From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: KaiGai Kohei <kaigai@ak.jp.nec.com>,
	selinux@tycho.nsa.gov, Eamon Walsh <ewalsh@tycho.nsa.gov>,
	Joshua Brindle <jbrindle@tresys.com>
Subject: Re: PHP/SELinux: libselinux wrappers
Date: Thu, 26 Feb 2009 09:57:38 -0500
Message-ID: <49A6ADE2.8040602@redhat.com>
In-Reply-To: <1235659159.13059.91.camel@localhost.localdomain>

Stephen Smalley wrote:
> On Thu, 2009-02-26 at 15:22 +0900, KaiGai Kohei wrote:
>> Hi,
>>
>> I tried to implement a libselinux wrapper for PHP script language
>> several months ago.
>>
>> Now, I have a plan to propose the facility to the official extensions
>> of the PHP community, called PECL (PHP Extension Community Library),
>> and to the Fedora project.
>>
>> Before that, I would like folks to check the list of supported APIs.
>>
>> * The list of APIs : PHP/SELinux binding
>>   http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux
> 
> Sorry for not looking at this previously.  Userspace folks, please take
> a look before we are locked into an API for PHP scripts.
> 
> I have no knowledge of PHP, so with that in mind:
> 
> I take it that php doesn't namespace the functions by module name,
> unlike python?  And thus you felt the need to change the names of the
> functions to use a selinux_ prefix?
> 
> selinux_is_enabled() aka is_selinux_enabled() can also return < 0 if
> there is an error when trying to determine whether SELinux is in fact
> enabled.  So it either needs an int return value or you could have your
> php wrapper test for that case internally and return false.  Most C code
> is using is_selinux_enabled() > 0 as the test for selinux-enabled.
> 
> selinux_getcon() says that it returns false on error.  So false is a
> legal string value in PHP?  And you don't mean the string "false", I
> presume?  So it can be used in a conditional with the expected effect?
> 
> selinux_getpidcon() takes an int pid in your interface vs pid_t in
> libselinux.  Is there no type defined for process identifiers in PHP?
> 
> security classes can be unsigned integers or their own type.
> access vectors can be unsigned integers, bitfields, or their own type.
> Or we could only deal with security classes and access vectors as
> strings and lists of strings respectively for PHP, and map them back and
> forth to integers within the wrappers.
> 
> matchpathcon is being deprecated in favor of the selabel* interfaces.
> 
>>   NOTE:
>>    - All the "_raw" interfaces are omitted, because we can translate
>>      a human readable format into a system one later using
>>        string selinux_trans_to_raw_context(string $context).
>>    - All the AVC related interfaces are omitted, because I didn't
>>      assume PHP script works as a userspace object manager.
>>
>> * Steps to build and install
>>   % svn checkout http://sepgsql.googlecode.com/svn/misc/php-selinux
>>   % cd php-selinux
>>   % ./build-php-selinux.sh
>>          :
>>   Wrote: /home/kaigai/RPMS/SRPMS/php-selinux-0.1626-beta.fc10.src.rpm
>>   Wrote: /home/kaigai/RPMS/RPMS/i386/php-selinux-0.1626-beta.fc10.i386.rpm
>>          :
>>   % su
>>   # rpm -Uvh /path/to/package/php-selinux-0.1626-beta.fc10.i386.rpm
>>
>>   NOTE:
>>    - It requires that "php-devel" and "libselinux-devel" be installed
>>      prior to running ./build-php-selinux.sh
>>    - It requires that "rpmbuild" works correctly. Please confirm your
>>      ~/.rpmmacros if the script does not work correctly.
>>
>> * Example:
>>   % rpm -q php-selinux
>>   php-selinux-0.1626-beta.fc10.i386
>>   % php -r 'echo selinux_getcon()."\n";'
>>   unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemMiddle
>>   % php -r 'echo selinux_getfilecon("/etc/shadow")."\n";'
>>   system_u:object_r:shadow_t
>>   % php -r '$tclass = selinux_string_to_class("file");
>>             $avd = selinux_compute_av("staff_u:staff_r:staff_t:s0",
>>                                       "system_u:object_r:etc_t:s0",
>>                                       $tclass);
>>             var_dump($avd);'
>>   array(5) {
>>     ["allowed"]=>
>>     int(139347)
>>     ["decided"]=>
>>     int(-1)
>>     ["auditallow"]=>
>>     int(0)
>>     ["auditdeny"]=>
>>     int(-17)
>>     ["seqno"]=>
>>     int(41)
>>   }
>>
>> Thanks,
I would rather package this up as part of libselinux, perhaps
libselinux-php, rather than make a new package.

I have had requests for a libsemanage-ruby if anyone wants to delve into it.
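Stephen's suggestion above to expose access vectors as lists of permission names rather than raw integers, worked through as an added example in C (not code from KaiGai's php-selinux or from libselinux): it converts between a bitfield and a comma-separated name list, and shows why the var_dump() output above prints auditdeny as int(-17): the unsigned 32-bit value 0xffffffef was stored in a signed integer. The file-class permission table, the av_t typedef and the function names are constructed for this example; real bit positions come from the loaded policy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same width libselinux gives access_vector_t: an unsigned 32-bit bitfield. */
typedef uint32_t av_t;

/* Illustrative name-per-bit table for the "file" class. Real bit positions
 * come from the loaded policy, so treat this as constructed sample data. */
static const char *const file_perms[] = {
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock", "relabelfrom",
    "relabelto", "append", "unlink", "link", "rename", "execute", "swapon", "quotaon",
    "mounton", "execute_no_trans", "entrypoint", "execmod", "open",
};
#define NPERMS (sizeof file_perms / sizeof file_perms[0])

/* var_dump() printed auditdeny as int(-17): the u32 0xffffffef had been
 * stored in a signed int. Recover the unsigned bitfield it really is. */
static av_t av_from_php_int(long v) { return (av_t)(uint32_t)v; }

/* Expand a bitfield into "name,name,..." in a static buffer. Bits past the
 * table become "bit<n>" so nothing is silently dropped. */
static const char *av_to_names(av_t av)
{
    static char buf[512];
    size_t used = 0;
    buf[0] = '\0';
    for (unsigned i = 0; i < 32 && used < sizeof buf; i++) {
        if (!(av & (1u << i)))
            continue;
        const char *sep = used ? "," : "";
        int w = i < NPERMS
            ? snprintf(buf + used, sizeof buf - used, "%s%s", sep, file_perms[i])
            : snprintf(buf + used, sizeof buf - used, "%sbit%u", sep, i);
        used += w > 0 ? (size_t)w : 0;   /* snprintf itself never overruns */
    }
    return buf;
}

/* Parse "read,write" back into a bitfield; -1 if any name is unknown. */
static int64_t names_to_av(const char *list)
{
    char tmp[256];
    av_t av = 0;
    snprintf(tmp, sizeof tmp, "%s", list);      /* bounded copy for strtok */
    for (char *tok = strtok(tmp, ","); tok; tok = strtok(NULL, ",")) {
        unsigned i = 0;
        while (i < NPERMS && strcmp(tok, file_perms[i])) i++;
        if (i == NPERMS) return -1;
        av |= 1u << i;
    }
    return av;
}
```

With this table, the allowed value 139347 from the example decodes to ioctl, read, getattr, lock, execute and execute_no_trans, and 0xffffffef is every bit except getattr, which is what a dontaudit on getattr looks like in auditdeny.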


