* PHP/SELinux: libselinux wrappers
From: KaiGai Kohei
Date: 2008-09-09 6:41 UTC
To: selinux

Hi,

I tried to implement libselinux wrappers for PHP.

It requires the following steps to build.

$ svn checkout http://sepgsql.googlecode.com/svn/misc/php-selinux
$ cd php-selinux
$ ./build-php-selinux.sh /tmp/php-5.2.6-4.src.rpm

(*) You have to get the source rpm package from somewhere.

It is a conceptual implementation, prior to submitting it to the PHP developers' community.

Please comment if you have anything.
I plan to submit it to them with some more work, like documentation and test cases.

Thanks,

---------------------------------
Already implemented functions
---------------------------------
selinux_is_enabled
selinux_mls_is_enabled

/*
 * /proc/<PID>/attr functions
 */
selinux_getcon
selinux_getcon_raw
selinux_setcon
selinux_setcon_raw
selinux_getpidcon
selinux_getpidcon_raw
selinux_getprevcon
selinux_getprevcon_raw
selinux_getexeccon
selinux_getexeccon_raw
selinux_setexeccon
selinux_setexeccon_raw
selinux_getfscreatecon
selinux_getfscreatecon_raw
selinux_setfscreatecon
selinux_setfscreatecon_raw
selinux_getkeycreatecon
selinux_getkeycreatecon_raw
selinux_setkeycreatecon
selinux_setkeycreatecon_raw
selinux_getsockcreatecon
selinux_getsockcreatecon_raw
selinux_setsockcreatecon
selinux_setsockcreatecon_raw

/*
 * Get file context
 */
selinux_getfilecon
selinux_getfilecon_raw
selinux_lgetfilecon
selinux_lgetfilecon_raw
selinux_fgetfilecon
selinux_fgetfilecon_raw

/*
 * Set file context
 */
selinux_setfilecon
selinux_setfilecon_raw
selinux_lsetfilecon
selinux_lsetfilecon_raw
selinux_fsetfilecon
selinux_fsetfilecon_raw

/*
 * Labeled Networking
 */
selinux_getpeercon
selinux_getpeercon_raw

/*
 * get initial context
 */
selinux_get_initial_context
selinux_get_initial_context_raw

/*
 * sanity check in security context
 */
selinux_check_context
selinux_check_context_raw
selinux_canonicalize_context
selinux_canonicalize_context_raw

/*
 * global setting related
 */
selinux_getenforce
selinux_setenforce
selinux_policyvers

/*
 * booleans
 */
selinux_get_boolean_names
selinux_get_boolean_pending
selinux_get_boolean_active
selinux_set_boolean
selinux_commit_booleans

/*
 * mcstrans
 */
selinux_trans_to_raw_context
selinux_raw_to_trans_context

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: PHP/SELinux: libselinux wrappers
From: KaiGai Kohei
Date: 2008-09-18 2:25 UTC
To: selinux

I wrote the list of PHP/SELinux APIs:
http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux

Could anyone check the specification of them before submitting it to the PHP developers' list?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: PHP/SELinux: libselinux wrappers
From: KaiGai Kohei
Date: 2009-02-26 6:22 UTC
To: selinux

Hi,

I tried to implement a libselinux wrapper for the PHP script language several months ago.

Now, I have a plan to propose the facility to the official extensions of the PHP community, called PECL (PHP Extension Community Library), and to the Fedora project.

Before that, I would like folks to check the list of supported APIs.

* The list of APIs : PHP/SELinux binding
  http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux

NOTE:
- All the "_raw" interfaces are omitted, because we can translate a human readable format into a system one later using
  string selinux_trans_to_raw_context(string $context).
- All the AVC related interfaces are omitted, because I didn't assume a PHP script works as a userspace object manager.

* Steps to build and install

% svn checkout http://sepgsql.googlecode.com/svn/misc/php-selinux
% cd php-selinux
% ./build-php-selinux.sh
  :
Wrote: /home/kaigai/RPMS/SRPMS/php-selinux-0.1626-beta.fc10.src.rpm
Wrote: /home/kaigai/RPMS/RPMS/i386/php-selinux-0.1626-beta.fc10.i386.rpm
  :
% su
# rpm -Uvh /path/to/package/php-selinux-0.1626-beta.fc10.i386.rpm

NOTE:
- It requires that "php-devel" and "libselinux-devel" be installed prior to ./build-php-selinux.sh
- It requires that "rpmbuild" work correctly. Please confirm your ~/.rpmmacros if the script does not work correctly.

* Example:

% rpm -q php-selinux
php-selinux-0.1626-beta.fc10.i386
% php -r 'echo selinux_getcon()."\n";'
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemMiddle
% php -r 'echo selinux_getfilecon("/etc/shadow")."\n";'
system_u:object_r:shadow_t
% php -r '$tclass = selinux_string_to_class("file");
          $avd = selinux_compute_av("staff_u:staff_r:staff_t:s0",
                                    "system_u:object_r:etc_t:s0",
                                    $tclass);
          var_dump($avd);'
array(5) {
  ["allowed"]=>
  int(139347)
  ["decided"]=>
  int(-1)
  ["auditallow"]=>
  int(0)
  ["auditdeny"]=>
  int(-17)
  ["seqno"]=>
  int(41)
}

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: PHP/SELinux: libselinux wrappers
From: Stephen Smalley
Date: 2009-02-26 14:39 UTC
To: KaiGai Kohei
Cc: selinux, Eamon Walsh, Joshua Brindle, Daniel J Walsh

On Thu, 2009-02-26 at 15:22 +0900, KaiGai Kohei wrote:
> Hi,
>
> I tried to implement a libselinux wrapper for PHP script language
> several months ago.
>
> Now, I have a plan to propose the facility into official extensions
> of PHP community, called as PECL (PHP Extension Community Library),
> and Fedora project.
>
> Before that, I would like folks to check the list of supported APIs.
>
> * The list of APIs : PHP/SELinux binding
> http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux

Sorry for not looking at this previously. Userspace folks, please take a look before we are locked into an API for PHP scripts.

I have no knowledge of PHP, so with that in mind:

I take it that php doesn't namespace the functions by module name, unlike python? And thus you felt the need to change the names of the functions to use a selinux_ prefix?

selinux_is_enabled() aka is_selinux_enabled() can also return < 0 if there is an error when trying to determine whether SELinux is in fact enabled. So it either needs an int return value or you could have your php wrapper test for that case internally and return false. Most C code is using is_selinux_enabled() > 0 as the test for selinux-enabled.

selinux_getcon() says that it returns false on error. So false is a legal string value in PHP? And you don't mean the string "false", I presume? So it can be used in a conditional with the expected effect?

selinux_getpidcon() takes an int pid in your interface vs pid_t in libselinux. Is there no type defined for process identifiers in PHP?

security classes can be unsigned integers or their own type.
access vectors can be unsigned integers, bitfields, or their own type.
Or we could only deal with security classes and access vectors as strings and lists of strings respectively for PHP, and map them back and forth to integers within the wrappers.

matchpathcon is being deprecated in favor of the selabel* interfaces.

-- 
Stephen Smalley
National Security Agency
* Re: PHP/SELinux: libselinux wrappers
From: Daniel J Walsh
Date: 2009-02-26 14:57 UTC
To: Stephen Smalley
Cc: KaiGai Kohei, selinux, Eamon Walsh, Joshua Brindle

Stephen Smalley wrote:
> Sorry for not looking at this previously. Userspace folks, please take
> a look before we are locked into an API for PHP scripts.
>
> I have no knowledge of PHP, so with that in mind:
>
> I take it that php doesn't namespace the functions by module name,
> unlike python? And thus you felt the need to change the names of the
> functions to use a selinux_ prefix?
>
> selinux_is_enabled() aka is_selinux_enabled() can also return < 0 if
> there is an error when trying to determine whether SELinux is in fact
> enabled. So it either needs an int return value or you could have your
> php wrapper test for that case internally and return false. Most C code
> is using is_selinux_enabled() > 0 as the test for selinux-enabled.
>
> selinux_getcon() says that it returns false on error. So false is a
> legal string value in PHP? And you don't mean the string "false", I
> presume? So it can be used in a conditional with the expected effect?
>
> selinux_getpidcon() takes an int pid in your interface vs pid_t in
> libselinux. Is there no type defined for process identifiers in PHP?
>
> security classes can be unsigned integers or their own type.
> access vectors can be unsigned integers, bitfields, or their own type.
> Or we could only deal with security classes and access vectors as
> strings and lists of strings respectively for PHP, and map them back and
> forth to integers within the wrappers.
>
> matchpathcon is being deprecated in favor of the selabel* interfaces.

I would rather package this up as part of libselinux, perhaps libselinux-php, rather than make a new package.

I have had requests for a libsemanage-ruby if anyone wants to delve into it.
* RE: PHP/SELinux: libselinux wrappers
From: Joshua Brindle
Date: 2009-02-26 18:50 UTC
To: Daniel J Walsh, Stephen Smalley
Cc: KaiGai Kohei, selinux, Eamon Walsh

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
>
> I would rather package this up as part of libselinux, perhaps
> libselinux-php, rather then make a new package.

The last time I used PHP (admittedly years ago) most if not all bindings were included in the upstream PHP distribution.

> I have had requests for a libsemanage-ruby if anyone wants to delve into
> it.
* Re: PHP/SELinux: libselinux wrappers
From: KaiGai Kohei
Date: 2009-02-27 2:23 UTC
To: Joshua Brindle
Cc: Daniel J Walsh, Stephen Smalley, selinux, Eamon Walsh

Joshua Brindle wrote:
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
>>
>> I would rather package this up as part of libselinux, perhaps
>> libselinux-php, rather then make a new package.
>
> The last time I used PHP (admittedly years ago) most if not all bindings
> were included in the upstream PHP distribution.

At least, most PHP extensions have a php-* naming convention, like: php-mysql, php-mbstring, php-ldap, ...

Most of the major extensions are distributed as subpackages of php itself, but some extensions are not distributed as a separate package. (Please find php-* on the list of Fedora SRPMs.)

I don't think we need to wait for it to get merged into the core PHP to release the php-selinux package.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: PHP/SELinux: libselinux wrappers
From: Daniel J Walsh
Date: 2009-02-27 19:08 UTC
To: KaiGai Kohei
Cc: Joshua Brindle, Stephen Smalley, selinux, Eamon Walsh

KaiGai Kohei wrote:
> At least, most of PHP extensions has php-* naming convension, like:
> php-mysql, php-mbstring, php-ldap, ...
>
> Most of major extensions are distributed as subpackages of php itself,
> but some of extensions are not distributed as separated package.
> (Please find php-* on the list of Fedora SRPMs.)
>
> I don't think we need to wait for it get merged into the core PHP,
> to release php-selinux package.
>
> Thanks,

OK then, fine, leave it as a separate package.
* Re: PHP/SELinux: libselinux wrappers
From: KaiGai Kohei
Date: 2009-03-03 3:37 UTC
To: Daniel J Walsh
Cc: Joshua Brindle, Stephen Smalley, selinux, Eamon Walsh

Now it is in the PECL repository:
http://pecl.php.net/package/selinux
http://cvs.php.net/viewvc.cgi/pecl/selinux/

The php-pecl-selinux package is under review request:
https://bugzilla.redhat.com/show_bug.cgi?id=488185

It is necessary for the package to be reviewed as to whether the specfile correctly follows the Fedora packaging guidelines [1] [2] or not. I would like folks to help reviewing it.

In addition, the Fedora Project requires all new packages to be approved by core maintainers called "sponsors" [3].

Could you introduce me to an appropriate person to recommend the package?

Thanks,

[1] http://fedoraproject.org/wiki/Packaging/Guidelines
[2] http://fedoraproject.org/wiki/Packaging/PHP
[3] https://admin.fedoraproject.org/accounts/group/members/packager/*/sponsor

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: PHP/SELinux: libselinux wrappers
From: KaiGai Kohei
Date: 2009-03-10 7:05 UTC
To: Daniel J Walsh
Cc: Joshua Brindle, Stephen Smalley, selinux, Eamon Walsh

Hi,

http://koji.fedoraproject.org/koji/packageinfo?packageID=7917

Now the "php-pecl-selinux" package got approved in the Fedora Project. Some days later, it will be delivered to mirrors.

KaiGai Kohei wrote:
> Now it in PECL repository:
> http://pecl.php.net/package/selinux
> http://cvs.php.net/viewvc.cgi/pecl/selinux/

BTW, I still mark its state as "devel". It means we have a possibility to change APIs. If you found anything to be improved, please tell me.

The following example is just a toy, which implements Paul's "getpeercon_server.c" example in PHP.

--------------
#!/usr/bin/php -q
<?php
/* Listen on the given TCP port and print the SELinux security context
 * of every peer that connects, as reported by selinux_getpeercon()
 * (labeled networking). */
if (count($argv) < 2) {
    echo "usage: ".$argv[0]." <port>\n";
    exit(1);
}

$conn_url = sprintf("tcp://0.0.0.0:%u", $argv[1]);
$server = stream_socket_server($conn_url, $errno, $errmsg);
if (!$server) {
    echo "error: $errmsg ($errno)\n";
    exit(1);
}

while (($client = stream_socket_accept($server))) {
    /* true => address of the remote peer, not the local socket */
    $ipaddr = stream_socket_get_name($client, true);
    /* false when the peer carries no label (unlabeled network) */
    $peercon = selinux_getpeercon($client);

    printf("connect %s => %s\n", $ipaddr, !$peercon ? "null" : $peercon);

    fclose($client);
}
fclose($server);
?>
--------------
[kaigai@saba ~]$ ./peersock.php 1234
connect 10.19.71.82:4643 => user_u:user_r:user_t:s0
connect 127.0.0.1:36277 => staff_u:staff_r:staff_t:s0
connect 10.19.71.81:48902 => null

I guess it can also be used for educational purposes, because it enables one to observe the behavior of SELinux with quick trial-and-error steps. :-)

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: PHP/SELinux: libselinux wrappers
From: KaiGai Kohei
Date: 2009-02-27 2:10 UTC
To: Daniel J Walsh
Cc: Stephen Smalley, selinux, Eamon Walsh, Joshua Brindle

Daniel J Walsh wrote:
> I would rather package this up as part of libselinux, perhaps
> libselinux-php, rather then make a new package.
>
> I have had requests for a libsemanage-ruby if anyone wants to delve into it.

Is it possible to pack two modules with different licenses into one package?
Any PECL modules are required to be licensed under the PHP license. It is considered LGPL-compatible, but I'm not a lawyer.
http://www.php.net/license/3_01.txt

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: PHP/SELinux: libselinux wrappers
From: KaiGai Kohei @ 2009-02-27 1:56 UTC
To: Stephen Smalley; +Cc: selinux, Eamon Walsh, Joshua Brindle, Daniel J Walsh

Stephen Smalley wrote:
> On Thu, 2009-02-26 at 15:22 +0900, KaiGai Kohei wrote:
>> Hi,
>>
>> I tried to implement a libselinux wrapper for the PHP script language
>> several months ago.
>>
>> Now, I have a plan to propose the facility into the official extensions
>> of the PHP community, called PECL (PHP Extension Community Library),
>> and the Fedora project.
>>
>> Before that, I would like folks to check the list of supported APIs.
>>
>> * The list of APIs : PHP/SELinux binding
>> http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux
>
> Sorry for not looking at this previously. Userspace folks, please take
> a look before we are locked into an API for PHP scripts.
>
> I have no knowledge of PHP, so with that in mind:
>
> I take it that php doesn't namespace the functions by module name,
> unlike python? And thus you felt the need to change the names of the
> functions to use a selinux_ prefix?

This article recommends that all function names be prefixed by the module name.

* PHP Extension Writing
http://talks.somabo.de/#20071012
http://talks.somabo.de/200710_extension_writing.pdf
- Please see page 27 (PHP Functions).

> selinux_is_enabled() aka is_selinux_enabled() can also return < 0 if
> there is an error when trying to determine whether SELinux is in fact
> enabled. So it either needs an int return value or you could have your
> php wrapper test for that case internally and return false. Most C code
> is using is_selinux_enabled() > 0 as the test for selinux-enabled.

Oops, the current implementation can return 'true' on an error state.
I'll fix it.

> selinux_getcon() says that it returns false on error. So false is a
> legal string value in PHP? And you don't mean the string "false", I
> presume? So it can be used in a conditional with the expected effect?

I believe we can discriminate between a legal string value and a bool one.
This function is available to check which one is returned.
http://jp.php.net/manual/en/function.is-string.php

However, it is necessary to note that "false" is cast to the empty string
when we compare them without special care, like:

$ php -r 'if ("" == false)
          echo "hello!\n";'
hello!

I'll confirm with the PHP developers whether we can consider "false" to be
an error condition on functions which return a string, or not.

> selinux_getpidcon() takes an int pid in your interface vs pid_t in
> libselinux. Is there no type defined for process identifiers in PHP?

PHP does not have a special-purpose type.
It seems to me they don't care about it.
http://jp.php.net/manual/en/function.posix-getpid.php
http://jp.php.net/manual/en/function.posix-kill.php

> security classes can be unsigned integers or their own type.
> access vectors can be unsigned integers, bitfields, or their own type.
> Or we could only deal with security classes and access vectors as
> strings and lists of strings respectively for PHP, and map them back and
> forth to integers within the wrappers.

I think it is a good idea.

You are saying such an interface, aren't you?

selinux_compute_av("staff_t:staff_r:staff_t",
                   "system_u:object_r:shadow_t",
                   "file");
It returns an associative array which contains three subarrays
named "allowed", "auditallow", "auditdeny".

> matchpathcon is being deprecated in favor of the selabel* interfaces.

OK, I'll consider rewriting it using these interfaces.

Thanks,

>> NOTE:
>> - All the "_raw" interfaces are omitted, because we can translate
>>   a human readable format into a system one later using
>>   string selinux_trans_to_raw_context(string $context).
>> - All the AVC related interfaces are omitted, because I didn't
>>   assume a PHP script works as a userspace object manager.
>>
>> * Steps to build and install
>> % svn checkout http://sepgsql.googlecode.com/svn/misc/php-selinux
>> % cd php-selinux
>> % ./build-php-selinux.sh
>>   :
>> Wrote: /home/kaigai/RPMS/SRPMS/php-selinux-0.1626-beta.fc10.src.rpm
>> Wrote: /home/kaigai/RPMS/RPMS/i386/php-selinux-0.1626-beta.fc10.i386.rpm
>>   :
>> % su
>> # rpm -Uvh /path/to/package/php-selinux-0.1626-beta.fc10.i386.rpm
>>
>> NOTE:
>> - It requires that "php-devel" and "libselinux-devel" are installed
>>   prior to ./build-php-selinux.sh
>> - It requires that "rpmbuild" works correctly. Please confirm your
>>   ~/.rpmmacros, if the script does not work correctly.
>>
>> * Example:
>> % rpm -q php-selinux
>> php-selinux-0.1626-beta.fc10.i386
>> % php -r 'echo selinux_getcon()."\n";'
>> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemMiddle
>> % php -r 'echo selinux_getfilecon("/etc/shadow")."\n";'
>> system_u:object_r:shadow_t
>> % php -r '$tclass = selinux_string_to_class("file");
>> $avd = selinux_compute_av("staff_u:staff_r:staff_t:s0",
>>                           "system_u:object_r:etc_t:s0",
>>                           $tclass);
>> var_dump($avd);'
>> array(5) {
>>   ["allowed"]=>
>>   int(139347)
>>   ["decided"]=>
>>   int(-1)
>>   ["auditallow"]=>
>>   int(0)
>>   ["auditdeny"]=>
>>   int(-17)
>>   ["seqno"]=>
>>   int(41)
>> }
>>
>> Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: PHP/SELinux: libselinux wrappers
From: KaiGai Kohei @ 2009-02-27 4:28 UTC
To: Stephen Smalley; +Cc: selinux, Eamon Walsh, Joshua Brindle, Daniel J Walsh

KaiGai Kohei wrote:
>> selinux_getcon() says that it returns false on error. So false is a
>> legal string value in PHP? And you don't mean the string "false", I
>> presume? So it can be used in a conditional with the expected effect?
>
> I believe we can discriminate between a legal string value and a bool one.
> This function is available to check which one is returned.
> http://jp.php.net/manual/en/function.is-string.php
>
> However, it is necessary to note that "false" is cast to the empty string
> when we compare them without special care, like:
>
> $ php -r 'if ("" == false)
>           echo "hello!\n";'
> hello!
>
> I'll confirm with the PHP developers whether we can consider "false" to be
> an error condition on functions which return a string, or not.

On the PHP list I was advised to use the "===" operator.
It requires both the left and right sides to have the same type and value,
so we can discriminate between legal strings (including the empty one)
and error status.

http://jp.php.net/manual/en/language.operators.comparison.php

>> security classes can be unsigned integers or their own type.
>> access vectors can be unsigned integers, bitfields, or their own type.
>> Or we could only deal with security classes and access vectors as
>> strings and lists of strings respectively for PHP, and map them back and
>> forth to integers within the wrappers.
>
> I think it is a good idea.
>
> You are saying such an interface, aren't you?
>
> selinux_compute_av("staff_t:staff_r:staff_t",
>                    "system_u:object_r:shadow_t",
>                    "file");
> It returns an associative array which contains three subarrays
> named "allowed", "auditallow", "auditdeny".

I tried to implement the revised one.

We can check its result like:
  $avd = selinux_compute_av(...);
  $allowed = $avd["allowed"];
  if ($allowed["read"] && $allowed["getattr"])
      echo "Readable!\n";

------
$ php -r '$scontext = "staff_u:staff_r:staff_t";
$tcontext = "system_u:object_r:etc_t";
$avd = selinux_compute_av($scontext, $tcontext, "file");
var_dump($avd["allowed"]);'
array(21) {
  ["ioctl"]=>
  bool(true)
  ["read"]=>
  bool(true)
  ["write"]=>
  bool(false)
  ["create"]=>
  bool(false)
  ["getattr"]=>
  bool(true)
  ["setattr"]=>
  bool(false)
  ["lock"]=>
  bool(true)
  ["relabelfrom"]=>
  bool(false)
  ["relabelto"]=>
  bool(false)
  ["append"]=>
  bool(false)
  ["unlink"]=>
  bool(false)
  ["link"]=>
  bool(false)
  ["rename"]=>
  bool(false)
  ["execute"]=>
  bool(true)
  ["swapon"]=>
  bool(false)
  ["quotaon"]=>
  bool(false)
  ["mounton"]=>
  bool(false)
  ["execute_no_trans"]=>
  bool(true)
  ["entrypoint"]=>
  bool(false)
  ["execmod"]=>
  bool(false)
  ["open"]=>
  bool(false)
}
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
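The two messages above show the same access-vector decision twice: first as the raw integers libselinux returns (allowed=139347, decided=-1, auditallow=0, auditdeny=-17, seqno=41 for staff_t reading an etc_t file) and then as the per-permission booleans the revised wrapper produces. The following is an added example, not code from the php-selinux package or from anyone in the thread, written in C because that is the language the extension itself is implemented in. It redeclares the libselinux types locally so it builds without the library, and expands the numeric decision into the boolean map. The bit order of the "file" permissions is an assumption taken from the order of the var_dump() output above; a real wrapper would obtain it from the loaded policy rather than a fixed table. It also shows the two things a caller of such a wrapper should look at beyond "allowed": the "decided" mask, which says which bits the answer actually covers, and the "auditdeny" mask, which tells you which denials would never appear in the audit log.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Redeclared locally so this example compiles without libselinux:
 * access_vector_t is a 32-bit bitmask and struct av_decision carries the
 * five fields that var_dump($avd) printed in the thread. */
typedef uint32_t access_vector_t;
struct av_decision {
    access_vector_t allowed;
    access_vector_t decided;
    access_vector_t auditallow;
    access_vector_t auditdeny;
    unsigned int seqno;
};

/* Permission names of the "file" class in bit order.
 * ASSUMPTION: taken from the order of the var_dump() output in the thread;
 * the real wrapper would derive this from the policy at runtime. */
static const char *const file_perms[] = {
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
    "execute", "swapon", "quotaon", "mounton", "execute_no_trans",
    "entrypoint", "execmod", "open",
};
#define FILE_NPERMS (sizeof(file_perms) / sizeof(file_perms[0]))

/* String -> bit mapping (the direction selinux_string_to_av_perm() used to
 * expose). Returns 0 for an unknown permission name. */
static access_vector_t file_perm_to_av(const char *name)
{
    for (size_t i = 0; i < FILE_NPERMS; i++)
        if (strcmp(file_perms[i], name) == 0)
            return (access_vector_t)1 << i;
    return 0;
}

/* Bit -> boolean expansion: what the wrapper does to build
 * $avd["allowed"], $avd["auditallow"] and $avd["auditdeny"]. */
static void av_to_bools(access_vector_t av, bool out[FILE_NPERMS])
{
    for (size_t i = 0; i < FILE_NPERMS; i++)
        out[i] = (av >> i) & 1u;
}

/* Number of known permissions present in an access vector. */
static int av_count(access_vector_t av)
{
    bool bits[FILE_NPERMS];
    int n = 0;
    av_to_bools(av, bits);
    for (size_t i = 0; i < FILE_NPERMS; i++)
        n += bits[i];
    return n;
}

/* Is a named permission granted? A bit only means something if the
 * decision covered it, so "decided" is consulted as well as "allowed". */
static bool avd_allows(const struct av_decision *avd, const char *perm)
{
    access_vector_t bit = file_perm_to_av(perm);
    return bit != 0 && (avd->decided & bit) && (avd->allowed & bit);
}

/* The readability test from the thread: read and getattr both granted. */
static bool avd_readable(const struct av_decision *avd)
{
    return avd_allows(avd, "read") && avd_allows(avd, "getattr");
}

/* Permissions whose denial would NOT be audited (dontaudit rules):
 * decided bits that are missing from auditdeny. */
static access_vector_t avd_silent_denials(const struct av_decision *avd)
{
    return avd->decided & ~avd->auditdeny;
}

/* Constructed sample: the decision printed in the thread, converted from
 * PHP's signed ints to the unsigned masks libselinux actually uses. */
static const struct av_decision sample_avd = {
    .allowed    = 139347u,      /* int(139347) */
    .decided    = 0xFFFFFFFFu,  /* int(-1)     */
    .auditallow = 0u,           /* int(0)      */
    .auditdeny  = 0xFFFFFFEFu,  /* int(-17)    */
    .seqno      = 41,
};

int main(void)
{
    bool allowed[FILE_NPERMS];
    av_to_bools(sample_avd.allowed, allowed);
    for (size_t i = 0; i < FILE_NPERMS; i++)
        printf("  [\"%s\"]=> bool(%s)\n", file_perms[i], allowed[i] ? "true" : "false");
    if (avd_readable(&sample_avd))
        puts("Readable!");
    return 0;
}
```

Decoding 139347 sets exactly the bits for ioctl, read, getattr, lock, execute and execute_no_trans, which is the same set of true values the revised wrapper printed, so the two outputs in the thread agree. The auditdeny value -17 is all bits set except bit 4 (getattr): a denied getattr on an etc_t file by staff_t would not be logged, which is the kind of detail a reviewer of a PHP application's SELinux behaviour wants to know before trusting the audit log as a record of what was refused.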
* Re: PHP/SELinux: libselinux wrappers
From: KaiGai Kohei @ 2009-02-27 8:40 UTC
To: Stephen Smalley; +Cc: selinux, Eamon Walsh, Joshua Brindle, Daniel J Walsh

Today, I updated the PHP/SELinux package as follows:
http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux
http://code.google.com/p/sepgsql/source/browse/misc/php-selinux/

- bugfix: selinux_is_enabled() and selinux_mls_is_enabled() returned
  TRUE on errors.
- cleanup: remove redundant length == 0 checks
- upgrade: selinux_compute_av(), selinux_compute_create(),
  selinux_compute_relabel() and selinux_compute_member() accept $tclass
  described in text form, such as "file".
- upgrade: selinux_compute_av() returns a set of associative arrays which
  contain true or false for each permission.
- The following functions are added:
  - selinux_file_label_lookup()
  - selinux_media_label_lookup()
  NOTE: Is selinux_x_label_lookup() necessary?
- The following functions are removed:
  - selinux_string_to_class()
  - selinux_class_to_string()
  - selinux_string_to_av_perm()
  - selinux_av_perm_to_string()
  - selinux_av_string()
  - selinux_matchpathcon()
  - selinux_lsetfilecon_default()

TODO:
- Move them into the PECL repository. (http://pecl.php.net/)
- Make a request to merge this package into the Fedora project.
  (libselinux-php? php-selinux?)
- Write a reference manual following the PHP community's conventions
  (http://jp.php.net/manual/en/index.php)

Thanks,

KaiGai Kohei wrote:
> KaiGai Kohei wrote:
>>> selinux_getcon() says that it returns false on error. So false is a
>>> legal string value in PHP? And you don't mean the string "false", I
>>> presume? So it can be used in a conditional with the expected effect?
>> I believe we can discriminate between a legal string value and a bool one.
>> This function is available to check which one is returned.
>> http://jp.php.net/manual/en/function.is-string.php
>>
>> However, it is necessary to note that "false" is cast to the empty string
>> when we compare them without special care, like:
>>
>> $ php -r 'if ("" == false)
>>           echo "hello!\n";'
>> hello!
>>
>> I'll confirm with the PHP developers whether we can consider "false" to be
>> an error condition on functions which return a string, or not.
>
> On the PHP list I was advised to use the "===" operator.
> It requires both the left and right sides to have the same type and value,
> so we can discriminate between legal strings (including the empty one)
> and error status.
>
> http://jp.php.net/manual/en/language.operators.comparison.php
>
>>> security classes can be unsigned integers or their own type.
>>> access vectors can be unsigned integers, bitfields, or their own type.
>>> Or we could only deal with security classes and access vectors as
>>> strings and lists of strings respectively for PHP, and map them back and
>>> forth to integers within the wrappers.
>> I think it is a good idea.
>>
>> You are saying such an interface, aren't you?
>>
>> selinux_compute_av("staff_t:staff_r:staff_t",
>>                    "system_u:object_r:shadow_t",
>>                    "file");
>> It returns an associative array which contains three subarrays
>> named "allowed", "auditallow", "auditdeny".
>
> I tried to implement the revised one.
>
> We can check its result like:
>   $avd = selinux_compute_av(...);
>   $allowed = $avd["allowed"];
>   if ($allowed["read"] && $allowed["getattr"])
>       echo "Readable!\n";
>
> ------
> $ php -r '$scontext = "staff_u:staff_r:staff_t";
> $tcontext = "system_u:object_r:etc_t";
> $avd = selinux_compute_av($scontext, $tcontext, "file");
> var_dump($avd["allowed"]);'
> array(21) {
>   ["ioctl"]=>
>   bool(true)
>   ["read"]=>
>   bool(true)
>   ["write"]=>
>   bool(false)
>   ["create"]=>
>   bool(false)
>   ["getattr"]=>
>   bool(true)
>   ["setattr"]=>
>   bool(false)
>   ["lock"]=>
>   bool(true)
>   ["relabelfrom"]=>
>   bool(false)
>   ["relabelto"]=>
>   bool(false)
>   ["append"]=>
>   bool(false)
>   ["unlink"]=>
>   bool(false)
>   ["link"]=>
>   bool(false)
>   ["rename"]=>
>   bool(false)
>   ["execute"]=>
>   bool(true)
>   ["swapon"]=>
>   bool(false)
>   ["quotaon"]=>
>   bool(false)
>   ["mounton"]=>
>   bool(false)
>   ["execute_no_trans"]=>
>   bool(true)
>   ["entrypoint"]=>
>   bool(false)
>   ["execmod"]=>
>   bool(false)
>   ["open"]=>
>   bool(false)
> }
>
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
Thread overview: 14+ messages
2008-09-09  6:41 PHP/SELinux: libselinux wrappers  KaiGai Kohei
2008-09-18  2:25 ` KaiGai Kohei
2009-02-26  6:22 ` KaiGai Kohei
2009-02-26 14:39   ` Stephen Smalley
2009-02-26 14:57     ` Daniel J Walsh
2009-02-26 18:50       ` Joshua Brindle
2009-02-27  2:23         ` KaiGai Kohei
2009-02-27 19:08           ` Daniel J Walsh
2009-03-03  3:37             ` KaiGai Kohei
2009-03-10  7:05               ` KaiGai Kohei
2009-02-27  2:10       ` KaiGai Kohei
2009-02-27  1:56     ` KaiGai Kohei
2009-02-27  4:28       ` KaiGai Kohei
2009-02-27  8:40         ` KaiGai Kohei