- ;;; GNU Guix --- Functional package management for GNU
- ;;; Copyright © 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
- ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
- ;;;
- ;;; This file is part of GNU Guix.
- ;;;
- ;;; GNU Guix is free software; you can redistribute it and/or modify it
- ;;; under the terms of the GNU General Public License as published by
- ;;; the Free Software Foundation; either version 3 of the License, or (at
- ;;; your option) any later version.
- ;;;
- ;;; GNU Guix is distributed in the hope that it will be useful, but
- ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
- ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- ;;; GNU General Public License for more details.
- ;;;
- ;;; You should have received a copy of the GNU General Public License
- ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
- (define-module (gnu packages selinux)
- #:use-module ((guix licenses) #:prefix license:)
- #:use-module (guix packages)
- #:use-module (guix download)
- #:use-module (guix git-download)
- #:use-module (guix utils)
- #:use-module (guix build-system gnu)
- #:use-module (guix build-system python)
- #:use-module (gnu packages)
- #:use-module (gnu packages admin)
- #:use-module (gnu packages bison)
- #:use-module (gnu packages docbook)
- #:use-module (gnu packages flex)
- #:use-module (gnu packages gettext)
- #:use-module (gnu packages glib)
- #:use-module (gnu packages linux)
- #:use-module (gnu packages networking)
- #:use-module (gnu packages pcre)
- #:use-module (gnu packages pkg-config)
- #:use-module (gnu packages python)
- #:use-module (gnu packages python-xyz)
- #:use-module (gnu packages swig)
- #:use-module (gnu packages textutils)
- #:use-module (gnu packages xml))
- ;; Update the SELinux packages together!
- (define-public libsepol
- (package
- (name "libsepol")
- (version "2.7")
- (source (let ((release "20170804"))
- (origin
- (method git-fetch)
- (uri (git-reference
- (url "https://github.com/SELinuxProject/selinux.git")
- (commit release)))
- (file-name (string-append "selinux-" release "-checkout"))
- (sha256
- (base32
- "1l1nn8bx08v4cxkw5kb0wgr61rfqj5ra9dh1dy5jslillj93vivq")))))
- (build-system gnu-build-system)
- (arguments
- `(#:tests? #f ; tests require checkpolicy, which requires libsepol
- #:test-target "test"
- #:make-flags
- (let ((out (assoc-ref %outputs "out")))
- (list (string-append "PREFIX=" out)
- (string-append "DESTDIR=" out)
- (string-append "MAN3DIR=" out "/share/man/man3")
- (string-append "MAN5DIR=" out "/share/man/man5")
- (string-append "MAN8DIR=" out "/share/man/man8")
- (string-append "LDFLAGS=-Wl,-rpath=" out "/lib")
- "CC=gcc"))
- #:phases
- (modify-phases %standard-phases
- (delete 'configure)
- (add-after 'unpack 'enter-dir
- (lambda _ (chdir ,name) #t))
- (add-after 'enter-dir 'portability
- (lambda _
- (substitute* "src/ibpkeys.c"
- (("#include \"ibpkey_internal.h\"" line)
- (string-append line "\n#include <inttypes.h>\n"))
- (("%#lx") "%#\" PRIx64 \""))
- #t)))))
- (native-inputs
- `(("flex" ,flex)))
- (home-page "https://selinuxproject.org/")
- (synopsis "Library for manipulating SELinux policies")
- (description
- "The libsepol library provides an API for the manipulation of SELinux
- binary policies. It is used by @code{checkpolicy} (the policy compiler) and
- similar tools, and programs such as @code{load_policy}, which must perform
- specific transformations on binary policies (for example, customizing policy
- boolean settings).")
- (license license:lgpl2.1+)))
- (define-public checkpolicy
- (package (inherit libsepol)
- (name "checkpolicy")
- (arguments
- `(#:tests? #f ; there is no check target
- #:make-flags
- (let ((out (assoc-ref %outputs "out")))
- (list (string-append "PREFIX=" out)
- (string-append "LIBSEPOLA="
- (assoc-ref %build-inputs "libsepol")
- "/lib/libsepol.a")
- "CC=gcc"))
- #:phases
- (modify-phases %standard-phases
- (delete 'configure)
- (delete 'portability)
- (add-after 'unpack 'enter-dir
- (lambda _ (chdir ,name) #t)))))
- (inputs
- `(("libsepol" ,libsepol)))
- (native-inputs
- `(("bison" ,bison)
- ("flex" ,flex)))
- (synopsis "Check SELinux security policy configurations and modules")
- (description
- "This package provides the tools \"checkpolicy\" and \"checkmodule\".
- Checkpolicy is a program that checks and compiles a SELinux security policy
- configuration into a binary representation that can be loaded into the kernel.
- Checkmodule is a program that checks and compiles a SELinux security policy
- module into a binary representation.")
- ;; GPLv2 only
- (license license:gpl2)))
- (define-public libselinux
- (package (inherit libsepol)
- (name "libselinux")
- (arguments
- (substitute-keyword-arguments (package-arguments libsepol)
- ((#:make-flags flags)
- `(cons* "PYTHON=python3"
- (string-append "LIBSEPOLA="
- (assoc-ref %build-inputs "libsepol")
- "/lib/libsepol.a")
- (string-append "PYSITEDIR="
- (assoc-ref %outputs "out")
- "/lib/python"
- ,(version-major+minor (package-version python))
- "/site-packages/")
- ,flags))
- ((#:phases phases)
- `(modify-phases ,phases
- (delete 'portability)
- (replace 'enter-dir
- (lambda _ (chdir ,name) #t))
- (add-after 'enter-dir 'remove-Werror
- (lambda _
- ;; GCC complains about the fact that the output does not (yet)
- ;; have an "include" directory, even though it is referenced.
- (substitute* '("src/Makefile"
- "utils/Makefile")
- (("-Werror ") ""))
- #t))
- (add-after 'build 'pywrap
- (lambda* (#:key make-flags #:allow-other-keys)
- (apply invoke "make" "pywrap" make-flags)))
- (add-after 'install 'install-pywrap
- (lambda* (#:key make-flags #:allow-other-keys)
- (apply invoke "make" "install-pywrap" make-flags)))))))
- ;; These libraries are in "Requires.private" in libselinux.pc.
- (propagated-inputs
- `(("libsepol" ,libsepol)
- ("pcre" ,pcre)))
- ;; For pywrap phase
- (inputs
- `(("python" ,python-wrapper)))
- ;; These inputs are only needed for the pywrap phase.
- (native-inputs
- `(("swig" ,swig)
- ("pkg-config" ,pkg-config)))
- (synopsis "SELinux core libraries and utilities")
- (description
- "The libselinux library provides an API for SELinux applications to get
- and set process and file security contexts, and to obtain security policy
- decisions. It is required for any applications that use the SELinux API, and
- used by all applications that are SELinux-aware. This package also includes
- the core SELinux management utilities.")
- (license license:public-domain)))
- (define-public libsemanage
- (package (inherit libsepol)
- (name "libsemanage")
- (arguments
- (substitute-keyword-arguments (package-arguments libsepol)
- ((#:make-flags flags)
- `(cons* "PYTHON=python3"
- (string-append "PYSITEDIR="
- (assoc-ref %outputs "out")
- "/lib/python"
- ,(version-major+minor (package-version python))
- "/site-packages/")
- ,flags))
- ((#:phases phases)
- `(modify-phases ,phases
- (delete 'portability)
- (replace 'enter-dir
- (lambda _ (chdir ,name) #t))
- (add-after 'build 'pywrap
- (lambda* (#:key make-flags #:allow-other-keys)
- (apply invoke "make" "pywrap" make-flags)))
- (add-after 'install 'install-pywrap
- (lambda* (#:key make-flags #:allow-other-keys)
- (apply invoke "make" "install-pywrap" make-flags)))))))
- (inputs
- `(("libsepol" ,libsepol)
- ("libselinux" ,libselinux)
- ("audit" ,audit)
- ("ustr" ,ustr)
- ;; For pywrap phase
- ("python" ,python-wrapper)))
- (native-inputs
- `(("bison" ,bison)
- ("flex" ,flex)
- ;; For pywrap phase
- ("swig" ,swig)
- ("pkg-config" ,pkg-config)))
- (synopsis "SELinux policy management libraries")
- (description
- "The libsemanage library provides an API for the manipulation of SELinux
- binary policies.")
- (license license:lgpl2.1+)))
- (define-public secilc
- (package (inherit libsepol)
- (name "secilc")
- (arguments
- (substitute-keyword-arguments (package-arguments libsepol)
- ((#:make-flags flags)
- `(let ((docbook (assoc-ref %build-inputs "docbook-xsl")))
- (cons (string-append "XMLTO=xmlto --skip-validation -x "
- docbook "/xml/xsl/docbook-xsl-"
- ,(package-version docbook-xsl)
- "/manpages/docbook.xsl")
- ,flags)))
- ((#:phases phases)
- `(modify-phases ,phases
- (delete 'portability)
- (replace 'enter-dir
- (lambda _ (chdir ,name) #t))))))
- (inputs
- `(("libsepol" ,libsepol)))
- (native-inputs
- `(("xmlto" ,xmlto)
- ("docbook-xsl" ,docbook-xsl)))
- (synopsis "SELinux common intermediate language (CIL) compiler")
- (description "The SELinux CIL compiler is a compiler that converts the
- @dfn{common intermediate language} (CIL) into a kernel binary policy file.")
- (license license:bsd-2)))
- (define-public python-sepolgen
- (package (inherit libsepol)
- (name "python-sepolgen")
- (arguments
- `(#:modules ((srfi srfi-1)
- (guix build gnu-build-system)
- (guix build utils))
- ,@(substitute-keyword-arguments (package-arguments libsepol)
- ((#:phases phases)
- `(modify-phases ,phases
- (delete 'portability)
- (replace 'enter-dir
- (lambda _ (chdir "python/sepolgen") #t))
- ;; By default all Python files would be installed to
- ;; $out/gnu/store/...-python-.../, so we override the
- ;; PACKAGEDIR to fix this.
- (add-after 'enter-dir 'fix-target-path
- (lambda* (#:key inputs outputs #:allow-other-keys)
- (let ((get-python-version
- ;; FIXME: copied from python-build-system
- (lambda (python)
- (let* ((version (last (string-split python #\-)))
- (components (string-split version #\.))
- (major+minor (take components 2)))
- (string-join major+minor ".")))))
- (substitute* "src/sepolgen/Makefile"
- (("^PACKAGEDIR.*")
- (string-append "PACKAGEDIR="
- (assoc-ref outputs "out")
- "/lib/python"
- (get-python-version
- (assoc-ref inputs "python"))
- "/site-packages/sepolgen")))
- (substitute* "src/share/Makefile"
- (("\\$\\(DESTDIR\\)") (assoc-ref outputs "out"))))
- #t)))))))
- (inputs
- `(("python" ,python-wrapper)))
- (native-inputs '())
- (synopsis "Python module for generating SELinux policies")
- (description
- "This package contains a Python module that forms the core of
- @code{audit2allow}, a part of the package @code{policycoreutils}. The
- sepolgen library contains: Reference Policy Representation, which are Objects
- for representing policies and the reference policy interfaces. It has objects
- and algorithms for representing access and sets of access in an abstract way
- and searching that access. It also has a parser for reference policy
- \"headers\". It contains infrastructure for parsing SELinux related messages
- as produced by the audit system. It has facilities for generating policy
- based on required access.")
- ;; GPLv2 only
- (license license:gpl2)))
- (define-public python-setools
- (package
- (name "python-setools")
- (version "4.1.1")
- (source (origin
- (method git-fetch)
- (uri (git-reference
- (url "https://github.com/TresysTechnology/setools.git")
- (commit version)))
- (file-name (string-append name "-" version "-checkout"))
- (sha256
- (base32
- "0459xxly6zzqc5azcwk3rbbcxvj60dq08f8z6xr05y7dsbb16cg6"))))
- (build-system python-build-system)
- (arguments
- `(#:tests? #f ; the test target causes a rebuild
- #:phases
- (modify-phases %standard-phases
- (delete 'portability)
- (add-after 'unpack 'set-SEPOL-variable
- (lambda* (#:key inputs #:allow-other-keys)
- (setenv "SEPOL"
- (string-append (assoc-ref inputs "libsepol")
- "/lib/libsepol.a"))))
- (add-after 'unpack 'remove-Werror
- (lambda _
- (substitute* "setup.py"
- (("'-Werror',") ""))
- #t))
- (add-after 'unpack 'fix-target-paths
- (lambda* (#:key outputs #:allow-other-keys)
- (substitute* "setup.py"
- (("join\\(sys.prefix")
- (string-append "join(\"" (assoc-ref outputs "out") "/\"")))
- #t)))))
- (propagated-inputs
- `(("python-networkx" ,python-networkx)))
- (inputs
- `(("libsepol" ,libsepol)
- ("libselinux" ,libselinux)))
- (native-inputs
- `(("bison" ,bison)
- ("flex" ,flex)
- ("swig" ,swig)))
- (home-page "https://github.com/TresysTechnology/setools")
- (synopsis "Tools for SELinux policy analysis")
- (description "SETools is a collection of graphical tools, command-line
- tools, and libraries designed to facilitate SELinux policy analysis.")
- ;; Some programs are under GPL, all libraries under LGPL.
- (license (list license:lgpl2.1+
- license:gpl2+))))
- (define-public policycoreutils
- (package (inherit libsepol)
- (name "policycoreutils")
- (arguments
- `(#:test-target "test"
- #:make-flags
- (let ((out (assoc-ref %outputs "out")))
- (list "CC=gcc"
- (string-append "PREFIX=" out)
- (string-append "LOCALEDIR=" out "/share/locale")
- (string-append "BASHCOMPLETIONDIR=" out
- "/share/bash-completion/completions")
- "INSTALL=install -c -p"
- "INSTALL_DIR=install -d"
- ;; These ones are needed because some Makefiles define the
- ;; directories relative to DESTDIR, not relative to PREFIX.
- (string-append "SBINDIR=" out "/sbin")
- (string-append "ETCDIR=" out "/etc")
- (string-append "SYSCONFDIR=" out "/etc/sysconfig")
- (string-append "MAN5DIR=" out "/share/man/man5")
- (string-append "INSTALL_NLS_DIR=" out "/share/locale")
- (string-append "AUTOSTARTDIR=" out "/etc/xdg/autostart")
- (string-append "DBUSSERVICEDIR=" out "/share/dbus-1/services")
- (string-append "SYSTEMDDIR=" out "/lib/systemd")
- (string-append "INITDIR=" out "/etc/rc.d/init.d")
- (string-append "SELINUXDIR=" out "/etc/selinux")))
- #:phases
- (modify-phases %standard-phases
- (delete 'configure)
- (delete 'portability)
- (add-after 'unpack 'enter-dir
- (lambda _ (chdir ,name) #t))
- (add-after 'enter-dir 'ignore-/usr-tests
- (lambda* (#:key inputs #:allow-other-keys)
- ;; The Makefile decides to build restorecond only if it finds the
- ;; inotify header somewhere under /usr.
- (substitute* "Makefile"
- (("ifeq.*") "")
- (("endif.*") ""))
- ;; Rewrite lookup paths for header files.
- (substitute* '("newrole/Makefile"
- "setfiles/Makefile"
- "run_init/Makefile")
- (("/usr(/include/security/pam_appl.h)" _ file)
- (string-append (assoc-ref inputs "pam") file))
- (("/usr(/include/libaudit.h)" _ file)
- (string-append (assoc-ref inputs "audit") file)))
- #t)))))
- (inputs
- `(("audit" ,audit)
- ("pam" ,linux-pam)
- ("libsepol" ,libsepol)
- ("libselinux" ,libselinux)
- ("libsemanage" ,libsemanage)))
- (native-inputs
- `(("gettext" ,gettext-minimal)))
- (synopsis "SELinux core utilities")
- (description "The policycoreutils package contains the core utilities that
- are required for the basic operation of an SELinux-enabled GNU system and its
- policies. These utilities include @code{load_policy} to load policies,
- @code{setfiles} to label file systems, @code{newrole} to switch roles, and
- @code{run_init} to run service scripts in their proper context.")
- (license license:gpl2+)))