Re: PHP/SELinux: libselinux wrappers

Hi,

I tried to implement a libselinux wrapper for the PHP scripting language
several months ago.

Now, I have a plan to propose the facility for the official extensions
of the PHP community, called PECL (PHP Extension Community Library),
and for the Fedora project.

Before that, I would like folks to check the list of supported APIs.

* The list of APIs : PHP/SELinux binding
  http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux

  NOTE:
   - All the "_raw" interfaces are omitted, because we can translate
     a human readable format into a system one later using
       string selinux_trans_to_raw_context(string $context).
   - All the AVC related interfaces are omitted, because I didn't
     assume that a PHP script works as a userspace object manager.

* Steps to build and install
  % svn checkout http://sepgsql.googlecode.com/svn/misc/php-selinux
  % cd php-selinux
  % ./build-php-selinux.sh
         :
  Wrote: /home/kaigai/RPMS/SRPMS/php-selinux-0.1626-beta.fc10.src.rpm
  Wrote: /home/kaigai/RPMS/RPMS/i386/php-selinux-0.1626-beta.fc10.i386.rpm
         :
  % su
  # rpm -Uvh /path/to/package/php-selinux-0.1626-beta.fc10.i386.rpm

  NOTE:
   - It requires "php-devel" and "libselinux-devel" to be installed
     prior to running ./build-php-selinux.sh
   - It requires "rpmbuild" to work correctly. Please check your
     ~/.rpmmacros if the script does not work correctly.

* Example:
  % rpm -q php-selinux
  php-selinux-0.1626-beta.fc10.i386
  % php -r 'echo selinux_getcon()."\n";'
  unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemMiddle
  % php -r 'echo selinux_getfilecon("/etc/shadow")."\n";'
  system_u:object_r:shadow_t
  % php -r '$tclass = selinux_string_to_class("file");
            $avd = selinux_compute_av("staff_u:staff_r:staff_t:s0",
                                      "system_u:object_r:etc_t:s0",
                                      $tclass);
            var_dump($avd);'
  array(5) {
    ["allowed"]=>
    int(139347)
    ["decided"]=>
    int(-1)
    ["auditallow"]=>
    int(0)
    ["auditdeny"]=>
    int(-17)
    ["seqno"]=>
    int(41)
  }

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
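
The access vector decision printed in the message above is a set of bitmasks. The following is an added example, not part of the original message or of the php-selinux code, that decodes it into permission names. The helper names and the bit order of the "file" class (the classic static flask layout) are assumptions; a loaded policy can define a different order.

```php
<?php
// Sample input: the array printed by selinux_compute_av() in the message above,
// re-typed here so the script runs without the extension.
$avd = [
    'allowed' => 139347, 'decided' => -1, 'auditallow' => 0,
    'auditdeny' => -17, 'seqno' => 41,
];

// ASSUMPTION: bit order of the "file" class in the classic static flask
// layout (bit 0 = ioctl). Check the loaded policy before relying on it.
const FILE_PERMS = [
    'ioctl', 'read', 'write', 'create', 'getattr', 'setattr', 'lock',
    'relabelfrom', 'relabelto', 'append', 'unlink', 'link', 'rename',
    'execute', 'swapon', 'quotaon', 'mounton',
    'execute_no_trans', 'entrypoint', 'execmod', 'open',
];

// Hypothetical helper: names of the permissions whose bit is set in $vector.
// Bits are tested one by one, so sign-extended values such as -1 or -17
// decode the same way on 32-bit and 64-bit PHP builds.
function av_to_names(int $vector, array $perms): array
{
    $names = [];
    foreach ($perms as $bit => $name) {
        if (($vector >> $bit) & 1) {
            $names[] = $name;
        }
    }
    return $names;
}

// Hypothetical helper: split one decision into readable sets.
function describe_avd(array $avd, array $perms): array
{
    $decided = av_to_names($avd['decided'], $perms);
    $allowed = array_intersect(av_to_names($avd['allowed'], $perms), $decided);
    $logged  = av_to_names($avd['auditdeny'], $perms);
    return [
        'allowed'       => array_values($allowed),
        // denied and audited: decided, not allowed, auditdeny bit set
        'denied_logged' => array_values(array_diff($decided, $allowed, array_diff($perms, $logged))),
        // auditdeny bit clear: a denial of these would not be audited
        'dontaudit'     => array_values(array_diff($perms, $logged)),
    ];
}

foreach (describe_avd($avd, FILE_PERMS) as $label => $names) {
    echo str_pad($label, 14), implode(' ', $names), "\n";
}
```

Masking with 0xFFFFFFFF is avoided on purpose: on an i386 build like the one in the message that literal does not fit in a PHP integer.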