1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
3 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
4 ;;; Copyright © 2019, 2020 Marius Bakke <mbakke@fastmail.com>
5 ;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
6 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
7 ;;;
8 ;;; This file is part of GNU Guix.
9 ;;;
10 ;;; GNU Guix is free software; you can redistribute it and/or modify it
11 ;;; under the terms of the GNU General Public License as published by
12 ;;; the Free Software Foundation; either version 3 of the License, or (at
13 ;;; your option) any later version.
14 ;;;
15 ;;; GNU Guix is distributed in the hope that it will be useful, but
16 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;;; GNU General Public License for more details.
19 ;;;
20 ;;; You should have received a copy of the GNU General Public License
21 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
22
23 (define-module (gnu packages selinux)
24 #:use-module ((guix licenses) #:prefix license:)
25 #:use-module (guix packages)
26 #:use-module (guix download)
27 #:use-module (guix git-download)
28 #:use-module (guix utils)
29 #:use-module (guix build-system gnu)
30 #:use-module (guix build-system python)
31 #:use-module (gnu packages)
32 #:use-module (gnu packages admin)
33 #:use-module (gnu packages bison)
34 #:use-module (gnu packages docbook)
35 #:use-module (gnu packages flex)
36 #:use-module (gnu packages gettext)
37 #:use-module (gnu packages glib)
38 #:use-module (gnu packages linux)
39 #:use-module (gnu packages networking)
40 #:use-module (gnu packages pcre)
41 #:use-module (gnu packages pkg-config)
42 #:use-module (gnu packages python)
43 #:use-module (gnu packages python-xyz)
44 #:use-module (gnu packages swig)
45 #:use-module (gnu packages xml))
46
47 ;; Update the SELinux packages together!
48
(define-public libsepol
  (package
    (name "libsepol")
    (version "3.2")
    (home-page "https://selinuxproject.org/")
    ;; Every SELinux userspace component lives in the same upstream
    ;; repository and is tagged together, so the tag is the bare version
    ;; string.  The sha256 pins the checkout contents regardless of where
    ;; the tag points.
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/SELinuxProject/selinux")
                    (commit version)))
              (file-name (git-file-name "selinux" version))
              (sha256
               (base32
                "03p3lmvrvkcvsmiczsjzhyfgxlxdkdyq0p8igv3s3hdak5n92jjn"))))
    (build-system gnu-build-system)
    ;; These arguments are the template that libselinux, libsemanage, secilc
    ;; and python-sepolgen below extend via substitute-keyword-arguments;
    ;; keep the phase names stable.
    (arguments
     `(#:tests? #f ; tests require checkpolicy, which requires libsepol
       #:test-target "test"
       #:make-flags
       (let* ((prefix (assoc-ref %outputs "out"))
              (libdir (string-append prefix "/lib"))
              (mandir (string-append prefix "/share/man")))
         (list (string-append "PREFIX=" prefix)
               (string-append "SHLIBDIR=" libdir)
               (string-append "MAN3DIR=" mandir "/man3")
               (string-append "MAN5DIR=" mandir "/man5")
               (string-append "MAN8DIR=" mandir "/man8")
               ;; Overrides the Makefile's CFLAGS; presumably to keep a
               ;; warning from failing the build under -Werror.
               "CFLAGS=-Wno-error"
               ;; Run-time search path for the installed shared library.
               (string-append "LDFLAGS=-Wl,-rpath=" libdir)
               (string-append "CC=" ,(cc-for-target))))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)            ; Makefile-only tree, nothing to configure
         ;; NAME is the package name, which is also the component's
         ;; sub-directory in the shared checkout.
         (add-after 'unpack 'enter-dir
           (lambda _ (chdir ,name)))
         ;; Use a fixed-width format macro for the uint64 printed in
         ;; ibpkeys.c.  Dependents that inherit these phases remove this
         ;; one by name.
         (add-after 'enter-dir 'portability
           (lambda _
             (substitute* "src/ibpkeys.c"
               (("#include \"ibpkey_internal.h\"" include)
                (string-append include "\n#include <inttypes.h>\n"))
               (("%#lx") "%#\" PRIx64 \"")))))))
    (native-inputs
     (list flex))
    (synopsis "Library for manipulating SELinux policies")
    (description
     "The libsepol library provides an API for the manipulation of SELinux
binary policies. It is used by @code{checkpolicy} (the policy compiler) and
similar tools, and programs such as @code{load_policy}, which must perform
specific transformations on binary policies (for example, customizing policy
boolean settings).")
    (license license:lgpl2.1+)))
98
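(define-public checkpolicy
  (package/inherit libsepol
    (name "checkpolicy")
    ;; The arguments are replaced wholesale rather than derived from
    ;; libsepol's, so the phases start from gnu-build-system's
    ;; %standard-phases, which has no 'portability phase to delete.
    (arguments
     `(#:tests? #f ; there is no check target
       #:make-flags
       (let ((out (assoc-ref %outputs "out")))
         (list (string-append "PREFIX=" out)
               ;; Static libsepol archive; the "libsepol" label is the
               ;; package name of the list-style input below.
               (string-append "LIBSEPOLA="
                              (assoc-ref %build-inputs "libsepol")
                              "/lib/libsepol.a")
               (string-append "CC=" ,(cc-for-target))))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)
         ;; NAME is the package name, i.e. this component's sub-directory
         ;; of the shared SELinux checkout.
         (add-after 'unpack 'enter-dir
           (lambda _ (chdir ,name))))))
    (inputs
     (list libsepol))
    (native-inputs
     (list bison flex))
    (synopsis "Check SELinux security policy configurations and modules")
    (description
     "This package provides the tools \"checkpolicy\" and \"checkmodule\".
Checkpolicy is a program that checks and compiles a SELinux security policy
configuration into a binary representation that can be loaded into the kernel.
Checkmodule is a program that checks and compiles a SELinux security policy
module into a binary representation.")
    ;; GPLv2 only
    (license license:gpl2)))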
131
(define-public libselinux
  (package/inherit libsepol
    (name "libselinux")
    ;; The Python bindings are installed into the separate "python" output
    ;; (see PYTHONLIBDIR and the install-pywrap phase below).
    (outputs '("out" "python"))
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        ;; Prepended to libsepol's flags.  LIBSEPOLA names the static
        ;; archive of the libsepol input; PYTHONLIBDIR is derived host-side
        ;; from the major.minor of the `python' package.
        `(cons* "PYTHON=python3"
                (string-append "LIBSEPOLA="
                               (assoc-ref %build-inputs "libsepol")
                               "/lib/libsepol.a")
                (string-append "PYTHONLIBDIR="
                               (assoc-ref %outputs "python")
                               "/lib/python"
                               ,(version-major+minor (package-version python))
                               "/site-packages/")
                ,flags))
       ((#:phases phases)
        `(modify-phases ,phases
           ;; libsepol's src/ibpkeys.c substitution does not apply here.
           (delete 'portability)
           ;; NAME is "libselinux", the component's sub-directory.
           (replace 'enter-dir
             (lambda _ (chdir ,name)))
           (add-after 'build 'pywrap
             (lambda* (#:key make-flags #:allow-other-keys)
               (apply invoke "make" "pywrap" make-flags)))
           (add-after 'install 'install-pywrap
             (lambda* (#:key make-flags outputs #:allow-other-keys)
               ;; The build system uses "python setup.py install" to install
               ;; Python bindings.  Instruct it to use the correct output
               ;; instead of PREFIX (which is "out").
               (substitute* "src/Makefile"
                 (("--prefix=\\$\\(PREFIX\\)")
                  (string-append "--prefix=" (assoc-ref outputs "python"))))

               (apply invoke "make" "install-pywrap" make-flags)))))))
    ;; These libraries are in "Requires.private" in libselinux.pc, so
    ;; anything linking against libselinux needs them too.
    (propagated-inputs
     `(("libsepol" ,libsepol)
       ("pcre" ,pcre)))
    ;; For pywrap phase
    (inputs
     `(("python" ,python-wrapper)))
    ;; These inputs are only needed for the pywrap phase.
    (native-inputs
     `(("swig" ,swig)
       ("pkg-config" ,pkg-config)))
    (synopsis "SELinux core libraries and utilities")
    (description
     "The libselinux library provides an API for SELinux applications to get
and set process and file security contexts, and to obtain security policy
decisions. It is required for any applications that use the SELinux API, and
used by all applications that are SELinux-aware. This package also includes
the core SELinux management utilities.")
    (license license:public-domain)))
185
(define-public libsemanage
  (package/inherit libsepol
    (name "libsemanage")
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        ;; Prepended to libsepol's flags.  Unlike libselinux, the Python
        ;; bindings go into the single "out" output.
        `(cons* "PYTHON=python3"
                (string-append "PYTHONLIBDIR="
                               (assoc-ref %outputs "out")
                               "/lib/python"
                               ,(version-major+minor (package-version python))
                               "/site-packages/")
                ,flags))
       ((#:phases phases)
        `(modify-phases ,phases
           ;; libsepol's src/ibpkeys.c substitution does not apply here.
           (delete 'portability)
           ;; NAME is "libsemanage", the component's sub-directory.
           (replace 'enter-dir
             (lambda _ (chdir ,name)))
           ;; The compiled-in default location of semanage.conf becomes
           ;; $PREFIX/etc (inside the store) rather than /etc.  A
           ;; system-wide /etc/selinux/semanage.conf is therefore not the
           ;; built-in default; callers needing it must point the library
           ;; at it explicitly (how, if at all, is not visible here).
           (add-before 'install 'adjust-semanage-conf-location
             (lambda _
               (substitute* "src/Makefile"
                 (("DEFAULT_SEMANAGE_CONF_LOCATION=/etc")
                  "DEFAULT_SEMANAGE_CONF_LOCATION=$(PREFIX)/etc"))))
           (add-after 'build 'pywrap
             (lambda* (#:key make-flags #:allow-other-keys)
               (apply invoke "make" "pywrap" make-flags)))
           (add-after 'install 'install-pywrap
             (lambda* (#:key make-flags #:allow-other-keys)
               (apply invoke "make" "install-pywrap" make-flags)))))))
    (inputs
     `(("libsepol" ,libsepol)
       ("libselinux" ,libselinux)
       ("audit" ,audit)
       ;; For pywrap phase
       ("python" ,python-wrapper)))
    (native-inputs
     `(("bison" ,bison)
       ("flex" ,flex)
       ;; For pywrap phase
       ("swig" ,swig)
       ("pkg-config" ,pkg-config)))
    (synopsis "SELinux policy management libraries")
    (description
     "The libsemanage library provides an API for the manipulation of SELinux
binary policies.")
    (license license:lgpl2.1+)))
232
(define-public secilc
  (package/inherit libsepol
    (name "secilc")
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        ;; Point xmlto at the DocBook manpage stylesheet of the docbook-xsl
        ;; input; the version component is resolved host-side.
        ;; --skip-validation avoids DTD validation of the man page sources.
        `(let* ((xsl-root (assoc-ref %build-inputs "docbook-xsl"))
                (stylesheet (string-append xsl-root "/xml/xsl/docbook-xsl-"
                                           ,(package-version docbook-xsl)
                                           "/manpages/docbook.xsl")))
           (cons (string-append "XMLTO=xmlto --skip-validation -x " stylesheet)
                 ,flags)))
       ((#:phases phases)
        `(modify-phases ,phases
           ;; libsepol's src/ibpkeys.c substitution does not apply here.
           (delete 'portability)
           ;; NAME is "secilc", the component's sub-directory.
           (replace 'enter-dir
             (lambda _ (chdir ,name)))))))
    (inputs
     (list libsepol))
    (native-inputs
     (list xmlto docbook-xsl))
    (synopsis "SELinux common intermediate language (CIL) compiler")
    (description "The SELinux CIL compiler is a compiler that converts the
@dfn{common intermediate language} (CIL) into a kernel binary policy file.")
    (license license:bsd-2)))
259
(define-public python-sepolgen
  (package/inherit libsepol
    (name "python-sepolgen")
    (arguments
     ;; (srfi srfi-1) is needed build-side for `last' and `take' in
     ;; fix-target-path; the rest of libsepol's arguments (including its
     ;; make-flags) are spliced in unchanged.
     `(#:modules ((srfi srfi-1)
                  (guix build gnu-build-system)
                  (guix build utils))
       ,@(substitute-keyword-arguments (package-arguments libsepol)
           ((#:phases phases)
            `(modify-phases ,phases
               ;; libsepol's src/ibpkeys.c substitution does not apply here.
               (delete 'portability)
               ;; sepolgen is not a top-level component of the checkout.
               (replace 'enter-dir
                 (lambda _ (chdir "python/sepolgen")))
               ;; By default all Python files would be installed to
               ;; $out/gnu/store/...-python-.../, so we override the
               ;; PACKAGEDIR to fix this.
               (add-after 'enter-dir 'fix-target-path
                 (lambda* (#:key inputs outputs #:allow-other-keys)
                   (let ((get-python-version
                          ;; FIXME: copied from python-build-system
                          ;; Takes the trailing "-"-separated component of
                          ;; the python input's store path as its version
                          ;; and keeps the first two dot-separated parts.
                          (lambda (python)
                            (let* ((version (last (string-split python #\-)))
                                   (components (string-split version #\.))
                                   (major+minor (take components 2)))
                              (string-join major+minor ".")))))
                     ;; Relies on the input label "python" below.
                     (substitute* "src/sepolgen/Makefile"
                       (("^PACKAGEDIR.*")
                        (string-append "PACKAGEDIR="
                                       (assoc-ref outputs "out")
                                       "/lib/python"
                                       (get-python-version
                                        (assoc-ref inputs "python"))
                                       "/site-packages/sepolgen")))
                     ;; Install the shared data under the output instead of
                     ;; a DESTDIR-relative path.
                     (substitute* "src/share/Makefile"
                       (("\\$\\(DESTDIR\\)") (assoc-ref outputs "out")))))))))))
    ;; Keep the "python" label: fix-target-path looks it up by name.
    (inputs
     `(("python" ,python-wrapper)))
    ;; Drops libsepol's flex; nothing here needs it.
    (native-inputs '())
    (synopsis "Python module for generating SELinux policies")
    (description
     "This package contains a Python module that forms the core of
@code{audit2allow}, a part of the package @code{policycoreutils}. The
sepolgen library contains: Reference Policy Representation, which are Objects
for representing policies and the reference policy interfaces. It has objects
and algorithms for representing access and sets of access in an abstract way
and searching that access. It also has a parser for reference policy
\"headers\". It contains infrastructure for parsing SELinux related messages
as produced by the audit system. It has facilities for generating policy
based on required access.")
    ;; GPLv2 only
    (license license:gpl2)))
311
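(define-public python-setools
  (package
    (name "python-setools")
    (version "4.1.1")
    ;; Pinned by tag plus sha256; the hash is what guarantees the contents.
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/TresysTechnology/setools")
                    (commit version)))
              (file-name (string-append name "-" version "-checkout"))
              (sha256
               (base32
                "0459xxly6zzqc5azcwk3rbbcxvj60dq08f8z6xr05y7dsbb16cg6"))))
    (build-system python-build-system)
    ;; This package does not inherit from libsepol, so its phases are
    ;; python-build-system's %standard-phases; there is no 'portability
    ;; phase here to delete.  Phase return values are not checked, matching
    ;; the other phases in this file.
    (arguments
     `(#:tests? #f ; the test target causes a rebuild
       #:phases
       (modify-phases %standard-phases
         ;; SEPOL is read by setup.py (presumably to locate the static
         ;; libsepol archive to link against -- confirm upstream).
         (add-after 'unpack 'set-SEPOL-variable
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "SEPOL"
                     (search-input-file inputs "/lib/libsepol.a"))))
         ;; Don't let compiler warnings fail the extension build.
         (add-after 'unpack 'remove-Werror
           (lambda _
             (substitute* "setup.py"
               (("'-Werror',") ""))))
         ;; setup.py computes install paths from sys.prefix, which is the
         ;; Python input, not this package's output.
         (add-after 'unpack 'fix-target-paths
           (lambda* (#:key outputs #:allow-other-keys)
             (substitute* "setup.py"
               (("join\\(sys.prefix")
                (string-append "join(\"" (assoc-ref outputs "out") "/\""))))))))
    (propagated-inputs
     (list python-networkx))
    (inputs
     (list libsepol libselinux))
    (native-inputs
     (list bison flex swig))
    (home-page "https://github.com/TresysTechnology/setools")
    (synopsis "Tools for SELinux policy analysis")
    (description "SETools is a collection of graphical tools, command-line
tools, and libraries designed to facilitate SELinux policy analysis.")
    ;; Some programs are under GPL, all libraries under LGPL.
    (license (list license:lgpl2.1+
                   license:gpl2+))))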
359
(define-public policycoreutils
  (package/inherit libsepol
    (name "policycoreutils")
    ;; The arguments replace libsepol's entirely: no #:tests? #f, so the
    ;; "test" target runs, and the phases start from %standard-phases
    ;; (there is no 'portability phase here).
    (arguments
     `(#:test-target "test"
       #:make-flags
       (let ((out (assoc-ref %outputs "out")))
         (list (string-append "CC=" ,(cc-for-target))
               (string-append "PREFIX=" out)
               (string-append "LOCALEDIR=" out "/share/locale")
               (string-append "BASHCOMPLETIONDIR=" out
                              "/share/bash-completion/completions")
               "INSTALL=install -c -p"
               "INSTALL_DIR=install -d"
               ;; These ones are needed because some Makefiles define the
               ;; directories relative to DESTDIR, not relative to PREFIX.
               ;; Everything, including ETCDIR and SELINUXDIR, lands under
               ;; the output rather than in the system's /etc.
               (string-append "SBINDIR=" out "/sbin")
               (string-append "ETCDIR=" out "/etc")
               (string-append "SYSCONFDIR=" out "/etc/sysconfig")
               (string-append "MAN5DIR=" out "/share/man/man5")
               (string-append "INSTALL_NLS_DIR=" out "/share/locale")
               (string-append "AUTOSTARTDIR=" out "/etc/xdg/autostart")
               (string-append "DBUSSERVICEDIR=" out "/share/dbus-1/services")
               (string-append "SYSTEMDDIR=" out "/lib/systemd")
               (string-append "INITDIR=" out "/etc/rc.d/init.d")
               (string-append "SELINUXDIR=" out "/etc/selinux")))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)
         ;; NAME is "policycoreutils", the component's sub-directory.
         (add-after 'unpack 'enter-dir
           (lambda _ (chdir ,name)))
         ;; These Makefiles look for PAM and audit headers under /usr.
         ;; Redirect each lookup to the header of the matching input.
         ;; NOTE(review): newrole and run_init are privilege-changing tools
         ;; upstream; store files are never setuid, so any such bit would
         ;; have to be granted by a system service -- confirm.
         (add-after 'enter-dir 'ignore-/usr-tests
           (lambda* (#:key inputs #:allow-other-keys)
             ;; Rewrite lookup paths for header files.
             (substitute* '("newrole/Makefile"
                            "setfiles/Makefile"
                            "run_init/Makefile")
               (("/usr(/include/security/pam_appl.h)" _ file)
                (search-input-file inputs file))
               (("/usr(/include/libaudit.h)" _ file)
                (search-input-file inputs file))))))))
    (inputs
     `(("audit" ,audit)
       ("pam" ,linux-pam)
       ("libsepol" ,libsepol)
       ("libselinux" ,libselinux)
       ("libsemanage" ,libsemanage)))
    (native-inputs
     `(("gettext" ,gettext-minimal)))
    (synopsis "SELinux core utilities")
    (description "The policycoreutils package contains the core utilities that
are required for the basic operation of an SELinux-enabled GNU system and its
policies. These utilities include @code{load_policy} to load policies,
@code{setfiles} to label file systems, @code{newrole} to switch roles, and
@code{run_init} to run service scripts in their proper context.")
    (license license:gpl2+)))