Stephen Smalley wrote:
> On Thu, 2009-02-26 at 15:22 +0900, KaiGai Kohei wrote:
>> Hi,
>>
>> I tried to implement a libselinux wrapper for the PHP script language
>> several months ago.
>>
>> Now, I have a plan to propose the facility into the official extensions
>> of the PHP community, called PECL (PHP Extension Community Library),
>> and the Fedora project.
>>
>> Before that, I would like folks to check the list of supported APIs.
>>
>> * The list of APIs : PHP/SELinux binding
>>   http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux
>
> Sorry for not looking at this previously. Userspace folks, please take
> a look before we are locked into an API for PHP scripts.
>
> I have no knowledge of PHP, so with that in mind:
>
> I take it that php doesn't namespace the functions by module name,
> unlike python? And thus you felt the need to change the names of the
> functions to use a selinux_ prefix?

This article recommends that all function names be prefixed by the module name.

* PHP Extension Writing
  http://talks.somabo.de/#20071012
  http://talks.somabo.de/200710_extension_writing.pdf
  - Please see page 27 (PHP Functions).

> selinux_is_enabled() aka is_selinux_enabled() can also return < 0 if
> there is an error when trying to determine whether SELinux is in fact
> enabled. So it either needs an int return value or you could have your
> php wrapper test for that case internally and return false. Most C code
> is using is_selinux_enabled() > 0 as the test for selinux-enabled.

Oops, the current implementation can return 'true' on an error state.
I'll fix it.

> selinux_getcon() says that it returns false on error. So false is a
> legal string value in PHP? And you don't mean the string "false", I
> presume? So it can be used in a conditional with the expected effect?

I believe we can discriminate between a legal string value and a bool one.
This function is available to check which one is returned.
  http://jp.php.net/manual/en/function.is-string.php

However, it is necessary to note that "false" is cast to an empty string
when we compare them without special care, like:

  $ php -r 'if ("" == false) echo "hello!\n";'
  hello!

I'll confirm with the PHP developers whether we can consider "false" to be
an error condition on functions which return a string, or not.

> selinux_getpidcon() takes an int pid in your interface vs pid_t in
> libselinux. Is there no type defined for process identifiers in PHP?

PHP does not have a special-purpose type. It seems to me they don't care
about it.
  http://jp.php.net/manual/en/function.posix-getpid.php
  http://jp.php.net/manual/en/function.posix-kill.php

> security classes can be unsigned integers or their own type.
> access vectors can be unsigned integers, bitfields, or their own type.
> Or we could only deal with security classes and access vectors as
> strings and lists of strings respectively for PHP, and map them back and
> forth to integers within the wrappers.

I think it is a good idea. You are suggesting an interface like this, aren't you?

  selinux_compute_av("staff_t:staff_r:staff_t",
                     "system_u:object_r:shadow_t", "file");

It returns an associative array which contains three subarrays named
"allowed", "auditallow" and "auditdeny".

> matchpathcon is being deprecated in favor of the selabel* interfaces.

OK, I'll consider rewriting it using these interfaces.

Thanks,

>> NOTE:
>> - All the "_raw" interfaces are omitted, because we can translate
>>   a human readable format into a system one later using
>>   string selinux_trans_to_raw_context(string $context).
>> - All the AVC related interfaces are omitted, because I didn't
>>   assume PHP script works as a userspace object manager.
>>
>> * Steps to build and install
>>   % svn checkout http://sepgsql.googlecode.com/svn/misc/php-selinux
>>   % cd php-selinux
>>   % ./build-php-selinux.sh
>>     :
>>   Wrote: /home/kaigai/RPMS/SRPMS/php-selinux-0.1626-beta.fc10.src.rpm
>>   Wrote: /home/kaigai/RPMS/RPMS/i386/php-selinux-0.1626-beta.fc10.i386.rpm
>>     :
>>   % su
>>   # rpm -Uvh /path/to/package/php-selinux-0.1626-beta.fc10.i386.rpm
>>
>> NOTE:
>> - It requires that "php-devel" and "libselinux-devel" are installed
>>   prior to ./build-php-selinux.sh
>> - It requires that "rpmbuild" works correctly. Please confirm your
>>   ~/.rpmmacros if the script does not work correctly.
>>
>> * Example:
>>   % rpm -q php-selinux
>>   php-selinux-0.1626-beta.fc10.i386
>>   % php -r 'echo selinux_getcon()."\n";'
>>   unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemMiddle
>>   % php -r 'echo selinux_getfilecon("/etc/shadow")."\n";'
>>   system_u:object_r:shadow_t
>>   % php -r '$tclass = selinux_string_to_class("file");
>>             $avd = selinux_compute_av("staff_u:staff_r:staff_t:s0",
>>                                       "system_u:object_r:etc_t:s0",
>>                                       $tclass);
>>             var_dump($avd);'
>>   array(5) {
>>     ["allowed"]=>
>>     int(139347)
>>     ["decided"]=>
>>     int(-1)
>>     ["auditallow"]=>
>>     int(0)
>>     ["auditdeny"]=>
>>     int(-17)
>>     ["seqno"]=>
>>     int(41)
>>   }
>>
>> Thanks,

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

-- 
This message was distributed to subscribers of the selinux mailing list.
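As an added example (not code from the thread or from the php-selinux extension), the two return-value pitfalls discussed above: PHP's loose `== false` comparison swallowing legitimate string values, and the tri-state "enabled" check. It assumes only the wrapper function names listed in the thread (`selinux_is_enabled()`, `selinux_getfilecon()`); the helper names are hypothetical.

```php
<?php
// Added example; assumes the php-selinux wrapper functions named in the
// thread are loaded. Helper names below are hypothetical.

// Shows why "== false" cannot detect the wrapper's error return: PHP's
// loose comparison also treats "" and "0" as false. Only === (or
// is_string()) tells an error apart from a string result.
function loose_vs_strict(): array {
    $rows = [];
    foreach (["", "0", "system_u:object_r:shadow_t", false] as $v) {
        $rows[] = [
            'value'  => var_export($v, true),
            'loose'  => ($v == false),   // true for "", "0" and false
            'strict' => ($v === false),  // true only for the real false
        ];
    }
    return $rows;
}

// Accepts either design discussed in the thread: a bool wrapper that
// returns false on error, or an int mirroring is_selinux_enabled(),
// where only > 0 means enabled (negative values are errors).
function selinux_really_enabled(): bool {
    $r = selinux_is_enabled();
    return $r === true || (is_int($r) && $r > 0);
}

// Wraps a string-or-false call so an error can never be mistaken for a
// (possibly empty) context string.
function require_context(callable $fn, string $what): string {
    $ctx = $fn();
    if (!is_string($ctx)) {
        throw new RuntimeException("$what failed");
    }
    return $ctx;
}

// Fails closed: returns true only if SELinux is confirmed enabled and the
// file's type field (user:role:type[:range]) matches what is expected.
function file_has_type(string $path, string $expectedType): bool {
    if (!selinux_really_enabled()) {
        return false;
    }
    $ctx = require_context(function () use ($path) {
        return selinux_getfilecon($path);
    }, "selinux_getfilecon($path)");
    $parts = explode(':', $ctx);
    return count($parts) >= 3 && $parts[2] === $expectedType;
}
```

Running `loose_vs_strict()` shows `loose` true for three of the four values and `strict` true only for the real `false`, which is the distinction a caller of `selinux_getcon()` or `selinux_getfilecon()` needs.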