Stephen Smalley wrote:
> On Thu, 2009-02-26 at 15:22 +0900, KaiGai Kohei wrote:
>> Hi,
>>
>> I tried to implement a libselinux wrapper for PHP script language
>> several months ago.
>>
>> Now, I have a plan to propose the facility into official extensions
>> of PHP community, called PECL (PHP Extension Community Library),
>> and Fedora project.
>>
>> Before that, I would like folks to check the list of supported APIs.
>>
>> * The list of APIs : PHP/SELinux binding
>> http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux
>
> Sorry for not looking at this previously. Userspace folks, please take
> a look before we are locked into an API for PHP scripts.
>
> I have no knowledge of PHP, so with that in mind:
>
> I take it that php doesn't namespace the functions by module name,
> unlike python? And thus you felt the need to change the names of the
> functions to use a selinux_ prefix?
>
> selinux_is_enabled() aka is_selinux_enabled() can also return < 0 if
> there is an error when trying to determine whether SELinux is in fact
> enabled. So it either needs an int return value or you could have your
> php wrapper test for that case internally and return false. Most C code
> is using is_selinux_enabled() > 0 as the test for selinux-enabled.
>
> selinux_getcon() says that it returns false on error. So false is a
> legal string value in PHP? And you don't mean the string "false", I
> presume? So it can be used in a conditional with the expected effect?
>
> selinux_getpidcon() takes an int pid in your interface vs pid_t in
> libselinux. Is there no type defined for process identifiers in PHP?
>
> security classes can be unsigned integers or their own type.
> access vectors can be unsigned integers, bitfields, or their own type.
> Or we could only deal with security classes and access vectors as
> strings and lists of strings respectively for PHP, and map them back and
> forth to integers within the wrappers.
>
> matchpathcon is being deprecated in favor of the selabel* interfaces.
>
>> NOTE:
>> - All the "_raw" interfaces are omitted, because we can translate
>> a human readable format into a system one later using
>> string selinux_trans_to_raw_context(string $context).
>> - All the AVC related interfaces are omitted, because I didn't
>> assume PHP script works as a userspace object manager.
>>
>> * Step to build and installation
>> % svn checkout http://sepgsql.googlecode.com/svn/misc/php-selinux
>> % cd php-selinux
>> % ./build-php-selinux.sh
>> :
>> Wrote: /home/kaigai/RPMS/SRPMS/php-selinux-0.1626-beta.fc10.src.rpm
>> Wrote: /home/kaigai/RPMS/RPMS/i386/php-selinux-0.1626-beta.fc10.i386.rpm
>> :
>> % su
>> # rpm -Uvh /path/to/package/php-selinux-0.1626-beta.fc10.i386.rpm
>>
>> NOTE:
>> - It requires that "php-devel" and "libselinux-devel" are installed
>> prior to ./build-php-selinux.sh
>> - It requires that "rpmbuild" works correctly. Please confirm your
>> ~/.rpmmacros, if the script does not work correctly.
>>
>> * Example:
>> % rpm -q php-selinux
>> php-selinux-0.1626-beta.fc10.i386
>> % php -r 'echo selinux_getcon()."\n";'
>> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemMiddle
>> % php -r 'echo selinux_getfilecon("/etc/shadow")."\n";'
>> system_u:object_r:shadow_t
>> % php -r '$tclass = selinux_string_to_class("file");
>> $avd = selinux_compute_av("staff_u:staff_r:staff_t:s0",
>> "system_u:object_r:etc_t:s0",
>> $tclass);
>> var_dump($avd);'
>> array(5) {
>> ["allowed"]=>
>> int(139347)
>> ["decided"]=>
>> int(-1)
>> ["auditallow"]=>
>> int(0)
>> ["auditdeny"]=>
>> int(-17)
>> ["seqno"]=>
>> int(41)
>> }
>>
>> Thanks,

I would rather package this up as part of libselinux, perhaps libselinux-php, rather than make a new package.

I have had requests for a libsemanage-ruby if anyone wants to delve into it.
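The thread leaves open how a scripting-language wrapper should present access vectors: Stephen Smalley suggests handling classes and access vectors as strings and lists of strings and mapping them to integers inside the wrapper, while the quoted `selinux_compute_av()` output shows what happens when the raw C values are handed back as signed PHP ints (`int(-1)`, `int(-17)`). The following is an added example, not code from the thread or from the php-selinux project, written in Python (the other binding language the thread mentions) because it is self-contained and runnable offline. It decodes the quoted decision values into permission names and encodes them back. The permission bit order `FILE_PERMS_ASSUMED` is an assumption: it is the ordering commonly seen in the reference policy for the `file` class, but a real wrapper must take the order from the loaded policy rather than hard-code it.

```python
# Added example, not part of the thread or the php-selinux project.
#
# ASSUMPTION: this bit order for the "file" class is the one commonly found
# in the reference policy (17 common file permissions, then file-specific
# ones). Policies may differ; a real wrapper must read the order from the
# loaded policy instead of hard-coding it.
FILE_PERMS_ASSUMED = [
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
    "execute", "swapon", "quotaon", "mounton",           # common file perms
    "execute_no_trans", "entrypoint", "execmod", "open",  # file-specific
]

AV_MASK = 0xFFFFFFFF  # access_vector_t is a 32-bit unsigned integer


def to_unsigned(av: int) -> int:
    """PHP ints are signed, so a wrapper returning the raw C value can hand
    back int(-1) or int(-17); reinterpret such values as a 32-bit unsigned."""
    return av & AV_MASK


def av_to_perms(av: int, perm_table=FILE_PERMS_ASSUMED) -> list:
    """Decode an access vector into the list of permission names it grants."""
    av = to_unsigned(av)
    perms = [name for bit, name in enumerate(perm_table) if av & (1 << bit)]
    # Bits beyond the known table are reported rather than silently dropped,
    # so a stale permission table cannot hide a granted right.
    unknown = av & ~((1 << len(perm_table)) - 1) & AV_MASK
    if unknown:
        perms.append(f"<unknown:0x{unknown:08x}>")
    return perms


def perms_to_av(perms, perm_table=FILE_PERMS_ASSUMED) -> int:
    """Encode permission names back into an access vector.
    An unknown name raises ValueError instead of being ignored."""
    av = 0
    for p in perms:
        av |= 1 << perm_table.index(p)
    return av


def decode_av_decision(avd: dict) -> dict:
    """Translate the whole array returned by selinux_compute_av():
    every field except seqno is an access vector."""
    return {k: (v if k == "seqno" else av_to_perms(v)) for k, v in avd.items()}


if __name__ == "__main__":
    # Constructed dict holding the values quoted in the thread's php -r example.
    # allowed=139347 (0x22053) grants ioctl, read, getattr, lock, execute and
    # execute_no_trans under the assumed ordering; decided=-1 means every bit
    # was decided; auditdeny=-17 has only bit 4 clear, i.e. a denied getattr
    # would not be audited.
    avd = {"allowed": 139347, "decided": -1, "auditallow": 0,
           "auditdeny": -17, "seqno": 41}
    for field, value in decode_av_decision(avd).items():
        print(f"{field}: {value}")
```

Two points the decoded output makes that the raw ints do not: `decided` and `auditdeny` set bits above the known table, which is why the decoder reports an `<unknown:...>` remainder instead of discarding it, and a wrapper that round-trips through `perms_to_av()` rejects misspelled permission names instead of quietly granting nothing.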