = "SELinux Tools"; description = "SELinux Tools";
homepage = http://oss.tresys.com/projects/setools/; homepage = https://github.com/TresysTechnology/setools/wiki;
license = stdenv.lib.licenses.gpl2; license = licenses.gpl2;
platforms = stdenv.lib.platforms.linux; platforms = platforms.linux;
}; };
} }

3
pkgs/os-specific/linux/systemd/default.nix
View File

@ -10,6 +10,7 @@
, getent , getent
, hostPlatform , hostPlatform
, buildPackages , buildPackages
, withSelinux ? false, libselinux
}: }:
assert stdenv.isLinux; assert stdenv.isLinux;
@ -44,7 +45,7 @@ in stdenv.mkDerivation rec {
iptables gnu-efi iptables gnu-efi
# This is actually native, but we already pull it from buildPackages # This is actually native, but we already pull it from buildPackages
pythonLxmlEnv pythonLxmlEnv
]; ] ++ stdenv.lib.optionals withSelinux [ libselinux ];
#dontAddPrefix = true; #dontAddPrefix = true;

7
pkgs/top-level/all-packages.nix
View File

@ -11393,6 +11393,8 @@ with pkgs;
sblim-sfcc = callPackage ../development/libraries/sblim-sfcc {}; sblim-sfcc = callPackage ../development/libraries/sblim-sfcc {};
selinux-sandbox = callPackage ../os-specific/linux/selinux-sandbox { };
serd = callPackage ../development/libraries/serd {}; serd = callPackage ../development/libraries/serd {};
serf = callPackage ../development/libraries/serf {}; serf = callPackage ../development/libraries/serf {};
@ -20704,6 +20706,11 @@ with pkgs;
seafile-shared = callPackage ../misc/seafile-shared { }; seafile-shared = callPackage ../misc/seafile-shared { };
serviio = callPackage ../servers/serviio {}; serviio = callPackage ../servers/serviio {};
selinux-python = callPackage ../os-specific/linux/selinux-python {
# needs python3 bindings
libselinux = libselinux.override { python = python3; };
libsemanage = libsemanage.override { python = python3; };
};
slock = callPackage ../misc/screensavers/slock { slock = callPackage ../misc/screensavers/slock {
conf = config.slock.conf or null; conf = config.slock.conf or null;