1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
3 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
4 ;;; Copyright © 2019, 2020 Marius Bakke <mbakke@fastmail.com>
5 ;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
6 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
8 ;;; This file is part of GNU Guix.
10 ;;; GNU Guix is free software; you can redistribute it and/or modify it
11 ;;; under the terms of the GNU General Public License as published by
12 ;;; the Free Software Foundation; either version 3 of the License, or (at
13 ;;; your option) any later version.
15 ;;; GNU Guix is distributed in the hope that it will be useful, but
16 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;;; GNU General Public License for more details.
20 ;;; You should have received a copy of the GNU General Public License
21 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
23 (define-module (gnu packages selinux)
24 #:use-module ((guix licenses) #:prefix license:)
25 #:use-module (guix packages)
26 #:use-module (guix download)
27 #:use-module (guix git-download)
28 #:use-module (guix utils)
29 #:use-module (guix build-system gnu)
30 #:use-module (guix build-system python)
31 #:use-module (gnu packages)
32 #:use-module (gnu packages admin)
33 #:use-module (gnu packages bison)
34 #:use-module (gnu packages docbook)
35 #:use-module (gnu packages flex)
36 #:use-module (gnu packages gettext)
37 #:use-module (gnu packages glib)
38 #:use-module (gnu packages linux)
39 #:use-module (gnu packages networking)
40 #:use-module (gnu packages pcre)
41 #:use-module (gnu packages pkg-config)
42 #:use-module (gnu packages python)
43 #:use-module (gnu packages python-xyz)
44 #:use-module (gnu packages swig)
45 #:use-module (gnu packages xml))
47 ;; Update the SELinux packages together!
49 (define-public libsepol
56 (url "https://github.com/SELinuxProject/selinux")
58 (file-name (git-file-name "selinux" version))
61 "03p3lmvrvkcvsmiczsjzhyfgxlxdkdyq0p8igv3s3hdak5n92jjn"))))
62 (build-system gnu-build-system)
64 `(#:tests? #f ; tests require checkpolicy, which requires libsepol
67 (let ((out (assoc-ref %outputs "out")))
68 (list (string-append "PREFIX=" out)
69 (string-append "SHLIBDIR=" out "/lib")
70 (string-append "MAN3DIR=" out "/share/man/man3")
71 (string-append "MAN5DIR=" out "/share/man/man5")
72 (string-append "MAN8DIR=" out "/share/man/man8")
73 (string-append "CFLAGS=-Wno-error")
74 (string-append "LDFLAGS=-Wl,-rpath=" out "/lib")
75 (string-append "CC=" ,(cc-for-target))))
77 (modify-phases %standard-phases
79 (add-after 'unpack 'enter-dir
80 (lambda _ (chdir ,name)))
81 (add-after 'enter-dir 'portability
83 (substitute* "src/ibpkeys.c"
84 (("#include \"ibpkey_internal.h\"" line)
85 (string-append line "\n#include <inttypes.h>\n"))
86 (("%#lx") "%#\" PRIx64 \"")))))))
89 (home-page "https://selinuxproject.org/")
90 (synopsis "Library for manipulating SELinux policies")
92 "The libsepol library provides an API for the manipulation of SELinux
93 binary policies. It is used by @code{checkpolicy} (the policy compiler) and
94 similar tools, and programs such as @code{load_policy}, which must perform
95 specific transformations on binary policies (for example, customizing policy
97 (license license:lgpl2.1+)))
99 (define-public checkpolicy
100 (package/inherit libsepol
103 `(#:tests? #f ; there is no check target
105 (let ((out (assoc-ref %outputs "out")))
106 (list (string-append "PREFIX=" out)
107 (string-append "LIBSEPOLA="
108 (assoc-ref %build-inputs "libsepol")
110 (string-append "CC=" ,(cc-for-target))))
112 (modify-phases %standard-phases
114 (delete 'portability)
115 (add-after 'unpack 'enter-dir
116 (lambda _ (chdir ,name))))))
118 `(("libsepol" ,libsepol)))
122 (synopsis "Check SELinux security policy configurations and modules")
124 "This package provides the tools \"checkpolicy\" and \"checkmodule\".
125 Checkpolicy is a program that checks and compiles a SELinux security policy
126 configuration into a binary representation that can be loaded into the kernel.
127 Checkmodule is a program that checks and compiles a SELinux security policy
128 module into a binary representation.")
130 (license license:gpl2)))
132 (define-public libselinux
133 (package/inherit libsepol
135 (outputs '("out" "python"))
137 (substitute-keyword-arguments (package-arguments libsepol)
138 ((#:make-flags flags)
139 `(cons* "PYTHON=python3"
140 (string-append "LIBSEPOLA="
141 (assoc-ref %build-inputs "libsepol")
143 (string-append "PYTHONLIBDIR="
144 (assoc-ref %outputs "python")
146 ,(version-major+minor (package-version python))
150 `(modify-phases ,phases
151 (delete 'portability)
153 (lambda _ (chdir ,name)))
154 (add-after 'build 'pywrap
155 (lambda* (#:key make-flags #:allow-other-keys)
156 (apply invoke "make" "pywrap" make-flags)))
157 (add-after 'install 'install-pywrap
158 (lambda* (#:key make-flags outputs #:allow-other-keys)
159 ;; The build system uses "python setup.py install" to install
160 ;; Python bindings. Instruct it to use the correct output.
161 (substitute* "src/Makefile"
162 (("--prefix=\\$\\(PREFIX\\)")
163 (string-append "--prefix=" (assoc-ref outputs "python"))))
165 (apply invoke "make" "install-pywrap" make-flags)))))))
166 ;; These libraries are in "Requires.private" in libselinux.pc.
168 `(("libsepol" ,libsepol)
172 `(("python" ,python-wrapper)))
173 ;; These inputs are only needed for the pywrap phase.
176 ("pkg-config" ,pkg-config)))
177 (synopsis "SELinux core libraries and utilities")
179 "The libselinux library provides an API for SELinux applications to get
180 and set process and file security contexts, and to obtain security policy
181 decisions. It is required for any applications that use the SELinux API, and
182 used by all applications that are SELinux-aware. This package also includes
183 the core SELinux management utilities.")
184 (license license:public-domain)))
186 (define-public libsemanage
187 (package/inherit libsepol
190 (substitute-keyword-arguments (package-arguments libsepol)
191 ((#:make-flags flags)
192 `(cons* "PYTHON=python3"
193 (string-append "PYTHONLIBDIR="
194 (assoc-ref %outputs "out")
196 ,(version-major+minor (package-version python))
200 `(modify-phases ,phases
201 (delete 'portability)
203 (lambda _ (chdir ,name)))
204 (add-before 'install 'adjust-semanage-conf-location
206 (substitute* "src/Makefile"
207 (("DEFAULT_SEMANAGE_CONF_LOCATION=/etc")
208 "DEFAULT_SEMANAGE_CONF_LOCATION=$(PREFIX)/etc"))))
209 (add-after 'build 'pywrap
210 (lambda* (#:key make-flags #:allow-other-keys)
211 (apply invoke "make" "pywrap" make-flags)))
212 (add-after 'install 'install-pywrap
213 (lambda* (#:key make-flags #:allow-other-keys)
214 (apply invoke "make" "install-pywrap" make-flags)))))))
216 `(("libsepol" ,libsepol)
217 ("libselinux" ,libselinux)
220 ("python" ,python-wrapper)))
226 ("pkg-config" ,pkg-config)))
227 (synopsis "SELinux policy management libraries")
229 "The libsemanage library provides an API for the manipulation of SELinux
231 (license license:lgpl2.1+)))
233 (define-public secilc
234 (package/inherit libsepol
237 (substitute-keyword-arguments (package-arguments libsepol)
238 ((#:make-flags flags)
239 `(let ((docbook (assoc-ref %build-inputs "docbook-xsl")))
240 (cons (string-append "XMLTO=xmlto --skip-validation -x "
241 docbook "/xml/xsl/docbook-xsl-"
242 ,(package-version docbook-xsl)
243 "/manpages/docbook.xsl")
246 `(modify-phases ,phases
247 (delete 'portability)
249 (lambda _ (chdir ,name)))))))
251 `(("libsepol" ,libsepol)))
254 ("docbook-xsl" ,docbook-xsl)))
255 (synopsis "SELinux common intermediate language (CIL) compiler")
256 (description "The SELinux CIL compiler is a compiler that converts the
257 @dfn{common intermediate language} (CIL) into a kernel binary policy file.")
258 (license license:bsd-2)))
260 (define-public python-sepolgen
261 (package/inherit libsepol
262 (name "python-sepolgen")
264 `(#:modules ((srfi srfi-1)
265 (guix build gnu-build-system)
267 ,@(substitute-keyword-arguments (package-arguments libsepol)
269 `(modify-phases ,phases
270 (delete 'portability)
272 (lambda _ (chdir "python/sepolgen")))
273 ;; By default all Python files would be installed to
274 ;; $out/gnu/store/...-python-.../, so we override the
275 ;; PACKAGEDIR to fix this.
276 (add-after 'enter-dir 'fix-target-path
277 (lambda* (#:key inputs outputs #:allow-other-keys)
278 (let ((get-python-version
279 ;; FIXME: copied from python-build-system
281 (let* ((version (last (string-split python #\-)))
282 (components (string-split version #\.))
283 (major+minor (take components 2)))
284 (string-join major+minor ".")))))
285 (substitute* "src/sepolgen/Makefile"
287 (string-append "PACKAGEDIR="
288 (assoc-ref outputs "out")
291 (assoc-ref inputs "python"))
292 "/site-packages/sepolgen")))
293 (substitute* "src/share/Makefile"
294 (("\\$\\(DESTDIR\\)") (assoc-ref outputs "out")))))))))))
296 `(("python" ,python-wrapper)))
298 (synopsis "Python module for generating SELinux policies")
300 "This package contains a Python module that forms the core of
301 @code{audit2allow}, a part of the package @code{policycoreutils}. The
302 sepolgen library contains: Reference Policy Representation, which are Objects
303 for representing policies and the reference policy interfaces. It has objects
304 and algorithms for representing access and sets of access in an abstract way
305 and searching that access. It also has a parser for reference policy
306 \"headers\". It contains infrastructure for parsing SELinux related messages
307 as produced by the audit system. It has facilities for generating policy
308 based on required access.")
310 (license license:gpl2)))
312 (define-public python-setools
314 (name "python-setools")
319 (url "https://github.com/TresysTechnology/setools")
321 (file-name (string-append name "-" version "-checkout"))
324 "0459xxly6zzqc5azcwk3rbbcxvj60dq08f8z6xr05y7dsbb16cg6"))))
325 (build-system python-build-system)
327 `(#:tests? #f ; the test target causes a rebuild
329 (modify-phases %standard-phases
330 (delete 'portability)
331 (add-after 'unpack 'set-SEPOL-variable
332 (lambda* (#:key inputs #:allow-other-keys)
334 (search-input-file inputs "/lib/libsepol.a"))))
335 (add-after 'unpack 'remove-Werror
337 (substitute* "setup.py"
340 (add-after 'unpack 'fix-target-paths
341 (lambda* (#:key outputs #:allow-other-keys)
342 (substitute* "setup.py"
343 (("join\\(sys.prefix")
344 (string-append "join(\"" (assoc-ref outputs "out") "/\"")))
347 (list python-networkx))
349 (list libsepol libselinux))
351 (list bison flex swig))
352 (home-page "https://github.com/TresysTechnology/setools")
353 (synopsis "Tools for SELinux policy analysis")
354 (description "SETools is a collection of graphical tools, command-line
355 tools, and libraries designed to facilitate SELinux policy analysis.")
356 ;; Some programs are under GPL, all libraries under LGPL.
357 (license (list license:lgpl2.1+
360 (define-public policycoreutils
361 (package/inherit libsepol
362 (name "policycoreutils")
364 `(#:test-target "test"
366 (let ((out (assoc-ref %outputs "out")))
367 (list (string-append "CC=" ,(cc-for-target))
368 (string-append "PREFIX=" out)
369 (string-append "LOCALEDIR=" out "/share/locale")
370 (string-append "BASHCOMPLETIONDIR=" out
371 "/share/bash-completion/completions")
372 "INSTALL=install -c -p"
373 "INSTALL_DIR=install -d"
374 ;; These ones are needed because some Makefiles define the
375 ;; directories relative to DESTDIR, not relative to PREFIX.
376 (string-append "SBINDIR=" out "/sbin")
377 (string-append "ETCDIR=" out "/etc")
378 (string-append "SYSCONFDIR=" out "/etc/sysconfig")
379 (string-append "MAN5DIR=" out "/share/man/man5")
380 (string-append "INSTALL_NLS_DIR=" out "/share/locale")
381 (string-append "AUTOSTARTDIR=" out "/etc/xdg/autostart")
382 (string-append "DBUSSERVICEDIR=" out "/share/dbus-1/services")
383 (string-append "SYSTEMDDIR=" out "/lib/systemd")
384 (string-append "INITDIR=" out "/etc/rc.d/init.d")
385 (string-append "SELINUXDIR=" out "/etc/selinux")))
387 (modify-phases %standard-phases
389 (add-after 'unpack 'enter-dir
390 (lambda _ (chdir ,name)))
391 (add-after 'enter-dir 'ignore-/usr-tests
392 (lambda* (#:key inputs #:allow-other-keys)
393 ;; Rewrite lookup paths for header files.
394 (substitute* '("newrole/Makefile"
397 (("/usr(/include/security/pam_appl.h)" _ file)
398 (search-input-file inputs file))
399 (("/usr(/include/libaudit.h)" _ file)
400 (search-input-file inputs file))))))))
404 ("libsepol" ,libsepol)
405 ("libselinux" ,libselinux)
406 ("libsemanage" ,libsemanage)))
408 `(("gettext" ,gettext-minimal)))
409 (synopsis "SELinux core utilities")
410 (description "The policycoreutils package contains the core utilities that
411 are required for the basic operation of an SELinux-enabled GNU system and its
412 policies. These utilities include @code{load_policy} to load policies,
413 @code{setfiles} to label file systems, @code{newrole} to switch roles, and
414 @code{run_init} to run service scripts in their proper context.")
415 (license license:gpl2+)))