Today, I updated the PHP/SELinux package as follows:
  http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux
  http://code.google.com/p/sepgsql/source/browse/misc/php-selinux/

- bugfix: selinux_is_enabled() and selinux_mls_is_enabled() returned TRUE on errors.
- cleanup: remove redundant length == 0 checks
- upgrade: selinux_compute_av(), selinux_compute_create(), selinux_compute_relabel()
  and selinux_compute_member() accept $tclass described in text form, such as "file".
- upgrade: selinux_compute_av() returns a set of associative arrays which contain
  true or false for each permission.
- The following functions are added:
  - selinux_file_label_lookup()
  - selinux_media_label_lookup()
  NOTE: Is the selinux_x_label_lookup() necessary?
- The following functions are removed:
  - selinux_string_to_class()
  - selinux_class_to_string()
  - selinux_string_to_av_perm()
  - selinux_av_perm_to_string()
  - selinux_av_string()
  - selinux_matchpathcon()
  - selinux_lsetfilecon_default()

TODO:
- Move them into the PECL repository. (http://pecl.php.net/)
- Make a request to merge this package into the Fedora project. (libselinux-php? php-selinux?)
- Describe the reference manual based on the PHP community's manner
  (http://jp.php.net/manual/en/index.php)

Thanks,

KaiGai Kohei wrote:
> KaiGai Kohei wrote:
>>> selinux_getcon() says that it returns false on error. So false is a
>>> legal string value in PHP? And you don't mean the string "false", I
>>> presume? So it can be used in a conditional with the expected effect?
>> I believe we can discriminate between a legal string value and a bool one.
>> This function is available to check which one is returned.
>> http://jp.php.net/manual/en/function.is-string.php
>>
>> However, it is necessary to note that "false" is cast to an empty string
>> when we compare them without special care, like:
>>
>> $ php -r 'if ("" == false)
>>             echo "hello!\n";'
>> hello!
>>
>> I'll confirm with the PHP developers whether we can consider "false" to be
>> an error condition on functions which return a string, or not.
>
> I was advised on the PHP list to use the "===" operator.
> It requires both the left and right sides to have the same type and value,
> so we can discriminate between legal strings (including the empty one)
> and error status.
>
> http://jp.php.net/manual/en/language.operators.comparison.php
>
>>> security classes can be unsigned integers or their own type.
>>> access vectors can be unsigned integers, bitfields, or their own type.
>>> Or we could only deal with security classes and access vectors as
>>> strings and lists of strings respectively for PHP, and map them back and
>>> forth to integers within the wrappers.
>> I think it is a good idea.
>>
>> You are saying such an interface, aren't you?
>>
>> selinux_compute_av("staff_t:staff_r:staff_t",
>>                    "system_u:object_r:shadow_t",
>>                    "file");
>> It returns an associative array which contains three subarrays
>> named "allowed", "auditallow", "auditdeny".
>
> I tried to implement the revised one.
>
> We can check its result like:
>   $avd = selinux_compute_av(...);
>   $allowed = $avd["allowed"];
>   if ($allowed["read"] && $allowed["getattr"])
>       echo "Readable!\n";
>
> ------
> $ php -r '$scontext = "staff_u:staff_r:staff_t";
>           $tcontext="system_u:object_r:etc_t";
>           $avd = selinux_compute_av($scontext, $tcontext, "file");
>           var_dump($avd["allowed"]);'
> array(21) {
>   ["ioctl"]=>
>   bool(true)
>   ["read"]=>
>   bool(true)
>   ["write"]=>
>   bool(false)
>   ["create"]=>
>   bool(false)
>   ["getattr"]=>
>   bool(true)
>   ["setattr"]=>
>   bool(false)
>   ["lock"]=>
>   bool(true)
>   ["relabelfrom"]=>
>   bool(false)
>   ["relabelto"]=>
>   bool(false)
>   ["append"]=>
>   bool(false)
>   ["unlink"]=>
>   bool(false)
>   ["link"]=>
>   bool(false)
>   ["rename"]=>
>   bool(false)
>   ["execute"]=>
>   bool(true)
>   ["swapon"]=>
>   bool(false)
>   ["quotaon"]=>
>   bool(false)
>   ["mounton"]=>
>   bool(false)
>   ["execute_no_trans"]=>
>   bool(true)
>   ["entrypoint"]=>
>   bool(false)
>   ["execmod"]=>
>   bool(false)
>   ["open"]=>
>   bool(false)
> }
> --
> OSS Platform Development Division, NEC
> KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
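The two points discussed in this thread, telling an error return of selinux_getcon() apart from a legitimate (possibly empty) context string with "===", and reading the per-permission booleans that the revised selinux_compute_av() returns, can be combined into a small access-decision helper. The script below is an added example and is not part of the php-selinux package; it assumes only the function names and return shapes described in the message (selinux_getcon() returns a string or false; selinux_compute_av($scontext, $tcontext, $tclass) returns "allowed", "auditallow" and "auditdeny" subarrays keyed by permission name). When the extension is not loaded it falls back to a constructed decision array so the checks still run offline.

```php
<?php
// Added example, not code from the php-selinux package. Function names and
// return shapes are taken from the mailing-list message; everything marked
// "constructed" below is sample data invented for this example.

// Constructed sample decision used when the php-selinux extension is not
// loaded. It mirrors a subset of the var_dump() output quoted in the message
// for staff_t accessing etc_t:file.
$SAMPLE_AVD = array(
    "allowed" => array(
        "ioctl" => true,  "read" => true,   "write" => false, "create" => false,
        "getattr" => true, "setattr" => false, "lock" => true, "append" => false,
        "unlink" => false, "execute" => true, "execute_no_trans" => true,
        "open" => false,
    ),
    "auditallow" => array(),
    "auditdeny"  => array(),
);

/**
 * Return the caller's security context, or null on error.
 * Uses "===" so that only the boolean false is treated as an error; a loose
 * "== false" test would also swallow an empty string, as the thread shows.
 */
function current_context()
{
    if (!function_exists('selinux_getcon')) {
        return null;                           // extension not loaded
    }
    $con = selinux_getcon();
    if ($con === false) {                      // strict: bool false only
        return null;
    }
    return $con;                               // may legitimately be ""
}

/**
 * True only if every permission in $perms is granted in the "allowed"
 * subarray. A missing key or a malformed decision counts as denied, which is
 * the safe default for an access check.
 */
function all_allowed($avd, array $perms)
{
    if (!is_array($avd) || !isset($avd["allowed"]) || !is_array($avd["allowed"])) {
        return false;                          // compute failed or bad shape
    }
    foreach ($perms as $p) {
        if (!isset($avd["allowed"][$p]) || $avd["allowed"][$p] !== true) {
            return false;
        }
    }
    return true;
}

/**
 * Ask the extension for a decision, or use the constructed sample when the
 * extension is absent so the example runs anywhere.
 */
function compute_av_or_sample($scontext, $tcontext, $tclass)
{
    global $SAMPLE_AVD;
    if (function_exists('selinux_compute_av')) {
        return selinux_compute_av($scontext, $tcontext, $tclass);
    }
    return $SAMPLE_AVD;                        // constructed fallback
}

$scontext = current_context();
if ($scontext === null) {
    $scontext = "staff_u:staff_r:staff_t";     // constructed context
}
$avd = compute_av_or_sample($scontext, "system_u:object_r:etc_t", "file");

printf("readable (read+getattr): %s\n", all_allowed($avd, array("read", "getattr")) ? "yes" : "no");
printf("writable (write):        %s\n", all_allowed($avd, array("write")) ? "yes" : "no");
printf("unknown permission:      %s\n", all_allowed($avd, array("read", "nosuchperm")) ? "yes" : "no");
```

Run it with `php example.php`; on a host with the extension and an enforcing policy it queries the real decision for the caller's context, otherwise the constructed array drives the same three checks. The "!== true" test in all_allowed() deliberately refuses anything that is not the boolean true, so a permission that is absent from the array (for example a name that does not exist in the "file" class) is never mistaken for a grant.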