From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, Eamon Walsh <ewalsh@tycho.nsa.gov>,
	Joshua Brindle <jbrindle@tresys.com>,
	Daniel J Walsh <dwalsh@redhat.com>
Subject: Re: PHP/SELinux: libselinux wrappers
Date: Fri, 27 Feb 2009 17:40:24 +0900
Message-ID: <49A7A6F8.6050802@ak.jp.nec.com>
In-Reply-To: <49A76BD5.7040902@ak.jp.nec.com>

Today, I updated the PHP/SELinux package as follows:

 http://code.google.com/p/sepgsql/wiki/Memo_PHP_SELinux
 http://code.google.com/p/sepgsql/source/browse/misc/php-selinux/

 - bugfix: selinux_is_enabled() and selinux_mls_is_enabled() returned TRUE
   on errors.
 - cleanup: remove redundant length == 0 checks
 - upgrade: selinux_compute_av(), selinux_compute_create(),
   selinux_compute_relabel() and selinux_compute_member() accept $tclass
   described in text form, such as "file".
 - upgrade: selinux_compute_av() returns a set of associative arrays
   which contain true or false for each permission.
 - The following functions are added:
   - selinux_file_label_lookup()
   - selinux_media_label_lookup()
   NOTE: Is the selinux_x_label_lookup() necessary?
 - The following functions are removed:
   - selinux_string_to_class()
   - selinux_class_to_string()
   - selinux_string_to_av_perm()
   - selinux_av_perm_to_string()
   - selinux_av_string()
   - selinux_matchpathcon()
   - selinux_lsetfilecon_default()

TODO:
 - Move them into the PECL repository. (http://pecl.php.net/)
 - Make a request to merge this package into the Fedora project.
   (libselinux-php? php-selinux?)
 - Write a reference manual in the PHP community's manner
   (http://jp.php.net/manual/en/index.php)

Thanks,

KaiGai Kohei wrote:
> KaiGai Kohei wrote:
>>> selinux_getcon() says that it returns false on error.  So false is a
>>> legal string value in PHP?  And you don't mean the string "false", I
>>> presume?  So it can be used in a conditional with the expected effect?
>> I believe we can discriminate between a legal string value and a bool one.
>> This function is available to check which one is returned.
>>   http://jp.php.net/manual/en/function.is-string.php
>>
>> However, it is necessary to note that "false" is cast to an empty string
>> when we compare them without special care, like:
>>
>>   $ php -r 'if ("" == false)
>>                 echo "hello!\n";'
>>   hello!
>>
>> I'll confirm with the PHP developers whether we can consider "false" to be
>> an error condition on functions which return a string, or not.
> 
> It was suggested on the PHP list that I use the "===" operator.
> It requires both the left and right sides to have the same type and value,
> so we can discriminate between legal strings (including the empty one)
> and error status.
> 
>   http://jp.php.net/manual/en/language.operators.comparison.php
> 
>>> security classes can be unsigned integers or their own type.
>>> access vectors can be unsigned integers, bitfields, or their own type.
>>> Or we could only deal with security classes and access vectors as
>>> strings and lists of strings respectively for PHP, and map them back and
>>> forth to integers within the wrappers.
>> I think it is a good idea.
>>
>> You are saying such an interface, aren't you?
>>
>>   selinux_compute_av("staff_t:staff_r:staff_t",
>>                      "system_u:object_r:shadow_t",
>>                      "file");
>>   It returns an associative array which contains three subarrays
>>   named "allowed", "auditallow", "auditdeny".
> 
> I tried to implement the revised one.
> 
> We can check its result like:
>   $avd = selinux_compute_av(...);
>   $allowed = $avd["allowed"];
>   if ($allowed["read"] && $allowed["getattr"])
>       echo "Readable!\n";
> 
> ------
> $ php -r '$scontext = "staff_u:staff_r:staff_t";
>           $tcontext="system_u:object_r:etc_t";
>           $avd = selinux_compute_av($scontext, $tcontext, "file");
>           var_dump($avd["allowed"]);'
> array(21) {
>   ["ioctl"]=>
>   bool(true)
>   ["read"]=>
>   bool(true)
>   ["write"]=>
>   bool(false)
>   ["create"]=>
>   bool(false)
>   ["getattr"]=>
>   bool(true)
>   ["setattr"]=>
>   bool(false)
>   ["lock"]=>
>   bool(true)
>   ["relabelfrom"]=>
>   bool(false)
>   ["relabelto"]=>
>   bool(false)
>   ["append"]=>
>   bool(false)
>   ["unlink"]=>
>   bool(false)
>   ["link"]=>
>   bool(false)
>   ["rename"]=>
>   bool(false)
>   ["execute"]=>
>   bool(true)
>   ["swapon"]=>
>   bool(false)
>   ["quotaon"]=>
>   bool(false)
>   ["mounton"]=>
>   bool(false)
>   ["execute_no_trans"]=>
>   bool(true)
>   ["entrypoint"]=>
>   bool(false)
>   ["execmod"]=>
>   bool(false)
>   ["open"]=>
>   bool(false)
> }
> 


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
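The two points discussed in this message, checking a string-returning wrapper with `=== false` rather than `==` and consuming the per-permission boolean arrays of selinux_compute_av(), put together in one added example (this is editor-written code, not part of KaiGai's php-selinux package). It assumes the php-selinux extension is loaded so that selinux_getcon() and selinux_compute_av() exist with the signatures shown in the mail; selinux_check_perms() is a helper defined here, and the target label is a sample value taken from the var_dump above.

```php
<?php
// Added example, not from the php-selinux package.
// Assumes the php-selinux extension is loaded (selinux_getcon(),
// selinux_compute_av() as described in the mail). PHP 7.1+ syntax.

/**
 * Return true only if every permission in $perms is allowed for
 * $scontext acting on an object of class $tclass labelled $tcontext.
 * Returns null when the wrapper reports an error.
 */
function selinux_check_perms(string $scontext, string $tcontext,
                             string $tclass, array $perms): ?bool
{
    $avd = selinux_compute_av($scontext, $tcontext, $tclass);
    // The wrapper returns false on error. A loose "==" would also match
    // an empty string or empty array, so compare type and value with "===".
    if ($avd === false) {
        return null;
    }
    $allowed = $avd["allowed"];   // subarray of permission => bool
    foreach ($perms as $p) {
        // A permission name missing from the array is treated as denied.
        if (!isset($allowed[$p]) || $allowed[$p] !== true) {
            return false;
        }
    }
    return true;
}

// Caller's own context, with the same "=== false" discipline: "" is a
// legal (if unexpected) string, false is the error signal.
$scontext = selinux_getcon();
if ($scontext === false) {
    fwrite(STDERR, "selinux_getcon() failed\n");
    exit(1);
}

$tcontext = "system_u:object_r:etc_t";   // sample target label from the mail
$readable = selinux_check_perms($scontext, $tcontext, "file",
                                ["read", "getattr"]);
if ($readable === null) {
    fwrite(STDERR, "selinux_compute_av() failed\n");
    exit(1);
}
echo $readable ? "Readable!\n" : "Not readable\n";
```

With the access vector shown in the var_dump above (read and getattr both true) the script prints "Readable!"; a policy that denies either permission yields "Not readable" rather than a silent pass.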
