authorShea Levy <shea@shealevy.com>2018-03-28 09:36:47 -0400
committerShea Levy <shea@shealevy.com>2018-03-28 09:36:47 -0400
commit05e375d7103ac51e2da917965c37246c99f1ae4f (patch)
tree7ec4e9a2f5b7b1e2dea7c3e059f5b40e1dac1569 /pkgs/os-specific/linux
parent335934a073d6024d54c71bf82d5f8baab13abe75 (diff)
parentc7d7abc51e5f9b9c7481a83c47b37508bf08b05b (diff)
Merge remote-tracking branch 'origin/master' into staging
Diffstat (limited to 'pkgs/os-specific/linux')
-rw-r--r--pkgs/os-specific/linux/checkpolicy/default.nix13
-rw-r--r--pkgs/os-specific/linux/dbus-broker/default.nix4
-rw-r--r--pkgs/os-specific/linux/ena/default.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix49
-rw-r--r--pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix8
-rw-r--r--pkgs/os-specific/linux/kernel/linux-testing.nix6
-rw-r--r--pkgs/os-specific/linux/kexectools/default.nix1
-rw-r--r--pkgs/os-specific/linux/libselinux/default.nix36
-rw-r--r--pkgs/os-specific/linux/libsemanage/default.nix28
-rw-r--r--pkgs/os-specific/linux/libsepol/default.nix10
-rwxr-xr-xpkgs/os-specific/linux/nvidia-x11/builder-legacy173.sh99
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/default.nix7
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/generic.nix5
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/legacy173.nix53
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/persistenced.nix2
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/settings.nix2
-rw-r--r--pkgs/os-specific/linux/policycoreutils/default.nix53
-rw-r--r--pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch12
-rw-r--r--pkgs/os-specific/linux/selinux-python/default.nix49
-rw-r--r--pkgs/os-specific/linux/selinux-sandbox/default.nix61
-rw-r--r--pkgs/os-specific/linux/setools/default.nix49
-rw-r--r--pkgs/os-specific/linux/systemd/default.nix8
22 files changed, 215 insertions, 344 deletions
diff --git a/pkgs/os-specific/linux/checkpolicy/default.nix b/pkgs/os-specific/linux/checkpolicy/default.nix
index 8e01bb2a5c8..6ea73c9ac6c 100644
--- a/pkgs/os-specific/linux/checkpolicy/default.nix
+++ b/pkgs/os-specific/linux/checkpolicy/default.nix
@@ -2,27 +2,18 @@
 
 stdenv.mkDerivation rec {
   name = "checkpolicy-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/checkpolicy-${version}.tar.gz";
-    sha256 = "1m5wjm43lzp6bld8higsvdm2dkddydihhwv9qw2w9r4dm0largcv";
+    sha256 = "009j9jc0hi4l7k8f21hn8fm25n0mqgzdpd4nk30nds6d3nglf4sl";
   };
 
-  # Don't build tests
-  postPatch = ''
-    sed '/-C test/d' -i Makefile
-    sed '1i#include <ctype.h>' -i checkpolicy.c
-  '';
-
   nativeBuildInputs = [ bison flex ];
   buildInputs = [ libsepol ];
 
-  NIX_CFLAGS_COMPILE = "-fstack-protector-all";
-
   preBuild = ''
-    makeFlagsArray+=("LEX=flex")
     makeFlagsArray+=("LIBDIR=${libsepol}/lib")
     makeFlagsArray+=("PREFIX=$out")
   '';
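Review bot: Dropping `NIX_CFLAGS_COMPILE = "-fstack-protector-all";` leaves stack protection to stdenv's default hardening flags, which use `-fstack-protector-strong` rather than instrumenting every function, so the resulting checkpolicy binary is slightly less hardened than before unless that was the intent. If relying on the stdenv default is deliberate, a one-line comment such as `# stack protection comes from stdenv's default hardening flags` would record it for the next updater. The same explicit flag is removed in the libsemanage, policycoreutils and setools hunks of this commit.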
diff --git a/pkgs/os-specific/linux/dbus-broker/default.nix b/pkgs/os-specific/linux/dbus-broker/default.nix
index 5d0728b7e24..67e4df3d6f9 100644
--- a/pkgs/os-specific/linux/dbus-broker/default.nix
+++ b/pkgs/os-specific/linux/dbus-broker/default.nix
@@ -17,8 +17,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ dbus glib linuxHeaders systemd ];
 
-  PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "${placeholder "out"}/lib/systemd/system";
-  PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "${placeholder "out"}/lib/systemd/user";
+  PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "lib/systemd/system";
+  PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "lib/systemd/user";
 
   postInstall = ''
     install -Dm644 ../README $out/share/doc/dbus-broker/README
diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix
index 9ed691d69f0..e3f382ababc 100644
--- a/pkgs/os-specific/linux/ena/default.nix
+++ b/pkgs/os-specific/linux/ena/default.nix
@@ -1,14 +1,14 @@
 { lib, stdenv, fetchFromGitHub, kernel, kmod }:
 
 stdenv.mkDerivation rec {
-  version = "1.5.0";
+  version = "1.5.2";
   name = "ena-${version}-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "amzn";
     repo = "amzn-drivers";
     rev = "ena_linux_${version}";
-    sha256 = "1h3vnwa2129advyws69n0sqyra4nz68mng6g84whbvhzjyx810sj";
+    sha256 = "18wf36092kr3zlpnqdkcdlim3vvjxy5f24zzsv4fwa7xg12mcfjm";
   };
 
   hardeningDisable = [ "pic" ];
diff --git a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
index acdba5987bb..206787ecb8b 100644
--- a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
@@ -2,51 +2,12 @@
 
 stdenv.mkDerivation rec {
   name = "firmware-linux-nonfree-${version}";
-  version = "2018-01-04-${src.iwlRev}";
+  version = "2018-03-20";
 
-  # The src runCommand automates the process of building a merged repository of both
-  #
-  # https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/
-  # https://git.kernel.org/cgit/linux/kernel/git/iwlwifi/linux-firmware.git/
-  #
-  # This gives us up to date iwlwifi firmware as well as
-  # the usual set of firmware. firmware/linux-firmware usually lags kernel releases
-  # so iwlwifi cards will fail to load on newly released kernels.
-  #
-  # To update, go to the above repositories and look for latest tags / commits, then
-  # update version to the more recent commit date
-
-  src = runCommand "firmware-linux-nonfree-src-merged-${version}" {
-    shallowSince = "2017-10-01";
-    baseRev = "65b1c68c63f974d72610db38dfae49861117cae2";
-    iwlRev = "iwlwifi-fw-2017-11-15";
-
-    # When updating this, you need to let it run with a wrong hash, in order to find out the desired hash
-    # randomly mutate the hash to break out of fixed hash, when updating
-    outputHash = "1anr7fblxfcrfrrgq98kzy64yrwygc2wdgi47skdmjxhi3wbrvxz";
-
-    outputHashAlgo = "sha256";
-    outputHashMode = "recursive";
-
-    # Doing the download on a remote machine just duplicates network
-    # traffic, so don't do that.
-    preferLocalBuild = true;
-
-    nativeBuildInputs = [ cacert git gnupg ];
-  } ''
-    git init src && (
-      cd src
-      git config user.email "build-daemon@nixos.org"
-      git config user.name "Nixos Build Daemon $name"
-      git remote add base https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
-      git remote add iwl https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/linux-firmware.git
-      git fetch --shallow-since=$shallowSince base
-      git fetch --shallow-since=$shallowSince iwl
-      git checkout -b work $baseRev
-      git merge $iwlRev)
-    rm -rf src/.git
-    cp -a src $out
-  '';
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
+    sha256 = "1gh5a2km33jj151j3q7mgkjzzhaaxlqxbb53n4ff46q658gv0wma";
+  };
 
   preInstall = ''
     mkdir -p $out
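Review bot: The new `fetchgit` call pins only a `sha256` and no `rev`, so it fetches whatever the branch head is at build time; the fixed-output hash will stop matching as soon as upstream moves, and `version = "2018-03-20"` records no commit to rebuild from. Add `rev = "<upstream commit id for 2018-03-20 — placeholder>";` next to the sha256 so the source is pinned and the date in the version string has a concrete referent. This also restores the reproducibility the removed runCommand had via its explicit `baseRev`.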
diff --git a/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix b/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
index 5aae37418ce..f5e219bc74e 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
@@ -1,15 +1,15 @@
 { stdenv, buildPackages, hostPlatform, fetchgit, perl, buildLinux, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.15.2018.02.09";
+  version = "4.15.2018.03.22";
   modDirVersion = "4.15.0";
   extraMeta.branch = "master";
-  extraMeta.maintainers = [ stdenv.lib.maintainers.davidak ];
+  extraMeta.maintainers = [ stdenv.lib.maintainers.davidak stdenv.lib.maintainers.chiiruno ];
 
   src = fetchgit {
     url = "https://evilpiepirate.org/git/bcachefs.git";
-    rev = "4506cd5ead31209a6a646c2412cbc7be735ebda4";
-    sha256 = "0fcyf3y27k2lga5na4dhdyc47br840gkqynv8gix297pqxgidrib";
+    rev = "919a34d47a68f3e5f00a7ce5efb67748ec31bd62";
+    sha256 = "1j17my3046ry8zdcvf8h2vnij89wkwmv64w3g2pf9lksh2909djw";
   };
 
   extraConfig = ''
diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix
index bcc1ec14561..5e8e861af25 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing.nix
@@ -1,13 +1,13 @@
 { stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, libelf, utillinux, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.16-rc6";
-  modDirVersion = "4.16.0-rc6";
+  version = "4.16-rc7";
+  modDirVersion = "4.16.0-rc7";
   extraMeta.branch = "4.16";
 
   src = fetchurl {
     url = "https://git.kernel.org/torvalds/t/linux-${version}.tar.gz";
-    sha256 = "0kwn1qj44pyb404qhwm4qr8mmfni8qfh1raf010d62i48n7pgv0d";
+    sha256 = "13zpfjxd38202afjl6flc9brjw3sp4sfq3wls0v90k1i2b308qfi";
   };
 
   # Should the testing kernels ever be built on Hydra?
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index c4c5b7cc3b9..26f3d89c662 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -22,5 +22,6 @@ stdenv.mkDerivation rec {
     homepage = http://horms.net/projects/kexec/kexec-tools;
     description = "Tools related to the kexec Linux feature";
     platforms = platforms.linux;
+    badPlatforms = platforms.riscv;
   };
 }
diff --git a/pkgs/os-specific/linux/libselinux/default.nix b/pkgs/os-specific/linux/libselinux/default.nix
index c276f56dd8b..59d5db52ac6 100644
--- a/pkgs/os-specific/linux/libselinux/default.nix
+++ b/pkgs/os-specific/linux/libselinux/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, pkgconfig, libsepol, pcre
+{ stdenv, fetchurl, pcre, pkgconfig, libsepol
 , enablePython ? true, swig ? null, python ? null
 , musl-fts
 }:
@@ -9,12 +9,12 @@ with stdenv.lib;
 
 stdenv.mkDerivation rec {
   name = "libselinux-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libselinux-${version}.tar.gz";
-    sha256 = "0yqg73ns97jwjh1iyv0jr5qxb8k5sqq5ywfkx11lzfn5yj8k0126";
+    sha256 = "0mwcq78v6ngbq06xmb9dvilpg0jnl2vs9fgrpakhmmiskdvc1znh";
   };
 
   nativeBuildInputs = [ pkgconfig ];
@@ -22,36 +22,24 @@ stdenv.mkDerivation rec {
              ++ optionals enablePython [ swig python ]
              ++ optional stdenv.hostPlatform.isMusl musl-fts;
 
-  # Avoid this false warning:
-  # avc_internal.c: In function 'avc_netlink_receive':
-  # avc_internal.c:105:25: error: cast increases required alignment of target type [-Werror=cast-align]
-  #  struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
-  #                         ^
+  # drop fortify here since package uses it by default, leading to compile error:
+  # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
+  hardeningDisable = [ "fortify" ];
 
-  NIX_CFLAGS_COMPILE = "-std=gnu89 -Wno-error=cast-align";
-
-  # Unreleased upstream patch that fixes Python package issue arising
-  # from recent SWIG changes.
-  patches = optional enablePython (fetchpatch {
-    name = "fix-python-swig.patch";
-    url = "https://github.com/SELinuxProject/selinux/commit/a9604c30a5e2f71007d31aa6ba41cf7b95d94822.patch";
-    sha256 = "0mjrclh0sd8m7vq0wvl6pg29ss415j3kn0266v8ixy4fprafagfp";
-    stripLen = 1;
-  });
+  NIX_CFLAGS_COMPILE = [ "-Wno-error" ];
 
   postPatch = optionalString enablePython ''
     sed -i -e 's|\$(LIBDIR)/libsepol.a|${libsepol}/lib/libsepol.a|' src/Makefile
-  ''
-  + ''
-    sed '1i#include <sys/uio.h>' -i src/setrans_client.c
   '';
 
+  # fix install locations
   preBuild = ''
-    # Build fails without this precreated
-    mkdir -p $out/include
-
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
+    makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
+    makeFlagsArray+=("MAN8DIR=$out/share/man/man8")
+    makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages")
   '';
 
   installTargets = [ "install" ] ++ optional enablePython "install-pywrap";
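Review bot: `${python.libPrefix}` on the PYSITEDIR line is interpolated unconditionally, but `python` defaults to `null` in the argument set, so evaluating this derivation with `enablePython = false` fails on `null.libPrefix` before any build starts. Guarding that single line, e.g. by moving it into a separate `+ optionalString enablePython ''...''` segment appended to the preBuild string (`optionalString` is available from the `with stdenv.lib;` at the top of the file), keeps the non-Python variant evaluable; the libsemanage hunk has the same issue on its PYSITEDIR line. Separately, `hardeningDisable = [ "fortify" ]` turns off FORTIFY_SOURCE for a security-sensitive library, while this hunk also adds `-Wno-error`, which should already downgrade the quoted `"_FORTIFY_SOURCE" redefined [-Werror]` diagnostic to a warning; it is worth checking whether the fortify opt-out is still needed at all.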
diff --git a/pkgs/os-specific/linux/libsemanage/default.nix b/pkgs/os-specific/linux/libsemanage/default.nix
index 587349e4067..45222bee6b0 100644
--- a/pkgs/os-specific/linux/libsemanage/default.nix
+++ b/pkgs/os-specific/linux/libsemanage/default.nix
@@ -1,31 +1,33 @@
-{ stdenv, fetchurl, bison, flex, libsepol, libselinux, ustr, bzip2, libaudit }:
+{ stdenv, fetchurl, pkgconfig, bison, flex, libsepol, libselinux, bzip2, libaudit
+, enablePython ? true, swig ? null, python ? null
+}:
+
+with stdenv.lib;
 
 stdenv.mkDerivation rec {
   name = "libsemanage-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libsemanage-${version}.tar.gz";
-    sha256 = "1134ka4mi4387ac5yv68bpp2y7ln5xxhwp07xhqnay0nxzjaqk0s";
+    sha256 = "0xnlp1yg8b1aqc6kq3pss1i1nl06rfj4x4pyl5blasnf2ivlgs87";
   };
 
-  nativeBuildInputs = [ bison flex ];
-  buildInputs = [ libsepol libselinux ustr bzip2 libaudit ];
-
-  NIX_CFLAGS_COMPILE = [
-    "-fstack-protector-all"
-    "-std=gnu89"
-    # these were added to fix build with gcc7. review on update
-    "-Wno-error=format-truncation"
-    "-Wno-error=implicit-fallthrough"
-  ];
+  nativeBuildInputs = [ bison flex pkgconfig ];
+  buildInputs = [ libsepol libselinux bzip2 libaudit ]
+    ++ optionals enablePython [ swig python ];
 
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
+    makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
+    makeFlagsArray+=("PYSITEDIR=$out/lib/${python.libPrefix}/site-packages")
   '';
 
+  installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ];
+
   meta = libsepol.meta // {
     description = "Policy management tools for SELinux";
     license = stdenv.lib.licenses.lgpl21;
diff --git a/pkgs/os-specific/linux/libsepol/default.nix b/pkgs/os-specific/linux/libsepol/default.nix
index f7f393afb39..40872f7c1ac 100644
--- a/pkgs/os-specific/linux/libsepol/default.nix
+++ b/pkgs/os-specific/linux/libsepol/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "libsepol-${version}";
-  version = "2.4";
-  se_release = "20150202";
+  version = "2.7";
+  se_release = "20170804";
   se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases";
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libsepol-${version}.tar.gz";
-    sha256 = "0ncnwhpc1gx4hrrb822fqkwy5h75zzngsrfkd5mlqh1jk7aib419";
+    sha256 = "1rzr90d3f1g5wy1b8sh6fgnqb9migys2zgpjmpakn6lhxkc3p7fn";
   };
 
   nativeBuildInputs = [ flex ];
@@ -16,9 +16,11 @@ stdenv.mkDerivation rec {
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("MAN8DIR=$out/share/man/man8")
+    makeFlagsArray+=("MAN3DIR=$out/share/man/man3")
   '';
 
-  NIX_CFLAGS_COMPILE = [ "-Wno-error=implicit-fallthrough" ];
+  NIX_CFLAGS_COMPILE = [ "-Wno-error" ];
 
   passthru = { inherit se_release se_url; };
 
diff --git a/pkgs/os-specific/linux/nvidia-x11/builder-legacy173.sh b/pkgs/os-specific/linux/nvidia-x11/builder-legacy173.sh
deleted file mode 100755
index 5d47df9a87a..00000000000
--- a/pkgs/os-specific/linux/nvidia-x11/builder-legacy173.sh
+++ /dev/null
@@ -1,99 +0,0 @@
-source $stdenv/setup
-
-dontPatchELF=1 # must keep libXv, $out in RPATH
-
-
-unpackFile() {
-    sh $src -x
-}
-
-
-buildPhase() {
-    if test -z "$libsOnly"; then
-        echo "Building linux driver against kernel: " $kernel;
-
-        cd usr/src/nv/
-
-        shopt -s nullglob
-
-        for a in $kpatches; do
-          patch -p1 < $a
-        done
-
-        # Workaround: get it to build on kernels that have CONFIG_XEN
-        # set.  Disable the test, apply a patch to disable the Xen
-        # functionality.
-        
-        #substituteInPlace Makefile.kbuild --replace xen_sanity_check fnord
-        #patch -p1 < $xenPatch
-
-        # Create the module.
-        kernelVersion=$(cd $kernel/lib/modules && ls)
-        sysSource=$(echo $kernel/lib/modules/$kernelVersion/source)
-        sysOut=$(echo $kernel/lib/modules/$kernelVersion/build)
-        unset src # used by the nv makefile
-        make SYSSRC=$sysSource SYSOUT=$sysOut module
-        cd ../../..
-    fi
-}
-
-
-installPhase() {
-
-    # Install libGL and friends.
-    mkdir -p $out/lib
-    cp -prd usr/lib/* usr/X11R6/lib/libXv* $out/lib/
-
-    ln -snf libGLcore.so.$versionNumber $out/lib/libGLcore.so
-    ln -snf libGLcore.so.$versionNumber $out/lib/libGLcore.so.1
-    ln -snf libGL.so.$versionNumber $out/lib/libGL.so
-    ln -snf libGL.so.$versionNumber $out/lib/libGL.so.1
-    ln -snf libnvidia-cfg.so.$versionNumber $out/lib/libnvidia-cfg.so.1
-    ln -snf libnvidia-tls.so.$versionNumber $out/lib/libnvidia-tls.so.1
-    ln -snf libnvidia-tls.so.$versionNumber $out/lib/tls/libnvidia-tls.so.1
-    ln -snf libXvMCNVIDIA.so.$versionNumber $out/lib/libXvMCNVIDIA_dynamic.so.1
-    ln -snf libcuda.so.$versionNumber $out/lib/libcuda.so.1
-
-    patchelf --set-rpath $out/lib:$glPath $out/lib/libGL.so.*.*
-    patchelf --set-rpath $out/lib:$glPath $out/lib/libXvMCNVIDIA.so.*.*
-    set +e
-    # Legacy nvidia doesn't have cuda
-    patchelf --set-rpath $cudaPath $out/lib/libcuda.so.*.*
-    set -e
-    
-    if test -z "$libsOnly"; then
-        
-        # Install the kernel module.
-        mkdir -p $out/lib/modules/$kernelVersion/misc
-        cp usr/src/nv/nvidia.ko $out/lib/modules/$kernelVersion/misc
-
-        # Install the X driver.
-        mkdir -p $out/lib/xorg/modules
-        cp -prd usr/X11R6/lib/modules/* $out/lib/xorg/modules/
-
-        ln -snf libnvidia-wfb.so.$versionNumber $out/lib/xorg/modules/libnvidia-wfb.so.1
-        ln -snf libglx.so.$versionNumber $out/lib/xorg/modules/extensions/libglx.so
-
-        patchelf --set-rpath $out/lib $out/lib/xorg/modules/extensions/libglx.so.*.*
-
-        # Install the programs.
-        mkdir -p $out/bin
-
-        for i in nvidia-settings nvidia-xconfig; do
-	    cp usr/bin/$i $out/bin/$i
-	    patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
-	        --set-rpath $out/lib:$programPath:$glPath $out/bin/$i
-        done
-    
-        # Header files etc.
-        cp -prd usr/include usr/share $out
-
-        # Patch the `nvidia-settings.desktop' file.
-        substituteInPlace $out/share/applications/nvidia-settings.desktop \
-            --replace '__UTILS_PATH__' $out/bin \
-            --replace '__PIXMAP_PATH__' $out/share/pixmaps
-    fi
-}
-
-
-genericBuild
diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix
index d0348bd67d4..57899d6f893 100644
--- a/pkgs/os-specific/linux/nvidia-x11/default.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/default.nix
@@ -46,12 +46,13 @@ rec {
     persistencedSha256 = null;
     useGLVND = false;
     useProfiles = false;
+    settings32Bit = true;
 
     prePatch = let
       debPatches = fetchurl {
         url = "mirror://debian/pool/non-free/n/nvidia-graphics-drivers-legacy-304xx/"
-            + "nvidia-graphics-drivers-legacy-304xx_304.135-2.debian.tar.xz";
-        sha256 = "0mhji0ssn7075q5a650idigs48kzf11pzj2ca2n07rwxg3vj6pdr";
+            + "nvidia-graphics-drivers-legacy-304xx_304.137-5.debian.tar.xz";
+        sha256 = "0n8512mfcnvklfbg8gv4lzbkm3z6nncwj6ix2b8ngdkmc04f3b6l";
       };
       prefix = "debian/module/debian/patches";
       applyPatches = pnames: if pnames == [] then null else
@@ -63,6 +64,4 @@ rec {
     in applyPatches [ "fix-typos" ];
     patches = maybePatch_drm_legacy;
   };
-
-  legacy_173 = callPackage ./legacy173.nix { };
 }
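Review bot: Removing the `legacy_173` attribute outright turns any configuration that selects `nvidia_x11.legacy_173` into an attribute-missing evaluation error with no hint of why; a throwing alias such as `legacy_173 = throw "nvidia_x11.legacy_173 has been removed: the 173.x driver is no longer supported";` (or an entry in pkgs/top-level/aliases.nix) gives users an actionable message. The enclosing `rec { ... }` set starts outside this hunk.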
diff --git a/pkgs/os-specific/linux/nvidia-x11/generic.nix b/pkgs/os-specific/linux/nvidia-x11/generic.nix
index bde8ad361dc..13e5d1b76ea 100644
--- a/pkgs/os-specific/linux/nvidia-x11/generic.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/generic.nix
@@ -6,6 +6,7 @@
 , useGLVND ? true
 , useProfiles ? true
 , preferGtk2 ? false
+, settings32Bit ? false
 
 , prePatch ? ""
 , patches ? []
@@ -68,7 +69,7 @@ let
     disallowedReferences = optional (!libsOnly) [ kernel.dev ];
 
     passthru = {
-      settings = callPackage (import ./settings.nix self settingsSha256) {
+      settings = (if settings32Bit then callPackage_i686 else callPackage) (import ./settings.nix self settingsSha256) {
         withGtk2 = preferGtk2;
         withGtk3 = !preferGtk2;
       };
@@ -79,7 +80,7 @@ let
       homepage = http://www.nvidia.com/object/unix.html;
       description = "X.org driver and kernel module for NVIDIA graphics cards";
       license = licenses.unfreeRedistributable;
-      platforms = platforms.linux;
+      platforms = [ "i686-linux" "x86_64-linux" ];
       maintainers = [ maintainers.vcunat ];
       priority = 4; # resolves collision with xorg-server's "lib/xorg/modules/extensions/libglx.so"
     };
diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy173.nix b/pkgs/os-specific/linux/nvidia-x11/legacy173.nix
deleted file mode 100644
index 51a230974c8..00000000000
--- a/pkgs/os-specific/linux/nvidia-x11/legacy173.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{stdenv, fetchurl, kernel, xorg, zlib, gtk2, atk, pango, glib, gdk_pixbuf}:
-
-let
-
-  versionNumber = "173.14.39";
-
-in
-
-stdenv.mkDerivation {
-  name = "nvidia-x11-${versionNumber}-${kernel.version}";
-
-  builder = ./builder-legacy173.sh;
-
-  src =
-    if stdenv.system == "i686-linux" then
-      fetchurl {
-        url = "https://download.nvidia.com/XFree86/Linux-x86/${versionNumber}/NVIDIA-Linux-x86-${versionNumber}-pkg0.run";
-        sha256 = "08xb7s7cxmj4zv4i3645kjhlhhwxiq6km9ixmsw3vv91f7rkb6d0";
-      }
-    else if stdenv.system == "x86_64-linux" then
-      fetchurl {
-        url = "https://download.nvidia.com/XFree86/Linux-x86_64/${versionNumber}/NVIDIA-Linux-x86_64-${versionNumber}-pkg0.run";
-        sha256 = "1p2ls0xj81l8v4n6dbjj3p5wlw1iyhgzyvqcv4h5fdxhhs2cb3md";
-      }
-    else throw "nvidia-x11 does not support platform ${stdenv.system}";
-
-  kernel = kernel.dev;
-
-  hardeningDisable = [ "pic" "format" ];
-
-  inherit versionNumber;
-
-  dontStrip = true;
-
-  glPath = stdenv.lib.makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr];
-
-  cudaPath = stdenv.lib.makeLibraryPath [zlib stdenv.cc.cc];
-
-  programPath = stdenv.lib.makeLibraryPath [ gtk2 atk pango glib gdk_pixbuf xorg.libXv ];
-
-  passthru = {
-    settings = null;
-    persistenced = null;
-    useGLVND = false;
-    useProfiles = false;
-  };
-
-  meta = {
-    homepage = http://www.nvidia.com/object/unix.html;
-    description = "X.org driver and kernel module for Legacy NVIDIA graphics cards";
-    license = stdenv.lib.licenses.unfree;
-  };
-}
diff --git a/pkgs/os-specific/linux/nvidia-x11/persistenced.nix b/pkgs/os-specific/linux/nvidia-x11/persistenced.nix
index 22fd1242700..21e6cb5d500 100644
--- a/pkgs/os-specific/linux/nvidia-x11/persistenced.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/persistenced.nix
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
     homepage = http://www.nvidia.com/object/unix.html;
     description = "Settings application for NVIDIA graphics cards";
     license = licenses.unfreeRedistributable;
-    platforms = platforms.linux;
+    platforms = nvidia_x11.meta.platforms;
     maintainers = with maintainers; [ abbradar ];
   };
 }
diff --git a/pkgs/os-specific/linux/nvidia-x11/settings.nix b/pkgs/os-specific/linux/nvidia-x11/settings.nix
index 92577d03a51..e2ef51da380 100644
--- a/pkgs/os-specific/linux/nvidia-x11/settings.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/settings.nix
@@ -83,7 +83,7 @@ stdenv.mkDerivation rec {
     homepage = http://www.nvidia.com/object/unix.html;
     description = "Settings application for NVIDIA graphics cards";
     license = licenses.unfreeRedistributable;
-    platforms = platforms.linux;
+    platforms = nvidia_x11.meta.platforms;
     maintainers = with maintainers; [ abbradar ];
   };
 }
diff --git a/pkgs/os-specific/linux/policycoreutils/default.nix b/pkgs/os-specific/linux/policycoreutils/default.nix
index 980b77f8df2..a7cac46ae6a 100644
--- a/pkgs/os-specific/linux/policycoreutils/default.nix
+++ b/pkgs/os-specific/linux/policycoreutils/default.nix
@@ -1,64 +1,33 @@
-{ stdenv, fetchurl, pythonPackages, gettext
-, setools, libsepol, libselinux, libcap_ng, libsemanage, sepolgen
-}:
+{ stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }:
 
 stdenv.mkDerivation rec {
   name = "policycoreutils-${version}";
-  version = "2.4";
+  version = "2.7";
   inherit (libsepol) se_release se_url;
 
   src = fetchurl {
     url = "${se_url}/${se_release}/policycoreutils-${version}.tar.gz";
-    sha256 = "0y9l9k60iy21hj0lcvfdfxs1fxydg6d3pxp9rhy7hwr4y5vgh6dq";
+    sha256 = "1x742c7lkw30namhkw87yg7z384qzqjz0pvmqs0lk19v6958l6qa";
   };
 
-  patches = [ ./fix-printf-type.patch ];
-
   postPatch = ''
-    # Fix references to libsepol.a
-    find . -name Makefile -exec sed -i 's,[^ ]*/libsepol.a,${libsepol}/lib/libsepol.a,g' {} \;
-
     # Fix install references
-    substituteInPlace po/Makefile --replace /usr/bin/install install
-
-    # Fix references to /usr/share
-    grep -r '/usr/share' | awk -F: '{print $1}' | xargs sed -i "s,\(\$(DESTDIR)\)*/usr/share,$out/share,g"
-
-    # Fix sepolicy install
-    sed -i "s,\(setup.py install\).*,\1 --prefix=$out,g" sepolicy/Makefile
-
-    # Fix setuid install
-    sed -i 's|-m 4755|-m 755|' sandbox/Makefile
+    substituteInPlace po/Makefile \
+       --replace /usr/bin/install install --replace /usr/share /share
+    substituteInPlace newrole/Makefile --replace /usr/share /share
   '';
 
-  nativeBuildInputs = [ pythonPackages.python gettext ];
-  buildInputs = [ setools libsepol libselinux libcap_ng libsemanage ];
-  pythonPath = [ libselinux sepolgen ];
+  nativeBuildInputs = [ gettext ];
+  buildInputs = [ libsepol libselinux libsemanage ];
 
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions")
+    makeFlagsArray+=("LOCALEDIR=$out/share/locale")
+    makeFlagsArray+=("MAN5DIR=$out/share/man/man5")
   '';
 
-  # Creation of the system-config-selinux directory is broken
-  preInstall = ''
-    mkdir -p $out/share/system-config-selinux
-  '';
-
-  # Fix the python scripts to include paths to libraries
-  # NOTE: We are not using wrapPythonPrograms or makeWrapper as these scripts
-  # purge the environment as a security measure
-  postInstall = ''
-    grep -r '#!.*python' $out/bin | awk -F: '{print $1}' | xargs sed -i "1a \
-    import sys; \
-    sys.path.append('$(toPythonPath "$out")'); \
-    ${stdenv.lib.flip stdenv.lib.concatMapStrings pythonPath (lib: ''
-      sys.path.append('$(toPythonPath "${lib}")'); \
-    '')}"
-  '';
-
-  NIX_CFLAGS_COMPILE = "-fstack-protector-all";
-
   meta = with stdenv.lib; {
     description = "SELinux policy core utilities";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch b/pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch
deleted file mode 100644
index 6ab2d6dccc7..00000000000
--- a/pkgs/os-specific/linux/policycoreutils/fix-printf-type.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -Nru policycoreutils-2.4/setfiles/restore.c policycoreutils-2.4.new/setfiles/restore.c
---- policycoreutils-2.4/setfiles/restore.c	2015-02-02 09:38:10.000000000 -0500
-+++ policycoreutils-2.4.new/setfiles/restore.c	2015-08-29 20:44:13.693023222 -0400
-@@ -118,7 +118,7 @@
- 		r_opts->count++;
- 		if (r_opts->count % STAR_COUNT == 0) {
- 			if (r_opts->progress == 1) {
--				fprintf(stdout, "\r%luk", (size_t) r_opts->count / STAR_COUNT );
-+				fprintf(stdout, "\r%zuk", (size_t) r_opts->count / STAR_COUNT );
- 			} else {
- 				if (r_opts->nfile > 0) {
- 					progress = (r_opts->count < r_opts->nfile) ? (100.0 * r_opts->count / r_opts->nfile) : 100;
diff --git a/pkgs/os-specific/linux/selinux-python/default.nix b/pkgs/os-specific/linux/selinux-python/default.nix
new file mode 100644
index 00000000000..8ac207d6421
--- /dev/null
+++ b/pkgs/os-specific/linux/selinux-python/default.nix
@@ -0,0 +1,49 @@
+{ stdenv, fetchurl, python3
+, libselinux, libsemanage, libsepol, setools }:
+
+# this is python3 only because setools only supports python3
+
+with stdenv.lib;
+with python3.pkgs;
+
+stdenv.mkDerivation rec {
+  name = "selinux-python-${version}";
+  version = "2.7";
+  se_release = "20170804";
+  se_url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases";
+
+  src = fetchurl {
+    url = "${se_url}/${se_release}/selinux-python-${version}.tar.gz";
+    sha256 = "1va0y4b7cah7rprh04b3ylmwqgnivpkw5z2zw68nrafdbsbcn5s2";
+  };
+
+  nativeBuildInputs = [ wrapPython ];
+  buildInputs = [ libsepol python3 ];
+  propagatedBuildInputs = [ libselinux libsemanage setools ipy ];
+
+  postPatch = ''
+    substituteInPlace sepolicy/Makefile --replace "echo --root" "echo --prefix"
+  '';
+
+  preBuild = ''
+    makeFlagsArray+=("PREFIX=$out")
+    makeFlagsArray+=("DESTDIR=$out")
+    makeFlagsArray+=("LOCALEDIR=$out/share/locale")
+    makeFlagsArray+=("LIBSEPOLA=${libsepol}/lib/libsepol.a")
+    makeFlagsArray+=("BASHCOMPLETIONDIR=$out/share/bash-completion/completions")
+    makeFlagsArray+=("PYTHON=${python3}/bin/python")
+    makeFlagsArray+=("PYTHONLIBDIR=lib/${python3.libPrefix}/site-packages")
+  '';
+
+  postFixup = ''
+    wrapPythonPrograms
+  '';
+
+  meta = {
+    description = "SELinux policy core utilities written in Python";
+    license = licenses.gpl2;
+    homepage = https://selinuxproject.org;
+    platforms = platforms.linux;
+  };
+}
+
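Review bot: The postPatch substitution of `echo --root` with `echo --prefix` in sepolicy/Makefile is unexplained, and it is exactly the kind of line a future updater will drop as noise; a comment such as `# sepolicy's Makefile invokes setup.py install with --root; presumably --prefix is needed so files land under $out — confirm on update` would preserve the intent. The file also ends with a trailing blank line, which nixpkgs files normally omit.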
diff --git a/pkgs/os-specific/linux/selinux-sandbox/default.nix b/pkgs/os-specific/linux/selinux-sandbox/default.nix
new file mode 100644
index 00000000000..71d2ee6e80a
--- /dev/null
+++ b/pkgs/os-specific/linux/selinux-sandbox/default.nix
@@ -0,0 +1,61 @@
+{ stdenv, fetchurl, bash, coreutils, python3
+, libcap_ng, policycoreutils, selinux-python, dbus
+, xorgserver, openbox, xmodmap }:
+
+# this is python3 only as it depends on selinux-python
+
+with stdenv.lib; 
+with python3.pkgs;
+
+stdenv.mkDerivation rec {
+  name = "selinux-sandbox-${version}";
+  version = "2.7";
+  se_release = "20170804";
+
+  src = fetchurl {
+    url = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${se_release}/selinux-sandbox-${version}.tar.gz";
+    sha256 = "0hf5chm90iapb42njaps6p5460ys3ajh5446ja544vdbh01n544l";
+  };
+
+  nativeBuildInputs = [ wrapPython ];
+  buildInputs = [ bash coreutils libcap_ng policycoreutils python3 xorgserver openbox xmodmap dbus ];
+  propagatedBuildInputs = [ pygobject3 selinux-python ];
+
+  postPatch = ''
+    # Fix setuid install
+    substituteInPlace Makefile --replace "-m 4755" "-m 755"
+    substituteInPlace sandboxX.sh \
+      --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+      --replace "/usr/share/sandbox/start" "${placeholder "out"}/share/sandbox/start" \
+      --replace "/usr/bin/cut" "${coreutils}/bin/cut" \
+      --replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xepyhr" \
+      --replace "secon" "${policycoreutils}/bin/secon"
+    substituteInPlace sandbox \
+      --replace "/usr/sbin/seunshare" "$out/bin/seunshare" \
+      --replace "/usr/share/sandbox" "$out/share/sandbox" \
+      --replace "/usr/share/locale" "${policycoreutils}/share/locale" \
+      --replace "/usr/bin/openbox" "${openbox}/bin/openbox" \
+      --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+      --replace "dbus-" "${dbus}/bin/dbus-" \
+      --replace "/usr/bin/xmodmap" "${xmodmap}/bin/xmodmap" \
+      --replace "/usr/bin/shred" "${coreutils}/bin/shred" \
+      --replace "/usr/bin/test" "${coreutils}/bin/test" \
+  '';
+
+  preBuild = ''
+    makeFlagsArray+=("PREFIX=$out")
+    makeFlagsArray+=("DESTDIR=$out")
+  '';
+
+  postFixup = ''
+    wrapPythonPrograms
+  '';
+
+  meta = {
+    description = "SELinux sandbox utility";
+    license = licenses.gpl2;
+    homepage = https://selinuxproject.org;
+    platforms = platforms.linux;
+  };
+}
+
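Review bot: The Xephyr substitution writes `${xorgserver}/bin/Xepyhr` — the binary is `Xephyr`, so the patched sandboxX.sh will fail at runtime with a nonexistent command; the line should read `--replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xephyr" \`. The `--replace "secon" "${policycoreutils}/bin/secon"` line matches the bare string `secon` anywhere in the file, which may rewrite more than the command invocation; anchoring on a longer pattern such as the full invocation would be safer. Finally, `# Fix setuid install` does not say how seunshare is meant to gain privileges once installed mode 755; a sentence noting that the system configuration must provide the setuid wrapper (and that the sandbox is non-functional without it) would help the next reader.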
diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix
index 8262c03e1e5..9cb5785ca98 100644
--- a/pkgs/os-specific/linux/setools/default.nix
+++ b/pkgs/os-specific/linux/setools/default.nix
@@ -1,35 +1,42 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, bison, flex
-, python, swig2, tcl, libsepol, libselinux, libxml2, sqlite, bzip2 }:
+{ stdenv, fetchFromGitHub, bison, flex, python3 , swig
+, libsepol, libselinux, checkpolicy
+, withGraphics ? false
+}:
 
-stdenv.mkDerivation rec {
-  name = "setools-2015-02-12";
+with stdenv.lib;
+with python3.pkgs;
+
+buildPythonApplication rec {
+  pname = "setools";
+  version = "2017-11-10";
 
   src = fetchFromGitHub {
     owner = "TresysTechnology";
-    repo = "setools3";
-    rev = "f1e5b208d507171968ca4d2eeefd7980f1004a3c";
-    sha256 = "02gzy2kpszhr13f0d9qfiwh2hj4201g2x366j53v5n5qz481aykd";
+    repo = pname;
+    rev = "a1aa0f33f5c428d3f9fe82960ed5de36f38047f7";
+    sha256 = "0iyj35fff93cprjkzbkg9dn5xz8dg5h2kjx3476fl625nxxskndn";
   };
 
-  configureFlags = [
-    "--disable-gui"
-    "--with-sepol-devel=${libsepol}"
-    "--with-selinux-devel=${libselinux}"
-    "--with-tcl=${tcl}/lib"
-  ];
+  nativeBuildInputs = [ bison flex ];
+  buildInputs = [ libsepol swig ];
+  propagatedBuildInputs = [ enum34 libselinux networkx ]
+    ++ optionals withGraphics [ pyqt5 ];
 
-  hardeningDisable = [ "format" ];
+  checkInputs = [ tox checkpolicy ];
+  preCheck = ''
+    export CHECKPOLICY=${checkpolicy}/bin/checkpolicy
+  '';
 
-  NIX_CFLAGS_COMPILE = "-fstack-protector-all";
-  NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib";
+  setupPyBuildFlags = [ "-i" ];
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig python swig2 bison flex ];
-  buildInputs = [ tcl libxml2 sqlite bzip2 ];
+  preBuild = ''
+    export SEPOL="${libsepol}/lib/libsepol.a"
+  '';
 
   meta = {
     description = "SELinux Tools";
-    homepage = http://oss.tresys.com/projects/setools/;
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    homepage = https://github.com/TresysTechnology/setools/wiki;
+    license = licenses.gpl2;
+    platforms = platforms.linux;
   };
 }
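Review bot: `enum34` in propagatedBuildInputs is the backport of the standard-library `enum` module for Python < 3.4; on `python3` it is redundant and, since it installs a top-level `enum` package, can shadow the stdlib module for every consumer that inherits setools' propagated inputs. Dropping it, `propagatedBuildInputs = [ libselinux networkx ] ++ optionals withGraphics [ pyqt5 ];`, avoids that. Minor: `python3 , swig` in the argument list has a stray space before the comma.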
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index d815203f845..43eb8331730 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -10,6 +10,7 @@
 , getent
 , hostPlatform
 , buildPackages
+, withSelinux ? false, libselinux
 }:
 
 assert stdenv.isLinux;
@@ -42,11 +43,14 @@ in stdenv.mkDerivation rec {
   buildInputs =
     [ linuxHeaders libcap kmod xz pam acl
       /* cryptsetup */ libuuid glib libgcrypt libgpgerror libidn2
-      libmicrohttpd kexectools libseccomp libffi audit lz4 bzip2 libapparmor
+      libmicrohttpd ] ++
+      stdenv.lib.meta.enableIfAvailable kexectools ++
+      stdenv.lib.meta.enableIfAvailable libseccomp ++
+    [ libffi audit lz4 bzip2 libapparmor
       iptables gnu-efi
       # This is actually native, but we already pull it from buildPackages
       pythonLxmlEnv
-    ];
+    ] ++ stdenv.lib.optionals withSelinux [ libselinux ];
 
   #dontAddPrefix = true;