f269ad25 | 1 | ;;; GNU Guix --- Functional package management for GNU |
ca56021c | 2 | ;;; Copyright © 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net> |
bb6c3d23 | 3 | ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr> |
7981c0be | 4 | ;;; Copyright © 2019, 2020 Marius Bakke <mbakke@fastmail.com> |
5 | ;;; |
6 | ;;; This file is part of GNU Guix. | |
7 | ;;; | |
8 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
9 | ;;; under the terms of the GNU General Public License as published by | |
10 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
11 | ;;; your option) any later version. | |
12 | ;;; | |
13 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
14 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | ;;; GNU General Public License for more details. | |
17 | ;;; | |
18 | ;;; You should have received a copy of the GNU General Public License | |
19 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
20 | ||
21 | (define-module (gnu packages selinux) | |
22 | #:use-module ((guix licenses) #:prefix license:) | |
23 | #:use-module (guix packages) | |
24 | #:use-module (guix download) | |
ca56021c | 25 | #:use-module (guix git-download) |
26 | #:use-module (guix utils) |
27 | #:use-module (guix build-system gnu) | |
4724d729 | 28 | #:use-module (guix build-system python) |
f269ad25 | 29 | #:use-module (gnu packages) |
32be6601 | 30 | #:use-module (gnu packages admin) |
66af08fb | 31 | #:use-module (gnu packages bison) |
c837027d | 32 | #:use-module (gnu packages docbook) |
4724d729 | 33 | #:use-module (gnu packages flex) |
34 | #:use-module (gnu packages gettext) |
35 | #:use-module (gnu packages glib) | |
36 | #:use-module (gnu packages linux) | |
37 | #:use-module (gnu packages networking) | |
38 | #:use-module (gnu packages pcre) |
39 | #:use-module (gnu packages pkg-config) | |
40 | #:use-module (gnu packages python) | |
44d10b1f | 41 | #:use-module (gnu packages python-xyz) |
32be6601 | 42 | #:use-module (gnu packages swig) |
c837027d | 43 | #:use-module (gnu packages xml)) |
44 | |
45 | ;; Update the SELinux packages together! | |
46 | ||
(define-public libsepol
  (package
    (name "libsepol")
    (version "3.0")
    ;; Upstream tags releases by date.  The tag only selects the checkout;
    ;; its contents are fixed by the sha256 below, so a tag that moves makes
    ;; the build fail instead of being picked up silently.
    (source (let ((release "20191204"))
              (origin
                (method git-fetch)
                (uri (git-reference
                      (url "https://github.com/SELinuxProject/selinux.git")
                      (commit release)))
                (file-name (string-append "selinux-" release "-checkout"))
                (sha256
                 (base32
                  "05rpzm72cgprd0ccr6lvx9hm8j8b5nkqi4avshlsyg7s3sdlcxjs")))))
    (build-system gnu-build-system)
    (arguments
     `(#:tests? #f                      ; tests require checkpolicy, which requires libsepol
       #:test-target "test"
       #:make-flags
       (let* ((out (assoc-ref %outputs "out"))
              (target ,(%current-target-system))
              ;; "VAR=<out><suffix>" for the install directories below.
              (under-out (lambda (var suffix)
                           (string-append var "=" out suffix))))
         (list (string-append "PREFIX=" out)
               (under-out "SHLIBDIR" "/lib")
               (under-out "MAN3DIR" "/share/man/man3")
               (under-out "MAN5DIR" "/share/man/man5")
               (under-out "MAN8DIR" "/share/man/man8")
               ;; Bake the library directory into the binaries' RUNPATH.
               (string-append "LDFLAGS=-Wl,-rpath=" out "/lib")
               ;; Use the cross compiler when cross-building, plain gcc
               ;; otherwise.
               (string-append "CC="
                              (if target
                                  (string-append (assoc-ref %build-inputs "cross-gcc")
                                                 "/bin/" target "-gcc")
                                  "gcc"))))
       #:phases
       (modify-phases %standard-phases
         ;; Plain Makefiles: there is no configure script to run.
         (delete 'configure)
         ;; Every SELinux component lives in the same upstream checkout; the
         ;; package name doubles as the subdirectory to build.
         (add-after 'unpack 'enter-dir
           (lambda _ (chdir ,name) #t))
         ;; Replace the non-portable "%#lx" format in src/ibpkeys.c with the
         ;; PRIx64 macro, pulling in <inttypes.h> for it.
         (add-after 'enter-dir 'portability
           (lambda _
             (substitute* "src/ibpkeys.c"
               (("#include \"ibpkey_internal.h\"" line)
                (string-append line "\n#include <inttypes.h>\n"))
               (("%#lx") "%#\" PRIx64 \""))
             #t)))))
    (native-inputs
     `(("flex" ,flex)))
    (home-page "https://selinuxproject.org/")
    (synopsis "Library for manipulating SELinux policies")
    (description
     "The libsepol library provides an API for the manipulation of SELinux
binary policies. It is used by @code{checkpolicy} (the policy compiler) and
similar tools, and programs such as @code{load_policy}, which must perform
specific transformations on binary policies (for example, customizing policy
boolean settings).")
    (license license:lgpl2.1+)))
102 | |
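(define-public checkpolicy
  (package (inherit libsepol)
    (name "checkpolicy")
    ;; The arguments are written from scratch rather than derived from
    ;; libsepol's, so the phase list starts from the plain gnu-build-system
    ;; %standard-phases.  libsepol's 'portability phase is therefore never
    ;; present here and needs no deletion.
    (arguments
     `(#:tests? #f                      ; there is no check target
       #:make-flags
       (let ((out (assoc-ref %outputs "out"))
             (target ,(%current-target-system)))
         (list (string-append "PREFIX=" out)
               ;; Link against libsepol's static archive.
               (string-append "LIBSEPOLA="
                              (assoc-ref %build-inputs "libsepol")
                              "/lib/libsepol.a")
               ;; Use the cross compiler when cross-building, plain gcc
               ;; otherwise (same selection as libsepol).
               (string-append "CC="
                              (if target
                                  (string-append (assoc-ref %build-inputs "cross-gcc")
                                                 "/bin/" target "-gcc")
                                  "gcc"))))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)
         ;; Build only this component's subdirectory of the shared checkout.
         (add-after 'unpack 'enter-dir
           (lambda _ (chdir ,name) #t)))))
    (inputs
     `(("libsepol" ,libsepol)))
    (native-inputs
     `(("bison" ,bison)
       ("flex" ,flex)))
    (synopsis "Check SELinux security policy configurations and modules")
    (description
     "This package provides the tools \"checkpolicy\" and \"checkmodule\".
Checkpolicy is a program that checks and compiles a SELinux security policy
configuration into a binary representation that can be loaded into the kernel.
Checkmodule is a program that checks and compiles a SELinux security policy
module into a binary representation.")
    ;; GPLv2 only
    (license license:gpl2)))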
140 | |
(define-public libselinux
  (package (inherit libsepol)
    (name "libselinux")
    ;; The Python bindings go to a separate output.
    (outputs '("out" "python"))
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        `(let ((sepol-archive (string-append (assoc-ref %build-inputs "libsepol")
                                             "/lib/libsepol.a"))
               ;; Major.minor of the Python input, resolved on the host side.
               (site-packages (string-append (assoc-ref %outputs "python")
                                             "/lib/python"
                                             ,(version-major+minor
                                               (package-version python))
                                             "/site-packages/")))
           (cons* "PYTHON=python3"
                  (string-append "LIBSEPOLA=" sepol-archive)
                  (string-append "PYTHONLIBDIR=" site-packages)
                  ,flags)))
       ((#:phases phases)
        `(modify-phases ,phases
           ;; Drop libsepol's src/ibpkeys.c edit, inherited with its phases.
           (delete 'portability)
           (replace 'enter-dir
             (lambda _ (chdir ,name) #t))
           ;; The Python bindings are a separate make target.
           (add-after 'build 'pywrap
             (lambda* (#:key make-flags #:allow-other-keys)
               (apply invoke "make" "pywrap" make-flags)))
           (add-after 'install 'install-pywrap
             (lambda* (#:key make-flags outputs #:allow-other-keys)
               (let ((python-out (assoc-ref outputs "python")))
                 ;; The build system uses "python setup.py install" to install
                 ;; Python bindings. Instruct it to use the correct output.
                 (substitute* "src/Makefile"
                   (("--prefix=\\$\\(PREFIX\\)")
                    (string-append "--prefix=" python-out)))
                 (apply invoke "make" "install-pywrap" make-flags))))))))
    ;; These libraries are in "Requires.private" in libselinux.pc.
    (propagated-inputs
     `(("libsepol" ,libsepol)
       ("pcre" ,pcre)))
    ;; For pywrap phase
    (inputs
     `(("python" ,python-wrapper)))
    ;; These inputs are only needed for the pywrap phase.
    (native-inputs
     `(("swig" ,swig)
       ("pkg-config" ,pkg-config)))
    (synopsis "SELinux core libraries and utilities")
    (description
     "The libselinux library provides an API for SELinux applications to get
and set process and file security contexts, and to obtain security policy
decisions. It is required for any applications that use the SELinux API, and
used by all applications that are SELinux-aware. This package also includes
the core SELinux management utilities.")
    (license license:public-domain)))
194 | |
(define-public libsemanage
  (package (inherit libsepol)
    (name "libsemanage")
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        ;; Unlike libselinux, the Python bindings share the main output.
        `(let ((site-packages (string-append (assoc-ref %outputs "out")
                                             "/lib/python"
                                             ,(version-major+minor
                                               (package-version python))
                                             "/site-packages/")))
           (cons* "PYTHON=python3"
                  (string-append "PYTHONLIBDIR=" site-packages)
                  ,flags)))
       ((#:phases phases)
        `(modify-phases ,phases
           ;; Drop libsepol's src/ibpkeys.c edit, inherited with its phases.
           (delete 'portability)
           (replace 'enter-dir
             (lambda _ (chdir ,name) #t))
           ;; The default location for semanage.conf is /etc; keep it under
           ;; the install prefix instead.
           (add-before 'install 'adjust-semanage-conf-location
             (lambda _
               (substitute* "src/Makefile"
                 (("DEFAULT_SEMANAGE_CONF_LOCATION=/etc")
                  "DEFAULT_SEMANAGE_CONF_LOCATION=$(PREFIX)/etc"))
               #t))
           ;; The Python bindings are a separate make target.
           (add-after 'build 'pywrap
             (lambda* (#:key make-flags #:allow-other-keys)
               (apply invoke "make" "pywrap" make-flags)))
           (add-after 'install 'install-pywrap
             (lambda* (#:key make-flags #:allow-other-keys)
               (apply invoke "make" "install-pywrap" make-flags)))))))
    (inputs
     `(("libsepol" ,libsepol)
       ("libselinux" ,libselinux)
       ("audit" ,audit)
       ;; For pywrap phase
       ("python" ,python-wrapper)))
    (native-inputs
     `(("bison" ,bison)
       ("flex" ,flex)
       ;; For pywrap phase
       ("swig" ,swig)
       ("pkg-config" ,pkg-config)))
    (synopsis "SELinux policy management libraries")
    (description
     "The libsemanage library provides an API for the manipulation of SELinux
binary policies.")
    (license license:lgpl2.1+)))
242 | |
(define-public secilc
  (package (inherit libsepol)
    (name "secilc")
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:make-flags flags)
        ;; Point xmlto at the DocBook manpage stylesheet explicitly; the
        ;; stylesheet path embeds docbook-xsl's version, resolved on the
        ;; host side.
        `(let* ((xsl-root (assoc-ref %build-inputs "docbook-xsl"))
                (stylesheet (string-append xsl-root
                                           "/xml/xsl/docbook-xsl-"
                                           ,(package-version docbook-xsl)
                                           "/manpages/docbook.xsl")))
           (cons (string-append "XMLTO=xmlto --skip-validation -x " stylesheet)
                 ,flags)))
       ((#:phases phases)
        `(modify-phases ,phases
           ;; Drop libsepol's src/ibpkeys.c edit, inherited with its phases.
           (delete 'portability)
           (replace 'enter-dir
             (lambda _ (chdir ,name) #t))))))
    (inputs
     `(("libsepol" ,libsepol)))
    (native-inputs
     `(("xmlto" ,xmlto)
       ("docbook-xsl" ,docbook-xsl)))
    (synopsis "SELinux common intermediate language (CIL) compiler")
    (description "The SELinux CIL compiler is a compiler that converts the
@dfn{common intermediate language} (CIL) into a kernel binary policy file.")
    (license license:bsd-2)))
269 | |
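(define-public python-sepolgen
  (package (inherit libsepol)
    (name "python-sepolgen")
    ;; The Python major.minor version is taken from the package on the host
    ;; side, as libselinux and libsemanage do, instead of being parsed out of
    ;; the input's store path at build time.  This relies on python-wrapper
    ;; carrying python's version, the same assumption those packages make.
    ;; Without the parser there is no need for srfi-1 in #:modules, so the
    ;; default build-side modules suffice.
    (arguments
     (substitute-keyword-arguments (package-arguments libsepol)
       ((#:phases phases)
        `(modify-phases ,phases
           ;; Drop libsepol's src/ibpkeys.c edit, inherited with its phases.
           (delete 'portability)
           (replace 'enter-dir
             (lambda _ (chdir "python/sepolgen") #t))
           ;; By default all Python files would be installed to
           ;; $out/gnu/store/...-python-.../, so we override the
           ;; PACKAGEDIR to fix this.
           (add-after 'enter-dir 'fix-target-path
             (lambda* (#:key outputs #:allow-other-keys)
               (let ((out (assoc-ref outputs "out")))
                 (substitute* "src/sepolgen/Makefile"
                   (("^PACKAGEDIR.*")
                    (string-append "PACKAGEDIR=" out
                                   "/lib/python"
                                   ,(version-major+minor (package-version python))
                                   "/site-packages/sepolgen")))
                 ;; The share/ Makefile installs relative to DESTDIR.
                 (substitute* "src/share/Makefile"
                   (("\\$\\(DESTDIR\\)") out)))
               #t))))))
    (inputs
     `(("python" ,python-wrapper)))
    (native-inputs '())
    (synopsis "Python module for generating SELinux policies")
    (description
     "This package contains a Python module that forms the core of
@code{audit2allow}, a part of the package @code{policycoreutils}. The
sepolgen library contains: Reference Policy Representation, which are Objects
for representing policies and the reference policy interfaces. It has objects
and algorithms for representing access and sets of access in an abstract way
and searching that access. It also has a parser for reference policy
\"headers\". It contains infrastructure for parsing SELinux related messages
as produced by the audit system. It has facilities for generating policy
based on required access.")
    ;; GPLv2 only
    (license license:gpl2)))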
41da8dbe | 322 | |
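(define-public python-setools
  (package
    (name "python-setools")
    (version "4.1.1")
    ;; The tag only selects the checkout; its contents are fixed by the
    ;; sha256 below.
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/TresysTechnology/setools.git")
                    (commit version)))
              (file-name (string-append name "-" version "-checkout"))
              (sha256
               (base32
                "0459xxly6zzqc5azcwk3rbbcxvj60dq08f8z6xr05y7dsbb16cg6"))))
    (build-system python-build-system)
    ;; This package does not inherit from libsepol: its phases start from
    ;; python-build-system's %standard-phases, which has no 'portability
    ;; phase, so there is nothing of libsepol's to delete.
    (arguments
     `(#:tests? #f                      ; the test target causes a rebuild
       #:phases
       (modify-phases %standard-phases
         ;; Export the path of libsepol's static archive as SEPOL for the
         ;; build.  Returns #t like the other phases.
         (add-after 'unpack 'set-SEPOL-variable
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "SEPOL"
                     (string-append (assoc-ref inputs "libsepol")
                                    "/lib/libsepol.a"))
             #t))
         ;; Do not let compiler warnings fail the extension build.
         (add-after 'unpack 'remove-Werror
           (lambda _
             (substitute* "setup.py"
               (("'-Werror',") ""))
             #t))
         ;; setup.py derives install paths from sys.prefix; make them point
         ;; at this package's output instead.
         (add-after 'unpack 'fix-target-paths
           (lambda* (#:key outputs #:allow-other-keys)
             (substitute* "setup.py"
               (("join\\(sys.prefix")
                (string-append "join(\"" (assoc-ref outputs "out") "/\"")))
             #t)))))
    (propagated-inputs
     `(("python-networkx" ,python-networkx)))
    (inputs
     `(("libsepol" ,libsepol)
       ("libselinux" ,libselinux)))
    (native-inputs
     `(("bison" ,bison)
       ("flex" ,flex)
       ("swig" ,swig)))
    (home-page "https://github.com/TresysTechnology/setools")
    (synopsis "Tools for SELinux policy analysis")
    (description "SETools is a collection of graphical tools, command-line
tools, and libraries designed to facilitate SELinux policy analysis.")
    ;; Some programs are under GPL, all libraries under LGPL.
    (license (list license:lgpl2.1+
                   license:gpl2+))))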
374 | |
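(define-public policycoreutils
  (package (inherit libsepol)
    (name "policycoreutils")
    ;; The arguments below do not derive from libsepol's, so the phase list
    ;; starts from the plain gnu-build-system %standard-phases, which has no
    ;; 'portability phase to delete.  Tests stay enabled via "test".
    (arguments
     `(#:test-target "test"
       #:make-flags
       (let ((out (assoc-ref %outputs "out"))
             (target ,(%current-target-system)))
         (list
          ;; Same compiler selection as libsepol and checkpolicy: the cross
          ;; compiler when cross-building, plain gcc otherwise.
          (string-append "CC="
                         (if target
                             (string-append (assoc-ref %build-inputs "cross-gcc")
                                            "/bin/" target "-gcc")
                             "gcc"))
          (string-append "PREFIX=" out)
          (string-append "LOCALEDIR=" out "/share/locale")
          (string-append "BASHCOMPLETIONDIR=" out
                         "/share/bash-completion/completions")
          "INSTALL=install -c -p"
          "INSTALL_DIR=install -d"
          ;; These ones are needed because some Makefiles define the
          ;; directories relative to DESTDIR, not relative to PREFIX.
          (string-append "SBINDIR=" out "/sbin")
          (string-append "ETCDIR=" out "/etc")
          (string-append "SYSCONFDIR=" out "/etc/sysconfig")
          (string-append "MAN5DIR=" out "/share/man/man5")
          (string-append "INSTALL_NLS_DIR=" out "/share/locale")
          (string-append "AUTOSTARTDIR=" out "/etc/xdg/autostart")
          (string-append "DBUSSERVICEDIR=" out "/share/dbus-1/services")
          (string-append "SYSTEMDDIR=" out "/lib/systemd")
          (string-append "INITDIR=" out "/etc/rc.d/init.d")
          (string-append "SELINUXDIR=" out "/etc/selinux")))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)
         ;; Build only this component's subdirectory of the shared checkout.
         (add-after 'unpack 'enter-dir
           (lambda _ (chdir ,name) #t))
         ;; These Makefiles look for PAM and audit headers under /usr;
         ;; redirect them to the corresponding inputs.
         (add-after 'enter-dir 'ignore-/usr-tests
           (lambda* (#:key inputs #:allow-other-keys)
             ;; Rewrite lookup paths for header files.
             (substitute* '("newrole/Makefile"
                            "setfiles/Makefile"
                            "run_init/Makefile")
               (("/usr(/include/security/pam_appl.h)" _ file)
                (string-append (assoc-ref inputs "pam") file))
               (("/usr(/include/libaudit.h)" _ file)
                (string-append (assoc-ref inputs "audit") file)))
             #t)))))
    (inputs
     `(("audit" ,audit)
       ("pam" ,linux-pam)
       ("libsepol" ,libsepol)
       ("libselinux" ,libselinux)
       ("libsemanage" ,libsemanage)))
    (native-inputs
     `(("gettext" ,gettext-minimal)))
    (synopsis "SELinux core utilities")
    (description "The policycoreutils package contains the core utilities that
are required for the basic operation of an SELinux-enabled GNU system and its
policies. These utilities include @code{load_policy} to load policies,
@code{setfiles} to label file systems, @code{newrole} to switch roles, and
@code{run_init} to run service scripts in their proper context.")
    (license license:gpl2+)))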