SELinux libs and tools: 2.4 -> 2.7

pkgs/os-specific/linux/checkpolicy/default.nix

@@ -2,27 +2,18 @@
 
 stdenv.mkDerivation rec {
   name = "checkpolicy-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/checkpolicy-${version}.tar.gz";
-    sha256 = "1m5wjm43lzp6bld8higsvdm2dkddydihhwv9qw2w9r4dm0largcv";
+    sha256 = "009j9jc0hi4l7k8f21hn8fm25n0mqgzdpd4nk30nds6d3nglf4sl";
   };
 
-  # Don't build tests
-  postPatch = ''
-    sed '/-C test/d' -i Makefile
-    sed '1i#include <ctype.h>' -i checkpolicy.c
-  '';
-
   nativeBuildInputs = [ bison flex ];
   buildInputs = [ libsepol ];
 
-  NIX_CFLAGS_COMPILE = "-fstack-protector-all";
-
   preBuild = ''
-    makeFlagsArray+=("LEX=flex")
     makeFlagsArray+=("LIBDIR=${libsepol}/lib")
     makeFlagsArray+=("PREFIX=$out")
   '';

pkgs/os-specific/linux/libselinux/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, pkgconfig, libsepol, pcre
+{ stdenv, fetchurl, pcre, pkgconfig, libsepol
 , enablePython ? true, swig ? null, python ? null
 }:
 
@@ -8,48 +8,34 @@ with stdenv.lib;
 
 stdenv.mkDerivation rec {
   name = "libselinux-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libselinux-${version}.tar.gz";
-    sha256 = "0yqg73ns97jwjh1iyv0jr5qxb8k5sqq5ywfkx11lzfn5yj8k0126";
+    sha256 = "0mwcq78v6ngbq06xmb9dvilpg0jnl2vs9fgrpakhmmiskdvc1znh";
   };
 
   nativeBuildInputs = [ pkgconfig ];
   buildInputs = [ libsepol pcre ]
              ++ optionals enablePython [ swig python ];
 
-  # Avoid this false warning:
-  # avc_internal.c: In function 'avc_netlink_receive':
-  # avc_internal.c:105:25: error: cast increases required alignment of target type [-Werror=cast-align]
-  #  struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
-  #                         ^
-
-  NIX_CFLAGS_COMPILE = "-std=gnu89 -Wno-error=cast-align";
-
-  # Unreleased upstream patch that fixes Python package issue arising
-  # from recent SWIG changes.
-  patches = optional enablePython (fetchpatch {
-    name = "fix-python-swig.patch";
-    url = "https://github.com/SELinuxProject/selinux/commit/a9604c30a5e2f71007d31aa6ba41cf7b95d94822.patch";
-    sha256 = "0mjrclh0sd8m7vq0wvl6pg29ss415j3kn0266v8ixy4fprafagfp";
-    stripLen = 1;
-  });
+  # drop fortify here since package uses it by default, leading to compile error:
+  # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
+  hardeningDisable = [ "fortify" ];
 
   postPatch = optionalString enablePython ''
     sed -i -e 's|\$(LIBDIR)/libsepol.a|${libsepol}/lib/libsepol.a|' src/Makefile
-  ''
-  + ''
-    sed '1i#include <sys/uio.h>' -i src/setrans_client.c
   '';
 
+  # fix install locations
   preBuild = ''
-    # Build fails without this precreated
-    mkdir -p $out/include
-
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
+    makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
+    makeFlagsArray+=("MAN8DIR=$out/share/man/man8")
+    makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages")
   '';
 
   installTargets = [ "install" ] ++ optional enablePython "install-pywrap";

pkgs/os-specific/linux/libsemanage/default.nix

@@ -1,31 +1,33 @@
-{ stdenv, fetchurl, bison, flex, libsepol, libselinux, ustr, bzip2, libaudit }:
+{ stdenv, fetchurl, pkgconfig, bison, flex, libsepol, libselinux, bzip2, libaudit
+, enablePython ? true, swig ? null, python ? null
+}:
+
+with stdenv.lib;
 
 stdenv.mkDerivation rec {
   name = "libsemanage-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libsemanage-${version}.tar.gz";
-    sha256 = "1134ka4mi4387ac5yv68bpp2y7ln5xxhwp07xhqnay0nxzjaqk0s";
+    sha256 = "0xnlp1yg8b1aqc6kq3pss1i1nl06rfj4x4pyl5blasnf2ivlgs87";
   };
 
-  nativeBuildInputs = [ bison flex ];
-  buildInputs = [ libsepol libselinux ustr bzip2 libaudit ];
-
-  NIX_CFLAGS_COMPILE = [
-    "-fstack-protector-all"
-    "-std=gnu89"
-    # these were added to fix build with gcc7. review on update
-    "-Wno-error=format-truncation"
-    "-Wno-error=implicit-fallthrough"
-  ];
+  nativeBuildInputs = [ bison flex pkgconfig ];
+  buildInputs = [ libsepol libselinux bzip2 libaudit ]
+    ++ optionals enablePython [ swig python ];
 
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
+    makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
+    makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages")
   '';
 
+  installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ];
+
   meta = libsepol.meta // {
     description = "Policy management tools for SELinux";
     license = stdenv.lib.licenses.lgpl21;

pkgs/os-specific/linux/libsepol/default.nix

@@ -2,23 +2,24 @@
 
 stdenv.mkDerivation rec {
   name = "libsepol-${version}";
-  version = "2.4";
-  se_release = "20150202";
+  version = "2.7";
+  se_release = "20170804";
   se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases";
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libsepol-${version}.tar.gz";
-    sha256 = "0ncnwhpc1gx4hrrb822fqkwy5h75zzngsrfkd5mlqh1jk7aib419";
+    sha256 = "1rzr90d3f1g5wy1b8sh6fgnqb9migys2zgpjmpakn6lhxkc3p7fn";
   };
 
   nativeBuildInputs = [ flex ];
 
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("MAN8DIR=$out/share/man/man8")
+    makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
   '';
 
-  NIX_CFLAGS_COMPILE = [ "-Wno-error=implicit-fallthrough" ];
 
   passthru = { inherit se_release se_url; };
 

pkgs/os-specific/linux/policycoreutils/default.nix

@@ -1,64 +1,33 @@
-{ stdenv, fetchurl, pythonPackages, gettext
-, setools, libsepol, libselinux, libcap_ng, libsemanage, sepolgen
-}:
+{ stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }:
 
 stdenv.mkDerivation rec {
   name = "policycoreutils-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/policycoreutils-${version}.tar.gz";
-    sha256 = "0y9l9k60iy21hj0lcvfdfxs1fxydg6d3pxp9rhy7hwr4y5vgh6dq";
+    sha256 = "1x742c7lkw30namhkw87yg7z384qzqjz0pvmqs0lk19v6958l6qa";
   };
 
-  patches = [ ./fix-printf-type.patch ];
-
   postPatch = ''
-    # Fix references to libsepol.a
-    find . -name Makefile -exec sed -i 's,[^ ]*/libsepol.a,${libsepol}/lib/libsepol.a,g' {} \;
-
     # Fix install references
-    substituteInPlace po/Makefile --replace /usr/bin/install install
-
-    # Fix references to /usr/share
-    grep -r '/usr/share' | awk -F: '{print $1}' | xargs sed -i "s,\(\$(DESTDIR)\)*/usr/share,$out/share,g"
-
-    # Fix sepolicy install
-    sed -i "s,\(setup.py install\).*,\1 --prefix=$out,g" sepolicy/Makefile
-
-    # Fix setuid install
-    sed -i 's|-m 4755|-m 755|' sandbox/Makefile
+    substituteInPlace po/Makefile \
+       --replace /usr/bin/install install --replace /usr/share /share
+    substituteInPlace newrole/Makefile --replace /usr/share /share
   '';
 
-  nativeBuildInputs = [ pythonPackages.python gettext ];
-  buildInputs = [ setools libsepol libselinux libcap_ng libsemanage ];
-  pythonPath = [ libselinux sepolgen ];
+  nativeBuildInputs = [ gettext ];
+  buildInputs = [ libsepol libselinux libsemanage ];
 
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions")
+    makeFlagsArray+=("LOCALEDIR=$out/share/locale")
+    makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
   '';
 
-  # Creation of the system-config-selinux directory is broken
-  preInstall = ''
-    mkdir -p $out/share/system-config-selinux
-  '';
-
-  # Fix the python scripts to include paths to libraries
-  # NOTE: We are not using wrapPythonPrograms or makeWrapper as these scripts
-  # purge the environment as a security measure
-  postInstall = ''
-    grep -r '#!.*python' $out/bin | awk -F: '{print $1}' | xargs sed -i "1a \
-    import sys; \
-    sys.path.append('$(toPythonPath "$out")'); \
-    ${stdenv.lib.flip stdenv.lib.concatMapStrings pythonPath (lib: ''
-      sys.path.append('$(toPythonPath "${lib}")'); \
-    '')}"
-  '';
-
-  NIX_CFLAGS_COMPILE = "-fstack-protector-all";
-
   meta = with stdenv.lib; {
     description = "SELinux policy core utilities";
     license = licenses.gpl2;

pkgs/os-specific/linux/selinux-python/default.nix

@@ -0,0 +1,49 @@
+{ stdenv, fetchurl, python3
+, libselinux, libsemanage, libsepol, setools }:
+
+# this is python3 only because setools only supports python3
+
+with stdenv.lib;
+with python3.pkgs;
+
+stdenv.mkDerivation rec {
+  name = "selinux-python-${version}";
+  version = "2.7";
+  se_release = "20170804";
+  se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases";
+
+  src = fetchurl {
+    url = "${se_url}/${se_release}/selinux-python-${version}.tar.gz";
+    sha256 = "1va0y4b7cah7rprh04b3ylmwqgnivpkw5z2zw68nrafdbsbcn5s2";
+  };
+
+  nativeBuildInputs = [ wrapPython ];
+  buildInputs = [ libsepol python3 ];
+  propagatedBuildInputs = [ libselinux libsemanage setools ipy ];
+
+  postPatch = ''
+    substituteInPlace sepolicy/Makefile --replace "echo --root" "echo --prefix"
+  '';
+
+  preBuild = ''
+    makeFlagsArray+=("PREFIX=$out")
+    makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("LOCALEDIR=$out/share/locale")
+    makeFlagsArray+=("LIBSEPOLA=${libsepol}/lib/libsepol.a")
+    makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions")
+    makeFlagsArray+=("PYTHON=${python3}/bin/python")
+    makeFlagsArray+=("PYTHONLIBDIR=lib/${python3.libPrefix}/site-packages")
+  '';
+
+  postFixup = ''
+    wrapPythonPrograms
+  '';
+
+  meta = {
+    description = "SELinux policy core utilities written in Python";
+    license = licenses.gpl2;
+    homepage = https://selinuxproject.org;
+    platforms = platforms.linux;
+  };
+}
+

pkgs/os-specific/linux/selinux-sandbox/default.nix

@@ -0,0 +1,61 @@
+{ stdenv, fetchurl, bash, coreutils, python3
+, libcap_ng, policycoreutils, selinux-python, dbus
+, xorgserver, openbox, xmodmap }:
+
+# this is python3 only as it depends on selinux-python
+
+with stdenv.lib; 
+with python3.pkgs;
+
+stdenv.mkDerivation rec {
+  name = "selinux-sandbox-${version}";
+  version = "2.7";
+  se_release = "20170804";
+
+  src = fetchurl {
+    url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${se_release}/selinux-sandbox-${version}.tar.gz";
+    sha256 = "0hf5chm90iapb42njaps6p5460ys3ajh5446ja544vdbh01n544l";
+  };
+
+  nativeBuildInputs = [ wrapPython ];
+  buildInputs = [ bash coreutils libcap_ng policycoreutils python3 xorgserver openbox xmodmap dbus ];
+  propagatedBuildInputs = [ pygobject3 selinux-python ];
+
+  postPatch = ''
+    # Fix setuid install
+    substituteInPlace Makefile --replace "-m 4755" "-m 755"
+    substituteInPlace sandboxX.sh \
+      --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+      --replace "/usr/share/sandbox/start" "${placeholder "out"}/share/sandbox/start" \
+      --replace "/usr/bin/cut" "${coreutils}/bin/cut" \
+      --replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xepyhr" \
+      --replace "secon" "${policycoreutils}/bin/secon"
+    substituteInPlace sandbox \
+      --replace "/usr/sbin/seunshare" "$out/bin/seunshare" \
+      --replace "/usr/share/sandbox" "$out/share/sandbox" \
+      --replace "/usr/share/locale" "${policycoreutils}/share/locale" \
+      --replace "/usr/bin/openbox" "${openbox}/bin/openbox" \
+      --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+      --replace "dbus-" "${dbus}/bin/dbus-" \
+      --replace "/usr/bin/xmodmap" "${xmodmap}/bin/xmodmap" \
+      --replace "/usr/bin/shred" "${coreutils}/bin/shred" \
+      --replace "/usr/bin/test" "${coreutils}/bin/test" \
+  '';
+
+  preBuild = ''
+    makeFlagsArray+=("PREFIX=$out")
+    makeFlagsArray+=("DESTDIR=$out")
+  '';
+
+  postFixup = ''
+    wrapPythonPrograms
+  '';
+
+  meta = {
+    description = "SELinux sandbox utility";
+    license = licenses.gpl2;
+    homepage = https://selinuxproject.org;
+    platforms = platforms.linux;
+  };
+}
+