[jackhill/guix/guix.git] / gnu / packages / selinux.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2019, 2020, 2022 Marius Bakke <marius@gnu.org>
;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu packages selinux)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix gexp)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system python)
  #:use-module (gnu packages)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages bison)
  #:use-module (gnu packages docbook)
  #:use-module (gnu packages flex)
  #:use-module (gnu packages gettext)
  #:use-module (gnu packages glib)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages networking)
  #:use-module (gnu packages pcre)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages qt)
  #:use-module (gnu packages swig)
  #:use-module (gnu packages xml))

;; Update the SELinux packages together!

(define-public libsepol
  (package
    (name "libsepol")
    (version "3.4")
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/SELinuxProject/selinux")
                    (commit version)))
              (file-name (git-file-name "selinux" version))
              (sha256
               (base32
                "1lcmgmfr0q7g5cwg6b7jm6ncw8cw6c1jblkm93v1g37bfhcgrqc0"))))
    (build-system gnu-build-system)
    (arguments
     (list
      #:tests? #f         ; tests require checkpolicy, which requires libsepol
      #:test-target "test"
      #:make-flags
      #~(let ((out #$output))
          (list (string-append "PREFIX=" out)
                (string-append "SHLIBDIR=" out "/lib")
                (string-append "MAN3DIR=" out "/share/man/man3")
                (string-append "MAN5DIR=" out "/share/man/man5")
                (string-append "MAN8DIR=" out "/share/man/man8")
                (string-append "CFLAGS=-Wno-error")
                (string-append "LDFLAGS=-Wl,-rpath=" out "/lib")
                (string-append "CC=" #$(cc-for-target))))
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure)
          (add-after 'unpack 'enter-dir
            (lambda _ (chdir #$name)))
          (add-after 'enter-dir 'portability
            (lambda _
              (substitute* "src/ibpkeys.c"
                (("#include \"ibpkey_internal.h\"" line)
                 (string-append line "\n#include <inttypes.h>\n"))
                (("%#lx") "%#\" PRIx64 \"")))))))
    (native-inputs
     (list flex))
    (home-page "https://selinuxproject.org/")
    (synopsis "Library for manipulating SELinux policies")
    (description
     "The libsepol library provides an API for the manipulation of SELinux
binary policies.  It is used by @code{checkpolicy} (the policy compiler) and
similar tools, and programs such as @code{load_policy}, which must perform
specific transformations on binary policies (for example, customizing policy
boolean settings).")
    (license license:lgpl2.1+)))

(define-public checkpolicy
  (package/inherit libsepol
    (name "checkpolicy")
    (arguments
     (list
      #:tests? #f                       ; there is no check target
      #:make-flags
      #~(list (string-append "PREFIX=" #$output)
              (string-append "LIBSEPOLA="
                             (search-input-file %build-inputs
                                                "/lib/libsepol.a"))
              (string-append "CC=" #$(cc-for-target)))
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure)
          (delete 'portability)
          (add-after 'unpack 'enter-dir
            (lambda _ (chdir #$name))))))
    (inputs
     (list libsepol))
    (native-inputs
     (list bison flex))
    (synopsis "Check SELinux security policy configurations and modules")
    (description
     "This package provides the tools \"checkpolicy\" and \"checkmodule\".
Checkpolicy is a program that checks and compiles a SELinux security policy
configuration into a binary representation that can be loaded into the kernel.
Checkmodule is a program that checks and compiles a SELinux security policy
module into a binary representation.")
    ;; GPLv2 only
    (license license:gpl2)))

(define-public libselinux
  (package/inherit libsepol
    (name "libselinux")
    (outputs '("out" "python"))
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        #~(cons* "PYTHON=python3"
                 (string-append "LIBSEPOLA="
                                (search-input-file %build-inputs
                                                   "/lib/libsepol.a"))
                 (string-append "PYTHONLIBDIR="
                                #$output:python
                                "/lib/python"
                                #$(version-major+minor (package-version python))
                                "/site-packages/")
                 #$flags))
       ((#:phases phases)
        #~(modify-phases #$phases
            (delete 'portability)
            (replace 'enter-dir
              (lambda _ (chdir #$name)))
            (add-after 'build 'pywrap
              (lambda* (#:key make-flags #:allow-other-keys)
                (apply invoke "make" "pywrap" make-flags)))
            (add-after 'install 'install-pywrap
              (lambda* (#:key make-flags #:allow-other-keys)
                ;; The build system uses "python setup.py install" to install
                ;; Python bindings.  Instruct it to use the correct output.
                (substitute* "src/Makefile"
                  (("--prefix=\\$\\(PREFIX\\)")
                   (string-append "--prefix=" #$output:python)))

                (apply invoke "make" "install-pywrap" make-flags)))))))
    ;; These libraries are in "Requires.private" in libselinux.pc.
    (propagated-inputs
     (list libsepol pcre2))
    ;; For pywrap phase
    (inputs
     (list python-wrapper))
    ;; These inputs are only needed for the pywrap phase.
    (native-inputs
     (list pkg-config swig))
    (synopsis "SELinux core libraries and utilities")
    (description
     "The libselinux library provides an API for SELinux applications to get
and set process and file security contexts, and to obtain security policy
decisions.  It is required for any applications that use the SELinux API, and
used by all applications that are SELinux-aware.  This package also includes
the core SELinux management utilities.")
    (license license:public-domain)))

(define-public libsemanage
  (package/inherit libsepol
    (name "libsemanage")
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        #~(cons* "PYTHON=python3"
                 (string-append "PYTHONLIBDIR="
                                #$output
                                "/lib/python"
                                #$(version-major+minor (package-version python))
                                "/site-packages/")
                 #$flags))
       ((#:phases phases)
        #~(modify-phases #$phases
            (delete 'portability)
            (replace 'enter-dir
              (lambda _ (chdir #$name)))
            (add-before 'install 'adjust-semanage-conf-location
              (lambda _
                (substitute* "src/Makefile"
                  (("DEFAULT_SEMANAGE_CONF_LOCATION=/etc")
                   "DEFAULT_SEMANAGE_CONF_LOCATION=$(PREFIX)/etc"))))
            (add-after 'build 'pywrap
              (lambda* (#:key make-flags #:allow-other-keys)
                (apply invoke "make" "pywrap" make-flags)))
            (add-after 'install 'install-pywrap
              (lambda* (#:key make-flags #:allow-other-keys)
                (apply invoke "make" "install-pywrap" make-flags)))))))
    (inputs
     (list audit libsepol libselinux python-wrapper))
    (native-inputs
     (list bison flex pkg-config swig))
    (synopsis "SELinux policy management libraries")
    (description
     "The libsemanage library provides an API for the manipulation of SELinux
binary policies.")
    (license license:lgpl2.1+)))

(define-public secilc
  (package/inherit libsepol
    (name "secilc")
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        #~(let ((xsl (search-input-directory %build-inputs "xml/xsl")))
            (cons (string-append "XMLTO=xmlto --skip-validation -x "
                                 xsl "/docbook-xsl-"
                                 #$(package-version
                                    (this-package-native-input "docbook-xsl"))
                                 "/manpages/docbook.xsl")
                  #$flags)))
       ((#:phases phases)
        #~(modify-phases #$phases
            (delete 'portability)
            (replace 'enter-dir
              (lambda _ (chdir #$name)))))))
    (inputs
     (list libsepol))
    (native-inputs
     (list xmlto docbook-xsl))
    (synopsis "SELinux common intermediate language (CIL) compiler")
    (description "The SELinux CIL compiler is a compiler that converts the
@dfn{common intermediate language} (CIL) into a kernel binary policy file.")
    (license license:bsd-2)))

(define-public python-sepolgen
  (package/inherit libsepol
    (name "python-sepolgen")
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:modules _ #~%gnu-build-system-modules)
        '((srfi srfi-1)
          (guix build gnu-build-system)
          (guix build utils)))
       ((#:phases phases)
        #~(modify-phases #$phases
            (delete 'portability)
            (replace 'enter-dir
              (lambda _ (chdir "python/sepolgen")))
            ;; By default all Python files would be installed to
            ;; $out/gnu/store/...-python-.../, so we override the
            ;; PACKAGEDIR to fix this.
            (add-after 'enter-dir 'fix-target-path
              (lambda* (#:key inputs #:allow-other-keys)
                (let ((get-python-version
                       ;; FIXME: copied from python-build-system
                       (lambda (python)
                         (let* ((version     (last (string-split python #\-)))
                                (components  (string-split version #\.))
                                (major+minor (take components 2)))
                           (string-join major+minor "."))))
                      (python (dirname (dirname (search-input-file
                                                 inputs "bin/python3")))))
                  (substitute* "src/sepolgen/Makefile"
                    (("^PACKAGEDIR.*")
                     (string-append "PACKAGEDIR="
                                    #$output
                                    "/lib/python"
                                    (get-python-version python)
                                    "/site-packages/sepolgen")))
                  (substitute* "src/share/Makefile"
                    (("\\$\\(DESTDIR\\)") #$output)))))))))
    (inputs
     (list python-wrapper))
    (native-inputs '())
    (synopsis "Python module for generating SELinux policies")
    (description
     "This package contains a Python module that forms the core of
@code{audit2allow}, a part of the package @code{policycoreutils}.  The
sepolgen library contains: Reference Policy Representation, which are Objects
for representing policies and the reference policy interfaces.  It has objects
and algorithms for representing access and sets of access in an abstract way
and searching that access.  It also has a parser for reference policy
\"headers\".  It contains infrastructure for parsing SELinux related messages
as produced by the audit system.  It has facilities for generating policy
based on required access.")
    ;; GPLv2 only
    (license license:gpl2)))

(define-public python-setools
  (package
    (name "python-setools")
    (version "4.4.0")
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/SELinuxProject/setools")
                    (commit version)))
              (file-name (string-append name "-" version "-checkout"))
              (sha256
               (base32
                "1qvd5j6zwq4fmlahg45swjplhif2z89x7s6pnp07gvcp2fbqdsh5"))))
    (build-system python-build-system)
    (arguments
     `(#:tests? #f ; the test target causes a rebuild
       #:phases
       (modify-phases %standard-phases
         (delete 'portability)
         (add-after 'unpack 'set-SEPOL-variable
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "SEPOL"
                     (search-input-file inputs "/lib/libsepol.a"))))
         (add-after 'unpack 'remove-Werror
           (lambda _
             (substitute* "setup.py"
               (("'-Werror',") ""))
             #t))
         (add-after 'unpack 'fix-target-paths
           (lambda* (#:key outputs #:allow-other-keys)
             (substitute* "setup.py"
               (("join\\(sys.prefix")
                (string-append "join(\"" (assoc-ref outputs "out") "/\"")))
             #t)))))
    (propagated-inputs
     (list python-networkx))
    (inputs
     (list libsepol libselinux python-pyqt))
    (native-inputs
     (list bison flex python-cython swig))
    (home-page "https://github.com/SELinuxProject/setools")
    (synopsis "Tools for SELinux policy analysis")
    (description "SETools is a collection of graphical tools, command-line
tools, and libraries designed to facilitate SELinux policy analysis.")
    ;; Some programs are under GPL, all libraries under LGPL.
    (license (list license:lgpl2.1+
                   license:gpl2+))))

(define-public policycoreutils
  (package/inherit libsepol
    (name "policycoreutils")
    (arguments
     (list
      #:test-target "test"
      #:make-flags
      #~(let ((out #$output))
          (list (string-append "CC=" #$(cc-for-target))
                (string-append "PREFIX=" out)
                (string-append "LOCALEDIR=" out "/share/locale")
                (string-append "BASHCOMPLETIONDIR=" out
                               "/share/bash-completion/completions")
                "INSTALL=install -c -p"
                "INSTALL_DIR=install -d"
                ;; These ones are needed because some Makefiles define the
                ;; directories relative to DESTDIR, not relative to PREFIX.
                (string-append "SBINDIR=" out "/sbin")
                (string-append "ETCDIR=" out "/etc")
                (string-append "SYSCONFDIR=" out "/etc/sysconfig")
                (string-append "MAN5DIR=" out "/share/man/man5")
                (string-append "INSTALL_NLS_DIR=" out "/share/locale")
                (string-append "AUTOSTARTDIR=" out "/etc/xdg/autostart")
                (string-append "DBUSSERVICEDIR=" out "/share/dbus-1/services")
                (string-append "SYSTEMDDIR=" out "/lib/systemd")
                (string-append "INITDIR=" out "/etc/rc.d/init.d")
                (string-append "SELINUXDIR=" out "/etc/selinux")))
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure)
          (add-after 'unpack 'enter-dir
            (lambda _ (chdir #$name)))
          (add-after 'enter-dir 'ignore-/usr-tests
            (lambda* (#:key inputs #:allow-other-keys)
              ;; Rewrite lookup paths for header files.
              (substitute* '("newrole/Makefile"
                             "setfiles/Makefile"
                             "run_init/Makefile")
                (("/usr(/include/security/pam_appl.h)" _ file)
                 (search-input-file inputs file))
                (("/usr(/include/libaudit.h)" _ file)
                 (search-input-file inputs file))))))))
    (inputs
     (list audit
           linux-pam
           libsepol
           libselinux
           libsemanage))
    (native-inputs
     (list gettext-minimal))
    (synopsis "SELinux core utilities")
    (description "The policycoreutils package contains the core utilities that
are required for the basic operation of an SELinux-enabled GNU system and its
policies.  These utilities include @code{load_policy} to load policies,
@code{setfiles} to label file systems, @code{newrole} to switch roles, and
@code{run_init} to run service scripts in their proper context.")
    (license license:gpl2+)))
Commit	Line	Data
f269ad25	1	;;; GNU Guix --- Functional package management for GNU
ca56021c	2	;;; Copyright © 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
bb6c3d23	3	;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
0d79288f	4	;;; Copyright © 2019, 2020, 2022 Marius Bakke <marius@gnu.org>
545aeb70	5	;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
5b0d7819	6	;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
f269ad25 RW	7	;;;
	8	;;; This file is part of GNU Guix.
	9	;;;
	10	;;; GNU Guix is free software; you can redistribute it and/or modify it
	11	;;; under the terms of the GNU General Public License as published by
	12	;;; the Free Software Foundation; either version 3 of the License, or (at
	13	;;; your option) any later version.
	14	;;;
	15	;;; GNU Guix is distributed in the hope that it will be useful, but
	16	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	17	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	;;; GNU General Public License for more details.
	19	;;;
	20	;;; You should have received a copy of the GNU General Public License
	21	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	22
	23	(define-module (gnu packages selinux)
	24	#:use-module ((guix licenses) #:prefix license:)
	25	#:use-module (guix packages)
86084aa4	26	#:use-module (guix gexp)
f269ad25	27	#:use-module (guix download)
ca56021c	28	#:use-module (guix git-download)
f269ad25 RW	29	#:use-module (guix utils)
f269ad25 RW	30	#:use-module (guix build-system gnu)
4724d729	31	#:use-module (guix build-system python)
f269ad25	32	#:use-module (gnu packages)
32be6601	33	#:use-module (gnu packages admin)
66af08fb	34	#:use-module (gnu packages bison)
c837027d	35	#:use-module (gnu packages docbook)
4724d729	36	#:use-module (gnu packages flex)
6ef94ecb RW	37	#:use-module (gnu packages gettext)
	38	#:use-module (gnu packages glib)
	39	#:use-module (gnu packages linux)
	40	#:use-module (gnu packages networking)
4724d729 RW	41	#:use-module (gnu packages pcre)
	42	#:use-module (gnu packages pkg-config)
	43	#:use-module (gnu packages python)
44d10b1f	44	#:use-module (gnu packages python-xyz)
d1c3de65	45	#:use-module (gnu packages qt)
32be6601	46	#:use-module (gnu packages swig)
c837027d	47	#:use-module (gnu packages xml))
f269ad25 RW	48
	49	;; Update the SELinux packages together!
	50
	51	(define-public libsepol
	52	(package
	53	(name "libsepol")
0d79288f	54	(version "3.4")
545aeb70 EF	55	(source (origin
	56	(method git-fetch)
	57	(uri (git-reference
d7278e40 MB	58	(url "https://github.com/SELinuxProject/selinux")
d7278e40 MB	59	(commit version)))
545aeb70 EF	60	(file-name (git-file-name "selinux" version))
	61	(sha256
	62	(base32
0d79288f	63	"1lcmgmfr0q7g5cwg6b7jm6ncw8cw6c1jblkm93v1g37bfhcgrqc0"))))
f269ad25 RW	64	(build-system gnu-build-system)
f269ad25 RW	65	(arguments
d7278e40 MB	66	(list
	67	#:tests? #f ; tests require checkpolicy, which requires libsepol
	68	#:test-target "test"
	69	#:make-flags
	70	#~(let ((out #$output))
	71	(list (string-append "PREFIX=" out)
	72	(string-append "SHLIBDIR=" out "/lib")
	73	(string-append "MAN3DIR=" out "/share/man/man3")
	74	(string-append "MAN5DIR=" out "/share/man/man5")
	75	(string-append "MAN8DIR=" out "/share/man/man8")
	76	(string-append "CFLAGS=-Wno-error")
	77	(string-append "LDFLAGS=-Wl,-rpath=" out "/lib")
	78	(string-append "CC=" #$(cc-for-target))))
	79	#:phases
	80	#~(modify-phases %standard-phases
	81	(delete 'configure)
	82	(add-after 'unpack 'enter-dir
	83	(lambda _ (chdir #$name)))
	84	(add-after 'enter-dir 'portability
	85	(lambda _
	86	(substitute* "src/ibpkeys.c"
	87	(("#include \"ibpkey_internal.h\"" line)
	88	(string-append line "\n#include <inttypes.h>\n"))
	89	(("%#lx") "%#\" PRIx64 \"")))))))
f269ad25	90	(native-inputs
8394619b	91	(list flex))
f269ad25 RW	92	(home-page "https://selinuxproject.org/")
	93	(synopsis "Library for manipulating SELinux policies")
	94	(description
	95	"The libsepol library provides an API for the manipulation of SELinux
	96	binary policies. It is used by @code{checkpolicy} (the policy compiler) and
	97	similar tools, and programs such as @code{load_policy}, which must perform
	98	specific transformations on binary policies (for example, customizing policy
	99	boolean settings).")
	100	(license license:lgpl2.1+)))
66af08fb RW	101
66af08fb RW	102	(define-public checkpolicy
1a265842	103	(package/inherit libsepol
66af08fb RW	104	(name "checkpolicy")
66af08fb RW	105	(arguments
86084aa4 MB	106	(list
	107	#:tests? #f ; there is no check target
	108	#:make-flags
	109	#~(list (string-append "PREFIX=" #$output)
	110	(string-append "LIBSEPOLA="
	111	(search-input-file %build-inputs
	112	"/lib/libsepol.a"))
	113	(string-append "CC=" #$(cc-for-target)))
	114	#:phases
	115	#~(modify-phases %standard-phases
	116	(delete 'configure)
	117	(delete 'portability)
	118	(add-after 'unpack 'enter-dir
	119	(lambda _ (chdir #$name))))))
66af08fb	120	(inputs
86084aa4	121	(list libsepol))
66af08fb	122	(native-inputs
86084aa4	123	(list bison flex))
66af08fb RW	124	(synopsis "Check SELinux security policy configurations and modules")
	125	(description
	126	"This package provides the tools \"checkpolicy\" and \"checkmodule\".
	127	Checkpolicy is a program that checks and compiles a SELinux security policy
	128	configuration into a binary representation that can be loaded into the kernel.
	129	Checkmodule is a program that checks and compiles a SELinux security policy
	130	module into a binary representation.")
	131	;; GPLv2 only
	132	(license license:gpl2)))
4724d729 RW	133
4724d729 RW	134	(define-public libselinux
1a265842	135	(package/inherit libsepol
4724d729	136	(name "libselinux")
568d0603	137	(outputs '("out" "python"))
4724d729 RW	138	(arguments
	139	(substitute-keyword-arguments (package-arguments libsepol)
	140	((#:make-flags flags)
54f14833 MB	141	#~(cons* "PYTHON=python3"
	142	(string-append "LIBSEPOLA="
	143	(search-input-file %build-inputs
	144	"/lib/libsepol.a"))
	145	(string-append "PYTHONLIBDIR="
	146	#$output:python
	147	"/lib/python"
	148	#$(version-major+minor (package-version python))
	149	"/site-packages/")
	150	#$flags))
4724d729	151	((#:phases phases)
54f14833 MB	152	#~(modify-phases #$phases
	153	(delete 'portability)
	154	(replace 'enter-dir
	155	(lambda _ (chdir #$name)))
	156	(add-after 'build 'pywrap
	157	(lambda* (#:key make-flags #:allow-other-keys)
	158	(apply invoke "make" "pywrap" make-flags)))
	159	(add-after 'install 'install-pywrap
	160	(lambda* (#:key make-flags #:allow-other-keys)
	161	;; The build system uses "python setup.py install" to install
	162	;; Python bindings. Instruct it to use the correct output.
	163	(substitute* "src/Makefile"
	164	(("--prefix=\\$\\(PREFIX\\)")
	165	(string-append "--prefix=" #$output:python)))
	166
	167	(apply invoke "make" "install-pywrap" make-flags)))))))
9ffc1f0e KK	168	;; These libraries are in "Requires.private" in libselinux.pc.
9ffc1f0e KK	169	(propagated-inputs
54f14833	170	(list libsepol pcre2))
9ffc1f0e KK	171	;; For pywrap phase
9ffc1f0e KK	172	(inputs
54f14833	173	(list python-wrapper))
4724d729 RW	174	;; These inputs are only needed for the pywrap phase.
4724d729 RW	175	(native-inputs
54f14833	176	(list pkg-config swig))
4724d729 RW	177	(synopsis "SELinux core libraries and utilities")
	178	(description
	179	"The libselinux library provides an API for SELinux applications to get
	180	and set process and file security contexts, and to obtain security policy
	181	decisions. It is required for any applications that use the SELinux API, and
	182	used by all applications that are SELinux-aware. This package also includes
	183	the core SELinux management utilities.")
	184	(license license:public-domain)))
32be6601 RW	185
32be6601 RW	186	(define-public libsemanage
1a265842	187	(package/inherit libsepol
32be6601 RW	188	(name "libsemanage")
	189	(arguments
	190	(substitute-keyword-arguments (package-arguments libsepol)
	191	((#:make-flags flags)
9bfdd1e7 MB	192	#~(cons* "PYTHON=python3"
	193	(string-append "PYTHONLIBDIR="
	194	#$output
	195	"/lib/python"
	196	#$(version-major+minor (package-version python))
	197	"/site-packages/")
	198	#$flags))
32be6601	199	((#:phases phases)
9bfdd1e7 MB	200	#~(modify-phases #$phases
	201	(delete 'portability)
	202	(replace 'enter-dir
	203	(lambda _ (chdir #$name)))
	204	(add-before 'install 'adjust-semanage-conf-location
	205	(lambda _
	206	(substitute* "src/Makefile"
	207	(("DEFAULT_SEMANAGE_CONF_LOCATION=/etc")
	208	"DEFAULT_SEMANAGE_CONF_LOCATION=$(PREFIX)/etc"))))
	209	(add-after 'build 'pywrap
	210	(lambda* (#:key make-flags #:allow-other-keys)
	211	(apply invoke "make" "pywrap" make-flags)))
	212	(add-after 'install 'install-pywrap
	213	(lambda* (#:key make-flags #:allow-other-keys)
	214	(apply invoke "make" "install-pywrap" make-flags)))))))
32be6601	215	(inputs
9bfdd1e7	216	(list audit libsepol libselinux python-wrapper))
32be6601	217	(native-inputs
9bfdd1e7	218	(list bison flex pkg-config swig))
32be6601 RW	219	(synopsis "SELinux policy management libraries")
	220	(description
	221	"The libsemanage library provides an API for the manipulation of SELinux
	222	binary policies.")
	223	(license license:lgpl2.1+)))
c837027d RW	224
c837027d RW	225	(define-public secilc
1a265842	226	(package/inherit libsepol
c837027d RW	227	(name "secilc")
	228	(arguments
	229	(substitute-keyword-arguments (package-arguments libsepol)
	230	((#:make-flags flags)
71d07d82 MB	231	#~(let ((xsl (search-input-directory %build-inputs "xml/xsl")))
	232	(cons (string-append "XMLTO=xmlto --skip-validation -x "
	233	xsl "/docbook-xsl-"
	234	#$(package-version
	235	(this-package-native-input "docbook-xsl"))
	236	"/manpages/docbook.xsl")
	237	#$flags)))
c837027d	238	((#:phases phases)
71d07d82 MB	239	#~(modify-phases #$phases
	240	(delete 'portability)
	241	(replace 'enter-dir
	242	(lambda _ (chdir #$name)))))))
c837027d	243	(inputs
71d07d82	244	(list libsepol))
c837027d	245	(native-inputs
71d07d82	246	(list xmlto docbook-xsl))
c837027d RW	247	(synopsis "SELinux common intermediate language (CIL) compiler")
	248	(description "The SELinux CIL compiler is a compiler that converts the
	249	@dfn{common intermediate language} (CIL) into a kernel binary policy file.")
	250	(license license:bsd-2)))
d7e2d273 RW	251
d7e2d273 RW	252	(define-public python-sepolgen
1a265842	253	(package/inherit libsepol
d7e2d273 RW	254	(name "python-sepolgen")
d7e2d273 RW	255	(arguments
46bb84bb MB	256	(substitute-keyword-arguments (package-arguments libsepol)
	257	((#:modules _ #~%gnu-build-system-modules)
	258	'((srfi srfi-1)
	259	(guix build gnu-build-system)
	260	(guix build utils)))
	261	((#:phases phases)
	262	#~(modify-phases #$phases
	263	(delete 'portability)
	264	(replace 'enter-dir
	265	(lambda _ (chdir "python/sepolgen")))
	266	;; By default all Python files would be installed to
	267	;; $out/gnu/store/...-python-.../, so we override the
	268	;; PACKAGEDIR to fix this.
	269	(add-after 'enter-dir 'fix-target-path
	270	(lambda* (#:key inputs #:allow-other-keys)
	271	(let ((get-python-version
	272	;; FIXME: copied from python-build-system
	273	(lambda (python)
	274	(let* ((version (last (string-split python #\-)))
	275	(components (string-split version #\.))
	276	(major+minor (take components 2)))
	277	(string-join major+minor "."))))
	278	(python (dirname (dirname (search-input-file
	279	inputs "bin/python3")))))
	280	(substitute* "src/sepolgen/Makefile"
	281	(("^PACKAGEDIR.*")
	282	(string-append "PACKAGEDIR="
	283	#$output
	284	"/lib/python"
	285	(get-python-version python)
	286	"/site-packages/sepolgen")))
	287	(substitute* "src/share/Makefile"
	288	(("\\$\\(DESTDIR\\)") #$output)))))))))
d7e2d273	289	(inputs
46bb84bb	290	(list python-wrapper))
d7e2d273 RW	291	(native-inputs '())
	292	(synopsis "Python module for generating SELinux policies")
	293	(description
	294	"This package contains a Python module that forms the core of
	295	@code{audit2allow}, a part of the package @code{policycoreutils}. The
	296	sepolgen library contains: Reference Policy Representation, which are Objects
	297	for representing policies and the reference policy interfaces. It has objects
	298	and algorithms for representing access and sets of access in an abstract way
	299	and searching that access. It also has a parser for reference policy
	300	\"headers\". It contains infrastructure for parsing SELinux related messages
	301	as produced by the audit system. It has facilities for generating policy
	302	based on required access.")
	303	;; GPLv2 only
	304	(license license:gpl2)))
41da8dbe	305
41da8dbe RW	306	(define-public python-setools
	307	(package
	308	(name "python-setools")
d1c3de65	309	(version "4.4.0")
41da8dbe	310	(source (origin
ca56021c RW	311	(method git-fetch)
ca56021c RW	312	(uri (git-reference
d1c3de65	313	(url "https://github.com/SELinuxProject/setools")
ca56021c RW	314	(commit version)))
ca56021c RW	315	(file-name (string-append name "-" version "-checkout"))
41da8dbe RW	316	(sha256
41da8dbe RW	317	(base32
d1c3de65	318	"1qvd5j6zwq4fmlahg45swjplhif2z89x7s6pnp07gvcp2fbqdsh5"))))
41da8dbe RW	319	(build-system python-build-system)
	320	(arguments
	321	`(#:tests? #f ; the test target causes a rebuild
	322	#:phases
	323	(modify-phases %standard-phases
50e87903	324	(delete 'portability)
41da8dbe RW	325	(add-after 'unpack 'set-SEPOL-variable
	326	(lambda* (#:key inputs #:allow-other-keys)
	327	(setenv "SEPOL"
377e9453	328	(search-input-file inputs "/lib/libsepol.a"))))
41da8dbe RW	329	(add-after 'unpack 'remove-Werror
	330	(lambda _
	331	(substitute* "setup.py"
	332	(("'-Werror',") ""))
	333	#t))
	334	(add-after 'unpack 'fix-target-paths
	335	(lambda* (#:key outputs #:allow-other-keys)
	336	(substitute* "setup.py"
	337	(("join\\(sys.prefix")
	338	(string-append "join(\"" (assoc-ref outputs "out") "/\"")))
	339	#t)))))
	340	(propagated-inputs
8394619b	341	(list python-networkx))
41da8dbe	342	(inputs
d1c3de65	343	(list libsepol libselinux python-pyqt))
41da8dbe	344	(native-inputs
d1c3de65 GH	345	(list bison flex python-cython swig))
d1c3de65 GH	346	(home-page "https://github.com/SELinuxProject/setools")
41da8dbe RW	347	(synopsis "Tools for SELinux policy analysis")
	348	(description "SETools is a collection of graphical tools, command-line
	349	tools, and libraries designed to facilitate SELinux policy analysis.")
	350	;; Some programs are under GPL, all libraries under LGPL.
	351	(license (list license:lgpl2.1+
	352	license:gpl2+))))
6ef94ecb RW	353
6ef94ecb RW	354	(define-public policycoreutils
1a265842	355	(package/inherit libsepol
6ef94ecb	356	(name "policycoreutils")
6ef94ecb	357	(arguments
e015fc17 MB	358	(list
	359	#:test-target "test"
	360	#:make-flags
	361	#~(let ((out #$output))
	362	(list (string-append "CC=" #$(cc-for-target))
	363	(string-append "PREFIX=" out)
	364	(string-append "LOCALEDIR=" out "/share/locale")
	365	(string-append "BASHCOMPLETIONDIR=" out
	366	"/share/bash-completion/completions")
	367	"INSTALL=install -c -p"
	368	"INSTALL_DIR=install -d"
	369	;; These ones are needed because some Makefiles define the
	370	;; directories relative to DESTDIR, not relative to PREFIX.
	371	(string-append "SBINDIR=" out "/sbin")
	372	(string-append "ETCDIR=" out "/etc")
	373	(string-append "SYSCONFDIR=" out "/etc/sysconfig")
	374	(string-append "MAN5DIR=" out "/share/man/man5")
	375	(string-append "INSTALL_NLS_DIR=" out "/share/locale")
	376	(string-append "AUTOSTARTDIR=" out "/etc/xdg/autostart")
	377	(string-append "DBUSSERVICEDIR=" out "/share/dbus-1/services")
	378	(string-append "SYSTEMDDIR=" out "/lib/systemd")
	379	(string-append "INITDIR=" out "/etc/rc.d/init.d")
	380	(string-append "SELINUXDIR=" out "/etc/selinux")))
	381	#:phases
	382	#~(modify-phases %standard-phases
	383	(delete 'configure)
	384	(add-after 'unpack 'enter-dir
	385	(lambda _ (chdir #$name)))
	386	(add-after 'enter-dir 'ignore-/usr-tests
	387	(lambda* (#:key inputs #:allow-other-keys)
	388	;; Rewrite lookup paths for header files.
	389	(substitute* '("newrole/Makefile"
	390	"setfiles/Makefile"
	391	"run_init/Makefile")
	392	(("/usr(/include/security/pam_appl.h)" _ file)
	393	(search-input-file inputs file))
	394	(("/usr(/include/libaudit.h)" _ file)
	395	(search-input-file inputs file))))))))
6ef94ecb	396	(inputs
c6e3f4eb MB	397	(list audit
	398	linux-pam
	399	libsepol
	400	libselinux
	401	libsemanage))
6ef94ecb	402	(native-inputs
c6e3f4eb	403	(list gettext-minimal))
6ef94ecb RW	404	(synopsis "SELinux core utilities")
	405	(description "The policycoreutils package contains the core utilities that
	406	are required for the basic operation of an SELinux-enabled GNU system and its
	407	policies. These utilities include @code{load_policy} to load policies,
	408	@code{setfiles} to label file systems, @code{newrole} to switch roles, and
	409	@code{run_init} to run service scripts in their proper context.")
	410	(license license:gpl2+)))