;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2019, 2020, 2022 Marius Bakke <marius@gnu.org>
;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;; The SELinux userspace stack.  libsepol, checkpolicy, libselinux,
;; libsemanage, secilc, python-sepolgen and policycoreutils are all built
;; from the single pinned checkout declared in libsepol (each one selects its
;; own subdirectory); python-setools comes from its own repository.
(define-module (gnu packages selinux)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix gexp)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system python)
  #:use-module (gnu packages)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages bison)
  #:use-module (gnu packages docbook)
  #:use-module (gnu packages flex)
  #:use-module (gnu packages gettext)
  #:use-module (gnu packages glib)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages networking)
  #:use-module (gnu packages pcre)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages qt)
  #:use-module (gnu packages swig)
  #:use-module (gnu packages xml))

;; Update the SELinux packages together!

(define-public libsepol
  (package
    (name "libsepol")
    (version "3.4")
    ;; One upstream repository holds every SELinux userspace component.  The
    ;; commit is the version tag and the content is pinned by the hash, so
    ;; every package inheriting this source is tied to the same revision.
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/SELinuxProject/selinux")
                    (commit version)))
              (file-name (git-file-name "selinux" version))
              (sha256
               (base32
                "1lcmgmfr0q7g5cwg6b7jm6ncw8cw6c1jblkm93v1g37bfhcgrqc0"))))
    (build-system gnu-build-system)
    (arguments
     (list
      ;; The tests need checkpolicy, which in turn needs this library, so
      ;; they cannot run here.  The target name is kept for the packages that
      ;; reuse these arguments.
      #:tests? #f
      #:test-target "test"
      ;; There is no configure script; every knob goes on the make command
      ;; line.
      #:make-flags
      #~(list (string-append "PREFIX=" #$output)
              (string-append "SHLIBDIR=" #$output "/lib")
              (string-append "MAN3DIR=" #$output "/share/man/man3")
              (string-append "MAN5DIR=" #$output "/share/man/man5")
              (string-append "MAN8DIR=" #$output "/share/man/man8")
              ;; Do not let compiler warnings abort the build.
              "CFLAGS=-Wno-error"
              ;; Record the library directory in the RUNPATH so installed
              ;; binaries locate libsepol.so without a search-path variable.
              (string-append "LDFLAGS=-Wl,-rpath=" #$output "/lib")
              (string-append "CC=" #$(cc-for-target)))
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure)
          ;; Only build this component of the shared checkout.
          (add-after 'unpack 'enter-dir
            (lambda _ (chdir #$name)))
          ;; Format 64-bit pkey values with PRIx64 rather than %lx, which is
          ;; only 32 bits wide on targets where `long' is 32 bits.
          (add-after 'enter-dir 'portability
            (lambda _
              (substitute* "src/ibpkeys.c"
                (("#include \"ibpkey_internal.h\"" line)
                 (string-append line "\n#include <inttypes.h>\n"))
                (("%#lx") "%#\" PRIx64 \"")))))))
    (native-inputs
     (list flex))
    (home-page "https://selinuxproject.org/")
    (synopsis "Library for manipulating SELinux policies")
    (description
     "The libsepol library provides an API for the manipulation of SELinux
binary policies. It is used by @code{checkpolicy} (the policy compiler) and
similar tools, and programs such as @code{load_policy}, which must perform
specific transformations on binary policies (for example, customizing policy
boolean settings).")
    (license license:lgpl2.1+)))

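(define-public checkpolicy
  (package/inherit libsepol
    (name "checkpolicy")
    ;; The phase list starts from %standard-phases rather than from
    ;; libsepol's phases, so no 'portability phase exists here to delete.
    (arguments
     (list
      #:tests? #f ; there is no check target
      #:make-flags
      #~(list (string-append "PREFIX=" #$output)
              ;; Point LIBSEPOLA at libsepol's static archive.
              (string-append "LIBSEPOLA="
                             (search-input-file %build-inputs
                                                "/lib/libsepol.a"))
              (string-append "CC=" #$(cc-for-target)))
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure)
          ;; Only build this component of the shared checkout.
          (add-after 'unpack 'enter-dir
            (lambda _ (chdir #$name))))))
    (inputs
     (list libsepol))
    (native-inputs
     (list bison flex))
    (synopsis "Check SELinux security policy configurations and modules")
    (description
     "This package provides the tools \"checkpolicy\" and \"checkmodule\".
Checkpolicy is a program that checks and compiles a SELinux security policy
configuration into a binary representation that can be loaded into the kernel.
Checkmodule is a program that checks and compiles a SELinux security policy
module into a binary representation.")
    ;; GPLv2 only
    (license license:gpl2)))
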
(define-public libselinux
  (package/inherit libsepol
    (name "libselinux")
    ;; The Python bindings go to their own output; see PYTHONLIBDIR below and
    ;; the 'install-pywrap phase.
    (outputs '("out" "python"))
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        #~(cons* "PYTHON=python3"
                 ;; Point LIBSEPOLA at libsepol's static archive.
                 (string-append "LIBSEPOLA="
                                (search-input-file %build-inputs
                                                   "/lib/libsepol.a"))
                 ;; NOTE(review): the major.minor comes from the host-side
                 ;; `python' package while the input is python-wrapper; this
                 ;; assumes both carry the same version -- verify on bumps.
                 (string-append "PYTHONLIBDIR="
                                #$output:python
                                "/lib/python"
                                #$(version-major+minor (package-version python))
                                "/site-packages/")
                 #$flags))
       ((#:phases phases)
        #~(modify-phases #$phases
            ;; libsepol's 'portability phase edits libsepol's src/ibpkeys.c,
            ;; not a file of this component.
            (delete 'portability)
            (replace 'enter-dir
              (lambda _ (chdir #$name)))
            ;; The bindings are a separate make target, built and installed
            ;; with the same flags as the library itself.
            (add-after 'build 'pywrap
              (lambda* (#:key make-flags #:allow-other-keys)
                (apply invoke "make" "pywrap" make-flags)))
            (add-after 'install 'install-pywrap
              (lambda* (#:key make-flags #:allow-other-keys)
                ;; The build system uses "python setup.py install" to install
                ;; Python bindings. Instruct it to use the correct output.
                (substitute* "src/Makefile"
                  (("--prefix=\\$\\(PREFIX\\)")
                   (string-append "--prefix=" #$output:python)))

                (apply invoke "make" "install-pywrap" make-flags))))))))
    ;; These libraries are in "Requires.private" in libselinux.pc.
    (propagated-inputs
     (list libsepol pcre2))
    ;; For pywrap phase
    (inputs
     (list python-wrapper))
    ;; These inputs are only needed for the pywrap phase.
    (native-inputs
     (list pkg-config swig))
    (synopsis "SELinux core libraries and utilities")
    (description
     "The libselinux library provides an API for SELinux applications to get
and set process and file security contexts, and to obtain security policy
decisions. It is required for any applications that use the SELinux API, and
used by all applications that are SELinux-aware. This package also includes
the core SELinux management utilities.")
    (license license:public-domain)))

(define-public libsemanage
  (package/inherit libsepol
    (name "libsemanage")
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        #~(cons* "PYTHON=python3"
                 ;; Unlike libselinux, the bindings land in the main output.
                 ;; NOTE(review): the major.minor is taken from the host-side
                 ;; `python' package while the input is python-wrapper --
                 ;; assumes both carry the same version.
                 (string-append "PYTHONLIBDIR="
                                #$output
                                "/lib/python"
                                #$(version-major+minor (package-version python))
                                "/site-packages/")
                 #$flags))
       ((#:phases phases)
        #~(modify-phases #$phases
            ;; libsepol's 'portability phase edits libsepol's src/ibpkeys.c,
            ;; not a file of this component.
            (delete 'portability)
            (replace 'enter-dir
              (lambda _ (chdir #$name)))
            ;; The default semanage.conf location set in src/Makefile is moved
            ;; from the global /etc into this package's own prefix.
            (add-before 'install 'adjust-semanage-conf-location
              (lambda _
                (substitute* "src/Makefile"
                  (("DEFAULT_SEMANAGE_CONF_LOCATION=/etc")
                   "DEFAULT_SEMANAGE_CONF_LOCATION=$(PREFIX)/etc"))))
            ;; The bindings are a separate make target, built and installed
            ;; with the same flags as the library itself.
            (add-after 'build 'pywrap
              (lambda* (#:key make-flags #:allow-other-keys)
                (apply invoke "make" "pywrap" make-flags)))
            (add-after 'install 'install-pywrap
              (lambda* (#:key make-flags #:allow-other-keys)
                (apply invoke "make" "install-pywrap" make-flags))))))))
    (inputs
     (list audit libsepol libselinux python-wrapper))
    ;; bison, flex: parser build; pkg-config, swig: Python bindings.
    (native-inputs
     (list bison flex pkg-config swig))
    (synopsis "SELinux policy management libraries")
    (description
     "The libsemanage library provides an API for the manipulation of SELinux
binary policies.")
    (license license:lgpl2.1+)))

(define-public secilc
  (package/inherit libsepol
    (name "secilc")
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        ;; The man page is rendered by xmlto with the DocBook manpage
        ;; stylesheet of the docbook-xsl native input.  The stylesheet path
        ;; embeds that input's version, so the two stay in step
        ;; automatically.  DTD validation is skipped -- presumably because the
        ;; DTD is not reachable from the isolated build; TODO confirm.
        #~(let ((xsl (search-input-directory %build-inputs "xml/xsl")))
            (cons (string-append "XMLTO=xmlto --skip-validation -x "
                                 xsl "/docbook-xsl-"
                                 #$(package-version
                                    (this-package-native-input "docbook-xsl"))
                                 "/manpages/docbook.xsl")
                  #$flags)))
       ((#:phases phases)
        #~(modify-phases #$phases
            ;; libsepol's 'portability phase edits libsepol's src/ibpkeys.c,
            ;; not a file of this component.
            (delete 'portability)
            (replace 'enter-dir
              (lambda _ (chdir #$name))))))))
    (inputs
     (list libsepol))
    (native-inputs
     (list xmlto docbook-xsl))
    (synopsis "SELinux common intermediate language (CIL) compiler")
    (description "The SELinux CIL compiler is a compiler that converts the
@dfn{common intermediate language} (CIL) into a kernel binary policy file.")
    (license license:bsd-2)))

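(define-public python-sepolgen
  (package/inherit libsepol
    (name "python-sepolgen")
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:phases phases)
        #~(modify-phases #$phases
            ;; libsepol's 'portability phase edits libsepol's src/ibpkeys.c,
            ;; not a file of this component.
            (delete 'portability)
            (replace 'enter-dir
              (lambda _ (chdir "python/sepolgen")))
            ;; By default all Python files would be installed to
            ;; $out/gnu/store/...-python-.../, so we override the
            ;; PACKAGEDIR to fix this.
            (add-after 'enter-dir 'fix-target-path
              (lambda _
                (substitute* "src/sepolgen/Makefile"
                  (("^PACKAGEDIR.*")
                   (string-append "PACKAGEDIR="
                                  #$output
                                  "/lib/python"
                                  ;; Python major.minor from the host-side
                                  ;; package, as libselinux and libsemanage do
                                  ;; for PYTHONLIBDIR.  NOTE(review): assumes
                                  ;; python-wrapper carries the same version.
                                  #$(version-major+minor (package-version python))
                                  "/site-packages/sepolgen")))
                ;; Install data files relative to the output, not DESTDIR.
                (substitute* "src/share/Makefile"
                  (("\\$\\(DESTDIR\\)") #$output))))))))
    (inputs
     (list python-wrapper))
    (native-inputs '())
    (synopsis "Python module for generating SELinux policies")
    (description
     "This package contains a Python module that forms the core of
@code{audit2allow}, a part of the package @code{policycoreutils}. The
sepolgen library contains: Reference Policy Representation, which are Objects
for representing policies and the reference policy interfaces. It has objects
and algorithms for representing access and sets of access in an abstract way
and searching that access. It also has a parser for reference policy
\"headers\". It contains infrastructure for parsing SELinux related messages
as produced by the audit system. It has facilities for generating policy
based on required access.")
    ;; GPLv2 only
    (license license:gpl2)))
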
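(define-public python-setools
  (package
    (name "python-setools")
    (version "4.4.0")
    ;; SETools has its own repository; it does not share the libsepol
    ;; checkout used by the other packages in this file.
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/SELinuxProject/setools")
                    (commit version)))
              (file-name (string-append name "-" version "-checkout"))
              (sha256
               (base32
                "1qvd5j6zwq4fmlahg45swjplhif2z89x7s6pnp07gvcp2fbqdsh5"))))
    (build-system python-build-system)
    ;; The phases start from python-build-system's %standard-phases, which
    ;; has no 'portability phase, so nothing is deleted here.  Phase return
    ;; values are ignored, as elsewhere in this file.
    (arguments
     `(#:tests? #f ; the test target causes a rebuild
       #:phases
       (modify-phases %standard-phases
         ;; SEPOL is set to libsepol's static archive before setup.py runs.
         (add-after 'unpack 'set-SEPOL-variable
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "SEPOL"
                     (search-input-file inputs "/lib/libsepol.a"))))
         ;; Do not let compiler warnings abort the extension build.
         (add-after 'unpack 'remove-Werror
           (lambda _
             (substitute* "setup.py"
               (("'-Werror',") ""))))
         ;; Paths that setup.py builds from sys.prefix are rebased onto the
         ;; output directory.
         (add-after 'unpack 'fix-target-paths
           (lambda* (#:key outputs #:allow-other-keys)
             (substitute* "setup.py"
               (("join\\(sys.prefix")
                (string-append "join(\"" (assoc-ref outputs "out") "/\""))))))))
    (propagated-inputs
     (list python-networkx))
    (inputs
     (list libsepol libselinux python-pyqt))
    (native-inputs
     (list bison flex python-cython swig))
    (home-page "https://github.com/SELinuxProject/setools")
    (synopsis "Tools for SELinux policy analysis")
    (description "SETools is a collection of graphical tools, command-line
tools, and libraries designed to facilitate SELinux policy analysis.")
    ;; Some programs are under GPL, all libraries under LGPL.
    (license (list license:lgpl2.1+
                   license:gpl2+))))
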
(define-public policycoreutils
  (package/inherit libsepol
    (name "policycoreutils")
    ;; A fresh argument list: unlike libsepol, tests are not disabled here,
    ;; so the "test" target runs in the check phase.
    (arguments
     (list
      #:test-target "test"
      #:make-flags
      #~(let ((out #$output))
          (list (string-append "CC=" #$(cc-for-target))
                (string-append "PREFIX=" out)
                (string-append "LOCALEDIR=" out "/share/locale")
                (string-append "BASHCOMPLETIONDIR=" out
                               "/share/bash-completion/completions")
                "INSTALL=install -c -p"
                "INSTALL_DIR=install -d"
                ;; These ones are needed because some Makefiles define the
                ;; directories relative to DESTDIR, not relative to PREFIX.
                (string-append "SBINDIR=" out "/sbin")
                (string-append "ETCDIR=" out "/etc")
                (string-append "SYSCONFDIR=" out "/etc/sysconfig")
                (string-append "MAN5DIR=" out "/share/man/man5")
                (string-append "INSTALL_NLS_DIR=" out "/share/locale")
                (string-append "AUTOSTARTDIR=" out "/etc/xdg/autostart")
                (string-append "DBUSSERVICEDIR=" out "/share/dbus-1/services")
                (string-append "SYSTEMDDIR=" out "/lib/systemd")
                (string-append "INITDIR=" out "/etc/rc.d/init.d")
                (string-append "SELINUXDIR=" out "/etc/selinux")))
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure)
          ;; Only build this component of the shared checkout.
          (add-after 'unpack 'enter-dir
            (lambda _ (chdir #$name)))
          ;; The Makefiles of newrole, setfiles and run_init probe for the PAM
          ;; and audit headers under /usr; point them at the actual inputs.
          (add-after 'enter-dir 'ignore-/usr-tests
            (lambda* (#:key inputs #:allow-other-keys)
              ;; Rewrite lookup paths for header files.
              (substitute* '("newrole/Makefile"
                             "setfiles/Makefile"
                             "run_init/Makefile")
                (("/usr(/include/security/pam_appl.h)" _ file)
                 (search-input-file inputs file))
                (("/usr(/include/libaudit.h)" _ file)
                 (search-input-file inputs file)))))))))
    (inputs
     (list audit
           linux-pam
           libsepol
           libselinux
           libsemanage))
    (native-inputs
     (list gettext-minimal))
    (synopsis "SELinux core utilities")
    (description "The policycoreutils package contains the core utilities that
are required for the basic operation of an SELinux-enabled GNU system and its
policies. These utilities include @code{load_policy} to load policies,
@code{setfiles} to label file systems, @code{newrole} to switch roles, and
@code{run_init} to run service scripts in their proper context.")
    (license license:gpl2+)))