| blob | 4d5cbbb11e32a7ea5723b5c81766fc15dbb8c462 |
1 {
2 lib,
3 stdenv,
4 fetchurl,
5 fetchpatch,
6 buildPackages,
7 pcre2,
8 pkg-config,
9 libsepol,
10 enablePython ? false,
11 swig ? null,
12 python3 ? null,
13 python3Packages ? null,
14 fts,
15 }:
17 assert enablePython -> swig != null && python3 != null;
19 stdenv.mkDerivation (
20 rec {
21 pname = "libselinux";
22 version = "3.7";
23 inherit (libsepol) se_url;
25 outputs = [
26 "bin"
27 "out"
28 "dev"
29 "man"
30 ] ++ lib.optional enablePython "py";
32 src = fetchurl {
33 url = "${se_url}/${version}/libselinux-${version}.tar.gz";
34 hash = "sha256-6gP0LROk+VdXmX26jPCyYyH6xdLxZEGLTMhWqS0rF70=";
35 };
37 patches = [
38 # Make it possible to disable shared builds (for pkgsStatic).
39 #
40 # We can't use fetchpatch because it processes includes/excludes
41 # /after/ stripping the prefix, which wouldn't work here because
42 # there would be no way to distinguish between
43 # e.g. libselinux/src/Makefile and libsepol/src/Makefile.
44 #
45 # This is a static email, so we shouldn't have to worry about
46 # normalizing the patch.
47 (fetchurl {
48 url = "https://lore.kernel.org/selinux/20211113141616.361640-1-hi@alyssa.is/raw";
49 hash = "sha256-dqxiupaJK4o00YERGWGIEIhM7sPelxBFQomAFKXQQpk=";
50 postFetch = ''
51 mv "$out" $TMPDIR/patch
52 ${buildPackages.patchutils_0_3_3}/bin/filterdiff \
53 -i 'a/libselinux/*' --strip 1 <$TMPDIR/patch >"$out"
54 '';
55 })
57 (fetchurl {
58 url = "https://git.yoctoproject.org/meta-selinux/plain/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch?id=62b9c816a5000dc01b28e78213bde26b58cbca9d";
59 hash = "sha256-RiEUibLVzfiRU6N/J187Cs1iPAih87gCZrlyRVI2abU=";
60 })
62 # libselinux: fix swig bindings for 4.3.0
63 (fetchpatch {
64 url = "https://github.com/SELinuxProject/selinux/commit/8e0e718bae53fff30831b92cd784151d475a20da.patch";
65 stripLen = 1;
66 hash = "sha256-8Nd6ketQ7/r5W0sRdheqyGWHJRZ1RfGC4ehTqnHau04=";
67 })
68 ];
70 nativeBuildInputs =
71 [
72 pkg-config
73 python3
74 ]
75 ++ lib.optionals enablePython [
76 python3Packages.pip
77 python3Packages.setuptools
78 python3Packages.wheel
79 swig
80 ];
81 buildInputs = [
82 libsepol
83 pcre2
84 fts
85 ] ++ lib.optionals enablePython [ python3 ];
87 # drop fortify here since package uses it by default, leading to compile error:
88 # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
89 hardeningDisable = [ "fortify" ];
91 env.NIX_CFLAGS_COMPILE = "-Wno-error -D_FILE_OFFSET_BITS=64";
93 makeFlags =
94 [
95 "PREFIX=$(out)"
96 "INCDIR=$(dev)/include/selinux"
97 "INCLUDEDIR=$(dev)/include"
98 "MAN3DIR=$(man)/share/man/man3"
99 "MAN5DIR=$(man)/share/man/man5"
100 "MAN8DIR=$(man)/share/man/man8"
101 "SBINDIR=$(bin)/sbin"
102 "SHLIBDIR=$(out)/lib"
104 "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
105 "ARCH=${stdenv.hostPlatform.linuxArch}"
106 ]
107 ++ lib.optionals (fts != null) [
108 "FTS_LDLIBS=-lfts"
109 ]
110 ++ lib.optionals stdenv.hostPlatform.isStatic [
111 "DISABLE_SHARED=y"
112 ]
113 ++ lib.optionals enablePython [
114 "PYTHON=${python3.pythonOnBuildForHost.interpreter}"
115 "PYTHONLIBDIR=$(py)/${python3.sitePackages}"
116 "PYTHON_SETUP_ARGS=--no-build-isolation"
117 ];
119 preInstall = lib.optionalString enablePython ''
120 mkdir -p $py/${python3.sitePackages}/selinux
121 '';
123 installTargets = [ "install" ] ++ lib.optional enablePython "install-pywrap";
125 meta = removeAttrs libsepol.meta [ "outputsToInstall" ] // {
126 description = "SELinux core library";
127 };
128 }
129 //
130 lib.optionalAttrs (stdenv.cc.bintools.isLLVM && lib.versionAtLeast stdenv.cc.bintools.version "17")
131 {
132 NIX_LDFLAGS = "--undefined-version";
133 }
134 )