diff --git a/pkgs/os-specific/linux/checkpolicy/default.nix b/pkgs/os-specific/linux/checkpolicy/default.nix
index d4ae82528f18..9fbed50f3b9a 100644
--- a/pkgs/os-specific/linux/checkpolicy/default.nix
+++ b/pkgs/os-specific/linux/checkpolicy/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ bison flex ];
   buildInputs = [ libsepol ];
 
+  NIX_CFLAGS_COMPILE = "-fstack-protector-all";
+
   # Don't build tests
   postPatch = ''
     sed -i '/-C test/d' Makefile
diff --git a/pkgs/os-specific/linux/libselinux/default.nix b/pkgs/os-specific/linux/libselinux/default.nix
index 69e5fa856e36..d3279780c7cd 100644
--- a/pkgs/os-specific/linux/libselinux/default.nix
+++ b/pkgs/os-specific/linux/libselinux/default.nix
@@ -19,12 +19,12 @@ stdenv.mkDerivation rec {
   buildInputs = [ pkgconfig libsepol pcre ]
              ++ optionals enablePython [ swig python ];
 
+  NIX_CFLAGS_COMPILE = "-fstack-protector-all -std=gnu89";
+
   postPatch = optionalString enablePython ''
     sed -i -e 's|\$(LIBDIR)/libsepol.a|${libsepol}/lib/libsepol.a|' src/Makefile
   '';
 
-  NIX_CFLAGS_COMPILE = "-std=gnu89";
-
   preBuild = ''
     # Build fails without this precreated
     mkdir -p $out/include
diff --git a/pkgs/os-specific/linux/libsemanage/default.nix b/pkgs/os-specific/linux/libsemanage/default.nix
index fd94fc6b094c..c60d96bba784 100644
--- a/pkgs/os-specific/linux/libsemanage/default.nix
+++ b/pkgs/os-specific/linux/libsemanage/default.nix
@@ -13,13 +13,13 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ bison flex ];
   buildInputs = [ libsepol libselinux ustr bzip2 libaudit ];
 
+  NIX_CFLAGS_COMPILE = "-fstack-protector-all -std=gnu89";
+
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")
   '';
 
-  NIX_CFLAGS_COMPILE = "-fstack-protector-all -std=gnu89";
-
   meta = libsepol.meta // {
     description = "Policy management tools for SELinux";
     license = stdenv.lib.licenses.lgpl21;
diff --git a/pkgs/os-specific/linux/libsepol/default.nix b/pkgs/os-specific/linux/libsepol/default.nix
index 0417bf59cfa3..ecbb2a0ec464 100644
--- a/pkgs/os-specific/linux/libsepol/default.nix
+++ b/pkgs/os-specific/linux/libsepol/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ flex ];
 
+  NIX_CFLAGS_COMPILE = "-fstack-protector-all";
+
   preBuild = ''
     makeFlagsArray+=("PREFIX=$out")
     makeFlagsArray+=("DESTDIR=$out")