diff options
author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2018-03-27 10:29:23 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-03-27 10:29:23 +0100 |
commit | 00a43001d44b48ca239aeb4292a8609cdc228118 (patch) | |
tree | a3296e0fd457480d9ebd0e34c73d6967ca688a1a /pkgs/os-specific | |
parent | 41676002b28dc0e71306e309c2805438ed256517 (diff) | |
parent | eb828c68317908bf044a2110fc1625d47893edcc (diff) | |
download | nixlib-00a43001d44b48ca239aeb4292a8609cdc228118.tar nixlib-00a43001d44b48ca239aeb4292a8609cdc228118.tar.gz nixlib-00a43001d44b48ca239aeb4292a8609cdc228118.tar.bz2 nixlib-00a43001d44b48ca239aeb4292a8609cdc228118.tar.lz nixlib-00a43001d44b48ca239aeb4292a8609cdc228118.tar.xz nixlib-00a43001d44b48ca239aeb4292a8609cdc228118.tar.zst nixlib-00a43001d44b48ca239aeb4292a8609cdc228118.zip |
Merge pull request #36978 from xeji/selinux-2-7
SELinux libs and tools: 2.4 -> 2.7
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r-- | pkgs/os-specific/linux/checkpolicy/default.nix | 13 | ||||
-rw-r--r-- | pkgs/os-specific/linux/libselinux/default.nix | 36 | ||||
-rw-r--r-- | pkgs/os-specific/linux/libsemanage/default.nix | 28 | ||||
-rw-r--r-- | pkgs/os-specific/linux/libsepol/default.nix | 9 | ||||
-rw-r--r-- | pkgs/os-specific/linux/policycoreutils/default.nix | 53 | ||||
-rw-r--r-- | pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch | 12 | ||||
-rw-r--r-- | pkgs/os-specific/linux/selinux-python/default.nix | 49 | ||||
-rw-r--r-- | pkgs/os-specific/linux/selinux-sandbox/default.nix | 61 | ||||
-rw-r--r-- | pkgs/os-specific/linux/setools/default.nix | 49 | ||||
-rw-r--r-- | pkgs/os-specific/linux/systemd/default.nix | 3 |
10 files changed, 184 insertions, 129 deletions
diff --git a/pkgs/os-specific/linux/checkpolicy/default.nix b/pkgs/os-specific/linux/checkpolicy/default.nix index 8e01bb2a5c80..6ea73c9ac6c3 100644 --- a/pkgs/os-specific/linux/checkpolicy/default.nix +++ b/pkgs/os-specific/linux/checkpolicy/default.nix @@ -2,27 +2,18 @@ stdenv.mkDerivation rec { name = "checkpolicy-${version}"; - version = "2.4"; + version = "2.7"; inherit (libsepol) se_release se_url; src = fetchurl { url = "${se_url}/${se_release}/checkpolicy-${version}.tar.gz"; - sha256 = "1m5wjm43lzp6bld8higsvdm2dkddydihhwv9qw2w9r4dm0largcv"; + sha256 = "009j9jc0hi4l7k8f21hn8fm25n0mqgzdpd4nk30nds6d3nglf4sl"; }; - # Don't build tests - postPatch = '' - sed '/-C test/d' -i Makefile - sed '1i#include <ctype.h>' -i checkpolicy.c - ''; - nativeBuildInputs = [ bison flex ]; buildInputs = [ libsepol ]; - NIX_CFLAGS_COMPILE = "-fstack-protector-all"; - preBuild = '' - makeFlagsArray+=("LEX=flex") makeFlagsArray+=("LIBDIR=${libsepol}/lib") makeFlagsArray+=("PREFIX=$out") ''; diff --git a/pkgs/os-specific/linux/libselinux/default.nix b/pkgs/os-specific/linux/libselinux/default.nix index 541ead7258f6..4ddc30102212 100644 --- a/pkgs/os-specific/linux/libselinux/default.nix +++ b/pkgs/os-specific/linux/libselinux/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, fetchpatch, pkgconfig, libsepol, pcre +{ stdenv, fetchurl, pcre, pkgconfig, libsepol , enablePython ? true, swig ? null, python ? null }: @@ -8,48 +8,34 @@ with stdenv.lib; stdenv.mkDerivation rec { name = "libselinux-${version}"; - version = "2.4"; + version = "2.7"; inherit (libsepol) se_release se_url; src = fetchurl { url = "${se_url}/${se_release}/libselinux-${version}.tar.gz"; - sha256 = "0yqg73ns97jwjh1iyv0jr5qxb8k5sqq5ywfkx11lzfn5yj8k0126"; + sha256 = "0mwcq78v6ngbq06xmb9dvilpg0jnl2vs9fgrpakhmmiskdvc1znh"; }; nativeBuildInputs = [ pkgconfig ]; buildInputs = [ libsepol pcre ] ++ optionals enablePython [ swig python ]; - # Avoid this false warning: - # avc_internal.c: In function 'avc_netlink_receive': - # avc_internal.c:105:25: error: cast increases required alignment of target type [-Werror=cast-align] - # struct nlmsghdr *nlh = (struct nlmsghdr *)buf; - # ^ - - NIX_CFLAGS_COMPILE = "-std=gnu89 -Wno-error=cast-align"; - - # Unreleased upstream patch that fixes Python package issue arising - # from recent SWIG changes. - patches = optional enablePython (fetchpatch { - name = "fix-python-swig.patch"; - url = "https://github.com/SELinuxProject/selinux/commit/a9604c30a5e2f71007d31aa6ba41cf7b95d94822.patch"; - sha256 = "0mjrclh0sd8m7vq0wvl6pg29ss415j3kn0266v8ixy4fprafagfp"; - stripLen = 1; - }); + # drop fortify here since package uses it by default, leading to compile error: + # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror] + hardeningDisable = [ "fortify" ]; postPatch = optionalString enablePython '' sed -i -e 's|\$(LIBDIR)/libsepol.a|${libsepol}/lib/libsepol.a|' src/Makefile - '' - + '' - sed '1i#include <sys/uio.h>' -i src/setrans_client.c ''; + # fix install locations preBuild = '' - # Build fails without this precreated - mkdir -p $out/include - makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("DESTDIR=$out") + makeFlagsArray+=("MAN3DIR=$out/share/man/man3") + makeFlagsArray+=("MAN5DIR=$out/share/man/man5") + makeFlagsArray+=("MAN8DIR=$out/share/man/man8") + makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages") ''; installTargets = [ "install" ] ++ optional enablePython "install-pywrap"; diff --git a/pkgs/os-specific/linux/libsemanage/default.nix b/pkgs/os-specific/linux/libsemanage/default.nix index 587349e4067e..45222bee6b00 100644 --- a/pkgs/os-specific/linux/libsemanage/default.nix +++ b/pkgs/os-specific/linux/libsemanage/default.nix @@ -1,31 +1,33 @@ -{ stdenv, fetchurl, bison, flex, libsepol, libselinux, ustr, bzip2, libaudit }: +{ stdenv, fetchurl, pkgconfig, bison, flex, libsepol, libselinux, bzip2, libaudit +, enablePython ? true, swig ? null, python ? null +}: + +with stdenv.lib; stdenv.mkDerivation rec { name = "libsemanage-${version}"; - version = "2.4"; + version = "2.7"; inherit (libsepol) se_release se_url; src = fetchurl { url = "${se_url}/${se_release}/libsemanage-${version}.tar.gz"; - sha256 = "1134ka4mi4387ac5yv68bpp2y7ln5xxhwp07xhqnay0nxzjaqk0s"; + sha256 = "0xnlp1yg8b1aqc6kq3pss1i1nl06rfj4x4pyl5blasnf2ivlgs87"; }; - nativeBuildInputs = [ bison flex ]; - buildInputs = [ libsepol libselinux ustr bzip2 libaudit ]; - - NIX_CFLAGS_COMPILE = [ - "-fstack-protector-all" - "-std=gnu89" - # these were added to fix build with gcc7. review on update - "-Wno-error=format-truncation" - "-Wno-error=implicit-fallthrough" - ]; + nativeBuildInputs = [ bison flex pkgconfig ]; + buildInputs = [ libsepol libselinux bzip2 libaudit ] + ++ optionals enablePython [ swig python ]; preBuild = '' makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("DESTDIR=$out") + makeFlagsArray+=("MAN3DIR=$out/share/man/man3") + makeFlagsArray+=("MAN5DIR=$out/share/man/man5") + makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages") ''; + installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ]; + meta = libsepol.meta // { description = "Policy management tools for SELinux"; license = stdenv.lib.licenses.lgpl21; diff --git a/pkgs/os-specific/linux/libsepol/default.nix b/pkgs/os-specific/linux/libsepol/default.nix index f7f393afb39d..59962e911d42 100644 --- a/pkgs/os-specific/linux/libsepol/default.nix +++ b/pkgs/os-specific/linux/libsepol/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { name = "libsepol-${version}"; - version = "2.4"; - se_release = "20150202"; + version = "2.7"; + se_release = "20170804"; se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases"; src = fetchurl { url = "${se_url}/${se_release}/libsepol-${version}.tar.gz"; - sha256 = "0ncnwhpc1gx4hrrb822fqkwy5h75zzngsrfkd5mlqh1jk7aib419"; + sha256 = "1rzr90d3f1g5wy1b8sh6fgnqb9migys2zgpjmpakn6lhxkc3p7fn"; }; nativeBuildInputs = [ flex ]; @@ -16,9 +16,10 @@ stdenv.mkDerivation rec { preBuild = '' makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("DESTDIR=$out") + makeFlagsArray+=("MAN8DIR=$out/share/man/man8") + makeFlagsArray+=("MAN3DIR=$out/share/man/man3") ''; - NIX_CFLAGS_COMPILE = [ "-Wno-error=implicit-fallthrough" ]; passthru = { inherit se_release se_url; }; diff --git a/pkgs/os-specific/linux/policycoreutils/default.nix b/pkgs/os-specific/linux/policycoreutils/default.nix index 536c69ff5573..d2f6371225fb 100644 --- a/pkgs/os-specific/linux/policycoreutils/default.nix +++ b/pkgs/os-specific/linux/policycoreutils/default.nix @@ -1,64 +1,33 @@ -{ stdenv, fetchurl, pythonPackages, gettext -, setools, libsepol, libselinux, libcap_ng, libsemanage, sepolgen -}: +{ stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }: stdenv.mkDerivation rec { name = "policycoreutils-${version}"; - version = "2.4"; + version = "2.7"; inherit (libsepol) se_release se_url; src = fetchurl { url = "${se_url}/${se_release}/policycoreutils-${version}.tar.gz"; - sha256 = "0y9l9k60iy21hj0lcvfdfxs1fxydg6d3pxp9rhy7hwr4y5vgh6dq"; + sha256 = "1x742c7lkw30namhkw87yg7z384qzqjz0pvmqs0lk19v6958l6qa"; }; - patches = [ ./fix-printf-type.patch ]; - postPatch = '' - # Fix references to libsepol.a - find . -name Makefile -exec sed -i 's,[^ ]*/libsepol.a,${libsepol}/lib/libsepol.a,g' {} \; - # Fix install references - substituteInPlace po/Makefile --replace /usr/bin/install install - - # Fix references to /usr/share - grep -r '/usr/share' | awk -F: '{print $1}' | xargs sed -i "s,\(\$(DESTDIR)\)*/usr/share,$out/share,g" - - # Fix sepolicy install - sed -i "s,\(setup.py install\).*,\1 --prefix=$out,g" sepolicy/Makefile - - # Fix setuid install - sed -i 's|-m 4755|-m 755|' sandbox/Makefile + substituteInPlace po/Makefile \ + --replace /usr/bin/install install --replace /usr/share /share + substituteInPlace newrole/Makefile --replace /usr/share /share ''; - nativeBuildInputs = [ pythonPackages.python gettext ]; - buildInputs = [ setools libsepol libselinux libcap_ng libsemanage ]; - pythonPath = [ libselinux sepolgen ]; + nativeBuildInputs = [ gettext ]; + buildInputs = [ libsepol libselinux libsemanage ]; preBuild = '' makeFlagsArray+=("PREFIX=$out") makeFlagsArray+=("DESTDIR=$out") + makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions") + makeFlagsArray+=("LOCALEDIR=$out/share/locale") + makeFlagsArray+=("MAN5DIR=$out/share/man/man5") ''; - # Creation of the system-config-selinux directory is broken - preInstall = '' - mkdir -p $out/share/system-config-selinux - ''; - - # Fix the python scripts to include paths to libraries - # NOTE: We are not using wrapPythonPrograms or makeWrapper as these scripts - # purge the environment as a security measure - postInstall = '' - grep -r '#!.*python' $out/bin | awk -F: '{print $1}' | xargs sed -i "1a \ - import sys; \ - sys.path.append('$(toPythonPath "$out")'); \ - ${stdenv.lib.flip stdenv.lib.concatMapStrings pythonPath (lib: '' - sys.path.append('$(toPythonPath "${lib}")'); \ - '')}" - ''; - - NIX_CFLAGS_COMPILE = "-fstack-protector-all"; - meta = with stdenv.lib; { description = "SELinux policy core utilities"; license = licenses.gpl2; diff --git a/pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch b/pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch deleted file mode 100644 index 6ab2d6dccc73..000000000000 --- a/pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -Nru policycoreutils-2.4/setfiles/restore.c policycoreutils-2.4.new/setfiles/restore.c ---- policycoreutils-2.4/setfiles/restore.c 2015-02-02 09:38:10.000000000 -0500 -+++ policycoreutils-2.4.new/setfiles/restore.c 2015-08-29 20:44:13.693023222 -0400 -@@ -118,7 +118,7 @@ - r_opts->count++; - if (r_opts->count % STAR_COUNT == 0) { - if (r_opts->progress == 1) { -- fprintf(stdout, "\r%luk", (size_t) r_opts->count / STAR_COUNT ); -+ fprintf(stdout, "\r%zuk", (size_t) r_opts->count / STAR_COUNT ); - } else { - if (r_opts->nfile > 0) { - progress = (r_opts->count < r_opts->nfile) ? (100.0 * r_opts->count / r_opts->nfile) : 100; diff --git a/pkgs/os-specific/linux/selinux-python/default.nix b/pkgs/os-specific/linux/selinux-python/default.nix new file mode 100644 index 000000000000..8ac207d64214 --- /dev/null +++ b/pkgs/os-specific/linux/selinux-python/default.nix @@ -0,0 +1,49 @@ +{ stdenv, fetchurl, python3 +, libselinux, libsemanage, libsepol, setools }: + +# this is python3 only because setools only supports python3 + +with stdenv.lib; +with python3.pkgs; + +stdenv.mkDerivation rec { + name = "selinux-python-${version}"; + version = "2.7"; + se_release = "20170804"; + se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases"; + + src = fetchurl { + url = "${se_url}/${se_release}/selinux-python-${version}.tar.gz"; + sha256 = "1va0y4b7cah7rprh04b3ylmwqgnivpkw5z2zw68nrafdbsbcn5s2"; + }; + + nativeBuildInputs = [ wrapPython ]; + buildInputs = [ libsepol python3 ]; + propagatedBuildInputs = [ libselinux libsemanage setools ipy ]; + + postPatch = '' + substituteInPlace sepolicy/Makefile --replace "echo --root" "echo --prefix" + ''; + + preBuild = '' + makeFlagsArray+=("PREFIX=$out") + makeFlagsArray+=("DESTDIR=$out") + makeFlagsArray+=("LOCALEDIR=$out/share/locale") + makeFlagsArray+=("LIBSEPOLA=${libsepol}/lib/libsepol.a") + makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions") + makeFlagsArray+=("PYTHON=${python3}/bin/python") + makeFlagsArray+=("PYTHONLIBDIR=lib/${python3.libPrefix}/site-packages") + ''; + + postFixup = '' + wrapPythonPrograms + ''; + + meta = { + description = "SELinux policy core utilities written in Python"; + license = licenses.gpl2; + homepage = https://selinuxproject.org; + platforms = platforms.linux; + }; +} + diff --git a/pkgs/os-specific/linux/selinux-sandbox/default.nix b/pkgs/os-specific/linux/selinux-sandbox/default.nix new file mode 100644 index 000000000000..71d2ee6e80af --- /dev/null +++ b/pkgs/os-specific/linux/selinux-sandbox/default.nix @@ -0,0 +1,61 @@ +{ stdenv, fetchurl, bash, coreutils, python3 +, libcap_ng, policycoreutils, selinux-python, dbus +, xorgserver, openbox, xmodmap }: + +# this is python3 only as it depends on selinux-python + +with stdenv.lib; +with python3.pkgs; + +stdenv.mkDerivation rec { + name = "selinux-sandbox-${version}"; + version = "2.7"; + se_release = "20170804"; + + src = fetchurl { + url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${se_release}/selinux-sandbox-${version}.tar.gz"; + sha256 = "0hf5chm90iapb42njaps6p5460ys3ajh5446ja544vdbh01n544l"; + }; + + nativeBuildInputs = [ wrapPython ]; + buildInputs = [ bash coreutils libcap_ng policycoreutils python3 xorgserver openbox xmodmap dbus ]; + propagatedBuildInputs = [ pygobject3 selinux-python ]; + + postPatch = '' + # Fix setuid install + substituteInPlace Makefile --replace "-m 4755" "-m 755" + substituteInPlace sandboxX.sh \ + --replace "#!/bin/sh" "#!${bash}/bin/sh" \ + --replace "/usr/share/sandbox/start" "${placeholder "out"}/share/sandbox/start" \ + --replace "/usr/bin/cut" "${coreutils}/bin/cut" \ + --replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xepyhr" \ + --replace "secon" "${policycoreutils}/bin/secon" + substituteInPlace sandbox \ + --replace "/usr/sbin/seunshare" "$out/bin/seunshare" \ + --replace "/usr/share/sandbox" "$out/share/sandbox" \ + --replace "/usr/share/locale" "${policycoreutils}/share/locale" \ + --replace "/usr/bin/openbox" "${openbox}/bin/openbox" \ + --replace "#!/bin/sh" "#!${bash}/bin/sh" \ + --replace "dbus-" "${dbus}/bin/dbus-" \ + --replace "/usr/bin/xmodmap" "${xmodmap}/bin/xmodmap" \ + --replace "/usr/bin/shred" "${coreutils}/bin/shred" \ + --replace "/usr/bin/test" "${coreutils}/bin/test" \ + ''; + + preBuild = '' + makeFlagsArray+=("PREFIX=$out") + makeFlagsArray+=("DESTDIR=$out") + ''; + + postFixup = '' + wrapPythonPrograms + ''; + + meta = { + description = "SELinux sandbox utility"; + license = licenses.gpl2; + homepage = https://selinuxproject.org; + platforms = platforms.linux; + }; +} + diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix index 8262c03e1e52..9cb5785ca98f 100644 --- a/pkgs/os-specific/linux/setools/default.nix +++ b/pkgs/os-specific/linux/setools/default.nix @@ -1,35 +1,42 @@ -{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, bison, flex -, python, swig2, tcl, libsepol, libselinux, libxml2, sqlite, bzip2 }: +{ stdenv, fetchFromGitHub, bison, flex, python3 , swig +, libsepol, libselinux, checkpolicy +, withGraphics ? false +}: -stdenv.mkDerivation rec { - name = "setools-2015-02-12"; +with stdenv.lib; +with python3.pkgs; + +buildPythonApplication rec { + pname = "setools"; + version = "2017-11-10"; src = fetchFromGitHub { owner = "TresysTechnology"; - repo = "setools3"; - rev = "f1e5b208d507171968ca4d2eeefd7980f1004a3c"; - sha256 = "02gzy2kpszhr13f0d9qfiwh2hj4201g2x366j53v5n5qz481aykd"; + repo = pname; + rev = "a1aa0f33f5c428d3f9fe82960ed5de36f38047f7"; + sha256 = "0iyj35fff93cprjkzbkg9dn5xz8dg5h2kjx3476fl625nxxskndn"; }; - configureFlags = [ - "--disable-gui" - "--with-sepol-devel=${libsepol}" - "--with-selinux-devel=${libselinux}" - "--with-tcl=${tcl}/lib" - ]; + nativeBuildInputs = [ bison flex ]; + buildInputs = [ libsepol swig ]; + propagatedBuildInputs = [ enum34 libselinux networkx ] + ++ optionals withGraphics [ pyqt5 ]; - hardeningDisable = [ "format" ]; + checkInputs = [ tox checkpolicy ]; + preCheck = '' + export CHECKPOLICY=${checkpolicy}/bin/checkpolicy + ''; - NIX_CFLAGS_COMPILE = "-fstack-protector-all"; - NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib"; + setupPyBuildFlags = [ "-i" ]; - nativeBuildInputs = [ autoreconfHook pkgconfig python swig2 bison flex ]; - buildInputs = [ tcl libxml2 sqlite bzip2 ]; + preBuild = '' + export SEPOL="${libsepol}/lib/libsepol.a" + ''; meta = { description = "SELinux Tools"; - homepage = http://oss.tresys.com/projects/setools/; - license = stdenv.lib.licenses.gpl2; - platforms = stdenv.lib.platforms.linux; + homepage = https://github.com/TresysTechnology/setools/wiki; + license = licenses.gpl2; + platforms = platforms.linux; }; } diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index a792283e70e1..d0f35d6736da 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -10,6 +10,7 @@ , getent , hostPlatform , buildPackages +, withSelinux ? false, libselinux }: assert stdenv.isLinux; @@ -44,7 +45,7 @@ in stdenv.mkDerivation rec { iptables gnu-efi # This is actually native, but we already pull it from buildPackages pythonLxmlEnv - ]; + ] ++ stdenv.lib.optionals withSelinux [ libselinux ]; #dontAddPrefix = true; |