On Thu, 2009-02-26 at 15:22 +0900, KaiGai Kohei wrote:
> Hi,
>
> I tried to implement a libselinux wrapper for PHP script language
> several months ago.
>
> Now, I have a plan to propose the facility into official extensions
> of PHP community, called as PECL (PHP Extension Community Library),
> and Fedora project.
>
> Before that, I would like folks to check the list of supported APIs.
>
> * The list of APIs : PHP/SELinux binding
>   http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux

Sorry for not looking at this previously. Userspace folks, please take a
look before we are locked into an API for PHP scripts.

I have no knowledge of PHP, so with that in mind:

I take it that php doesn't namespace the functions by module name,
unlike python? And thus you felt the need to change the names of the
functions to use a selinux_ prefix?

selinux_is_enabled() aka is_selinux_enabled() can also return < 0 if
there is an error when trying to determine whether SELinux is in fact
enabled. So it either needs an int return value or you could have your
php wrapper test for that case internally and return false. Most C code
is using is_selinux_enabled() > 0 as the test for selinux-enabled.

selinux_getcon() says that it returns false on error. So false is a
legal string value in PHP? And you don't mean the string "false", I
presume? So it can be used in a conditional with the expected effect?

selinux_getpidcon() takes an int pid in your interface vs pid_t in
libselinux. Is there no type defined for process identifiers in PHP?

security classes can be unsigned integers or their own type. access
vectors can be unsigned integers, bitfields, or their own type. Or we
could only deal with security classes and access vectors as strings and
lists of strings respectively for PHP, and map them back and forth to
integers within the wrappers.

matchpathcon is being deprecated in favor of the selabel* interfaces.
> NOTE:
> - All the "_raw" interfaces are omitted, because we can translate
>   a human readable format into a system one later using
>   string selinux_trans_to_raw_context(string $context).
> - All the AVC related interfaces are omitted, because I didn't
>   assume PHP script works as a userspace object manager.
>
> * Step to build and installation
>   % svn checkout http://sepgsql.googlecode.com/svn/misc/php-selinux
>   % cd php-selinux
>   % ./build-php-selinux.sh
>       :
>   Wrote: /home/kaigai/RPMS/SRPMS/php-selinux-0.1626-beta.fc10.src.rpm
>   Wrote: /home/kaigai/RPMS/RPMS/i386/php-selinux-0.1626-beta.fc10.i386.rpm
>       :
>   % su
>   # rpm -Uvh /path/to/package/php-selinux-0.1626-beta.fc10.i386.rpm
>
> NOTE:
> - It requires "php-devel" and "libselinux-devel" are installed
>   prior to ./build-php-selinux.sh
> - It requires "rpmbuild" works correctly. Please confirm your
>   ~/.rpmmacros, if the script does not work correctly.
>
> * Example:
>   % rpm -q php-selinux
>   php-selinux-0.1626-beta.fc10.i386
>   % php -r 'echo selinux_getcon()."\n";'
>   unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemMiddle
>   % php -r 'echo selinux_getfilecon("/etc/shadow")."\n";'
>   system_u:object_r:shadow_t
>   % php -r '$tclass = selinux_string_to_class("file");
>             $avd = selinux_compute_av("staff_u:staff_r:staff_t:s0",
>                                       "system_u:object_r:etc_t:s0",
>                                       $tclass);
>             var_dump($avd);'
>   array(5) {
>     ["allowed"]=>
>     int(139347)
>     ["decided"]=>
>     int(-1)
>     ["auditallow"]=>
>     int(0)
>     ["auditdeny"]=>
>     int(-17)
>     ["seqno"]=>
>     int(41)
>   }
>
> Thanks,

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
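The reply above suggests that the PHP binding could present security classes and access vectors as strings and lists of strings, with the wrapper mapping them to integers internally, instead of handing raw bitfields such as the `int(139347)` in the var_dump output to scripts. The following is an added example of that mapping layer written as plain C, the language the wrapper glue would be written in. It is not code from the thread, from php-selinux, or from libselinux. It assumes the classic fixed bit ordering of the "file" class permissions (ioctl = bit 0, read = bit 1, and so on), hard-coded here as a constructed table only so the example runs without a policy; a real wrapper must take the names from the loaded policy (libselinux's string_to_av_perm() and security_av_perm_to_string() do this) rather than hard-code them. The functions names_to_av, av_to_names and missing_perms are hypothetical helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same width as libselinux's access_vector_t: one bit per permission. */
typedef uint32_t access_vector_t;

/* Permission names of the "file" class in the classic fixed ordering.
 * Constructed for this example; production code must obtain the mapping
 * from the running policy instead of a compile-time table. */
static const char *const file_perms[] = {
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
    "execute", "swapon", "quotaon", "mounton", "execute_no_trans",
    "entrypoint", "execmod", "open",
};
#define FILE_NPERMS (sizeof file_perms / sizeof file_perms[0])

/* Bit for one permission name, or 0 if the name is unknown. */
static access_vector_t perm_bit(const char *name)
{
    for (size_t i = 0; i < FILE_NPERMS; i++)
        if (strcmp(file_perms[i], name) == 0)
            return (access_vector_t)1 << i;
    return 0;
}

/* Encode a list of permission names (what a PHP script would pass) into
 * the bitfield the C API wants. Returns 0 on success. On an unknown name
 * it returns -1, reports the name through *bad and leaves *out untouched,
 * so a caller can never proceed with a silently truncated vector. */
int names_to_av(const char *const *names, size_t n,
                access_vector_t *out, const char **bad)
{
    access_vector_t av = 0;
    for (size_t i = 0; i < n; i++) {
        access_vector_t bit = perm_bit(names[i]);
        if (bit == 0) {
            if (bad)
                *bad = names[i];
            return -1;
        }
        av |= bit;
    }
    *out = av;
    return 0;
}

/* Decode a bitfield (e.g. the "allowed" member of a compute_av result)
 * into permission names stored in names[0..max-1]. Returns the number of
 * names, or -1 if av carries a bit the table does not define (the policy
 * knows more permissions than we do) or if the output array is too small. */
int av_to_names(access_vector_t av, const char **names, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < 32; i++) {
        if (!(av & ((access_vector_t)1 << i)))
            continue;
        if (i >= FILE_NPERMS || count >= max)
            return -1;
        names[count++] = file_perms[i];
    }
    return (int)count;
}

/* Compare the requested permissions against an "allowed" vector and list
 * the ones that are not granted. Returns the number of missing
 * permissions (0 means every request is permitted), or -1 if a requested
 * name is unknown, which is treated as a denial rather than ignored. */
int missing_perms(access_vector_t allowed, const char *const *want, size_t n,
                  const char **missing, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        access_vector_t bit = perm_bit(want[i]);
        if (bit == 0)
            return -1;
        if (!(allowed & bit)) {
            if (count < max)
                missing[count] = want[i];
            count++;
        }
    }
    return (int)count;
}

int main(void)
{
    /* 139347 is the "allowed" value from the var_dump output in the
     * message above (staff_t -> etc_t : file). */
    const char *names[32];
    int n = av_to_names(139347, names, 32);
    for (int i = 0; i < n; i++)
        printf("%s%s", i ? " " : "", names[i]);
    printf("\n");
    return 0;
}
```

Decoding the message's own value with this table gives `ioctl read getattr lock execute execute_no_trans`, which is the usual read-and-execute set a confined user domain gets on etc_t files; the unknown-name and unknown-bit cases return an error instead of a partial answer, which matters for the same reason the reply gives for is_selinux_enabled(): a wrapper that collapses an error into a plausible-looking value invites scripts to make access decisions on garbage.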