selinux: package bumps

[aanderse]

i don't know anything about the selinux package set on NixOS, but i ended up in an unfortunate situation where i was forced to look into this issue and resolve it

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[emilazy]

I’m afraid I also don’t know anything about the SELinux package set :)

Did I touch these packages at some point and forget about it?

[aanderse]

Did I touch these packages at some point and forget about it?

yes, though i didn't look into the details... so my apologies for the ping 🙇‍♂️

[RossComputerGuy]

Will look into this tonight.

[RossComputerGuy]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 381014 --package checkpolicy --package libsepol --package libselinux --package libsemanage --package policycoreutils

---

aarch64-linux

✅ 14 packages built:

• checkpolicy
• libselinux
• libselinux.bin (libselinux.bin.bin, libselinux.bin.dev, libselinux.bin.man)
• libselinux.dev (libselinux.dev.bin, libselinux.dev.dev, libselinux.dev.man)
• libselinux.man (libselinux.man.bin, libselinux.man.dev, libselinux.man.man)
• libsemanage
• libsemanage.dev (libsemanage.dev.dev, libsemanage.dev.man, libsemanage.dev.py)
• libsemanage.man (libsemanage.man.dev, libsemanage.man.man, libsemanage.man.py)
• libsemanage.py (libsemanage.py.dev, libsemanage.py.man, libsemanage.py.py)
• libsepol
• libsepol.bin (libsepol.bin.bin, libsepol.bin.dev, libsepol.bin.man)
• libsepol.dev (libsepol.dev.bin, libsepol.dev.dev, libsepol.dev.man)
• libsepol.man (libsepol.man.bin, libsepol.man.dev, libsepol.man.man)
• policycoreutils

[alyssais]

I think this breaks pkgsStatic.libselinux. I'll look into it.

[alyssais]

44f7af068d53085eb1066454419ba7bc0e9b6cfd is the first bad commit
commit 44f7af068d53085eb1066454419ba7bc0e9b6cfd (HEAD)
Author: Christian Göttsche <[email protected]>
Date:   Tue Nov 5 19:33:12 2024 +0100
    libselinux/utils: introduce selabel_compare
    
    Add a utility around selabel_cmp(3).
    
    Can be used by users to compare a pre-compiled fcontext file to an
    original text-based file context definition file.
    
    Can be used for development to verify compilation and parsing of the
    pre-compiled fcontext format works correctly.
    
    Signed-off-by: Christian Göttsche <[email protected]>
    Acked-by: James Carter <[email protected]>
 libselinux/utils/.gitignore        |   1 +
 libselinux/utils/selabel_compare.c | 122 +++++++++++++++++++++++++++++++++++++
 2 files changed, 123 insertions(+)
 create mode 100644 libselinux/utils/selabel_compare.c

Trying to figure out why…

[alyssais]

Okay, the patch just needs to be updated for that new program. Won't finish that tonight but will continue tomorrow.

[alyssais]

Okay I did end up finishing it tonight. If you update the URL for the first libselinux patch to https://lore.kernel.org/selinux/[email protected]/raw it should work again.

[RossComputerGuy]

Thank you @alyssais. If @aanderse doesn't add it in by tonight, I'll merge and make a follow up PR with the fix. But it's probably best if the patch gets added in along with this PR.

[aanderse]

thank you very much for your investigation on this @alyssais! and thank you for your offer to help out @RossComputerGuy!

[alyssais]

Could you please squash that last commit into the libselinux update? It's best not to leave intermediate states with broken builds where possible, as it makes bisection more difficult.

[aanderse]

all good to merge?

[alyssais]

GitHub didn't notify me of the force push :(

[aanderse]

all good - thanks for all the help on this one!