pecl / selinux
SELinux binding for PHP language
Installs: 1
Dependents: 0
Suggesters: 0
Security: 0
Stars: 8
Watchers: 9
Forks: 8
Language:C
Type:php-ext
Requires
- php: >= 7.0.0
This package is auto-updated.
Last update: 2024-10-28 22:39:26 UTC
README
README: php-selinux package =========================== The php-selinux package is an extension to the PHP Hypertext Preprocessor. It wraps the libselinux library and provides a set of interfaces to the PHP runtime engine. The libselinux is a set of application program interfaces towards in-kernel SELinux, contains get/set security context, communicate security server, translate between raw and readable format and so on. REFERENCE MANUAL ================ * Global SELinux state bool selinux_is_enabled(void) It returns true if SELinux is running, or false if it is not. bool selinux_mls_is_enabled(void) It returns true if SELinux us running in MLS more, or false if it is not. int selinux_getenforce(void) It returns 0 if SELinux is running in permissive mode, 1 if it is running in enforcing mode, and -1 on error. bool selinux_setenforce(int $mode) It sets SELinux to enforcing mode if the value 1 is passed in, and sets it to permissive mode if 0 is passed in. On success 0 is returned, on error -1 is returned. int selinux_policyvers(void) It returns the version of the policy (a positive integer) on success, or -1 on error. bool selinux_deny_unknown(void) It returns true if SELinux handles unknown classes/permissions as 'denied', or false elsewhere. * Get/Set security attributes of processes string selinux_getcon(void) It retrieves the context of the current process, or false on error. bool selinux_setcon(string $context) It sets the current security context of the process to a new value. Note that use of this function requires that the entire application be trusted to maintain any desired separation between the old and new security contexts, unlike exec-based transitions performed via selinux_setexeccon(). When possible, decompose your applicaiton and use selinux_setexeccon() and pcntl_exec() instead. string selinux_getpidcon(int $pid) It returns the process context for the specified PID. string selinux_getprevcon(void) It is same as getcon but gets the context before the last exec. string selinux_getexeccon(void) It retrieves the context used for executing a new process, or false on error. The returned value can be an empty string which means no exec context has been explicitly set by the program (i.e. using the default policy behavior). bool selinux_setexeccon(string $context) It sets the context used for the next execve call. An empty string can be passed to reset to the default policy behavior. The exec context is automatically reset after the next execve(2), so a program doesn't need to explicitly sanitize it upon startup. This configured context can be applied prior to library functions that internally perform an execve, e.g. execl, execv, popen, in order to set an exec context for that operation. Note: Signal handlers that perform a selinux_setexecon must take care to save, reset, and restore the exec context to avoid unexpected behavior. string selinux_getfscreatecon(void) It retrieves the context used for creating a new file system object, or false on error. The returned value can be an empty string which means no fscreate context has been explicitly set by the program (i.e. using the default policy behavior). bool selinux_setfscreatecon(string $context) It sets the context used for creating a new file system object. An empty string can be passed to reset to the default policy behavior. The fscreate context is automatically reset after the next execve(2), so a program doesn't need to explicitly sanitize it upon startup. This configured context can be applied prior to library functions that internally perform an file creation, in order to set an file context on the objects. Note: Signal handlers that perform a selinux_setfscreate must take care to save, reset, and restore the fscreate context to avoid unexpected behavior. string selinux_getkeycreatecon(void) It retrieves the context used for creating a new kernel keyring, or false on error. The returned value can be an empty string which means no keycreate context has been explicitly set by the program (i.e. using the default policy behavior). bool selinux_setkeycreatecon(string $context) It sets the context used for creating a new kernel keyring. An empty string can be passed to reset to the default policy behavior. The keycreate context is automatically reset after the next execve(2), so a program doesn't need to explicitly sanitize it upon startup. This configured context can be applied prior to library functions that internally perform a keyring creation, in order to set a keyring context on the objects. Note: Signal handlers that perform a selinux_setkeycreate must take care to save, reset, and restore the keycreate context to avoid unexpected behavior. string selinux_getsockcreatecon(void) It retrieves the context used for creating a new socket object, or false on error. The returned value can be an empty string which means no sockcreate context has been explicitly set by the program (i.e. using the default policy behavior). bool selinux_setsockcreatecon(string $context) It sets the context used for creating a new labeled network sockets. An empty string can be passed to reset the default policy behavior. The sockcreate context is automatically reset after the next execve(2), so a program doesn't need to explicitly sanitize it upon startup. This configured context can be applied prior to library functions that internally perform a socket creation, in order to set a socket context on the objects. Note: Signal handlers that perform selinux_setsockcreate must take care to save, reset, and restore the sockcreate context to avoid unexpected behavior. * Get/Set file context API string selinux_getfilecon(string $path) It retrieves the context associated with the given path in the file system, or false on error. string selinux_lgetfilecon(string $path) It is identical to selinux_getfilecon, except in the case of a symbolic link, where the link itself is interrogated, not the file that it refers to. string selinux_fgetfilecon(resource $stream) It is identical to selinux_getfilecon, only the open file pointed to by $stream (as returned by fopen()) is interrogated in place of path. bool selinux_setfilecon(string $path, string $context) It sets the security context of the file system object and returns true, or false on error. bool selinux_lsetfilecon(string $path, string $context) It is identical to selinux_setfilecon, except in the case of a symbolic link, where the link itself is interrogated, not the file that it refers to. bool selinux_fsetfilecon(resource $stream, string $context) It is identical to selinux_setfilecon, only the open file pointed to by $stream (as returned by fopen())is interrogated in place of path. * Labeled Networking string selinux_getpeercon(resource $stream) It retrieves context of peer socket which is given by $stream (opened by stream_socket API). * Communication to in-kernel security policy array selinux_compute_av(string $scontext, string $tcontext, string $tclass) It queries whether the policy permits the source context $scontext to access the target context $tcontext via class $tclass with the requested access vector. See the cron source for a usage example, and returns an associative array which contains access vector decision, or false on error. The returned associative array contains five keys ("allowed", "auditallow", "auditdeny", "seqno" and "permissive"). The leading three are also associative arrays which contains pairs of a permission name and bool value. The "seqno" shows the generation of the working policy, and the "permissive" shows whether we should handle the $scontext as permissive domain, or not. $ php -r '$scontext = "staff_u:staff_r:staff_t:s0"; $tcontext = "system_u:object_r:etc_t:s0"; $avd = selinux_compute_av($scontext, $tcontext, "file"); var_dump($avd["allowed"]);' array(21) { ["ioctl"]=> bool(true) ["read"]=> bool(true) ["write"]=> bool(false) ["create"]=> bool(false) : ["execmod"]=> bool(false) ["open"]=> bool(false) } string selinux_compute_create(string $scontext, string $tcontext, string $tclass [, string $object_name]) It is used to compute a context to use for labeling a new object in a particular class based on a pair of security contexts. The 4th argument is optional; that allows to give object name being constructed. string selinux_compute_relabel(string $scontext, string $tcontext, string $tclass) It is used to compute the new context to use when relabeling an object, it is used in the pam_selinux.so source and the newrole source to determine the correct label for the tty at login time, but can be used for other things. string selinux_compute_member(string $scontext, string $tcontext, string $tclass) It is used to compute the context to use when labeling a polyinstantiated object instance. array selinux_compute_user(string $scontext, string $username) It is used to determine the set of user contexts that can be reached from a source context. Is mainly used by get_ordered_context_list. * Initial security context support string selinux_get_initial_context(string $name) It is used to get the context of a kernel initial security identifier specified by $name. * Sanity checks for security context bool selinux_check_context(string $context) It returns true if SELinux is running and the $context is valid, otherwise it returns false. string selinux_canonicalize_context(string $context) It returns canonicalized security context if the $context is valid, otherwise it returns false. * Booleans array selinux_get_boolean_names(void) It returns a list of boolean names, currently supported by the loaded policy. int selinux_get_boolean_pending(string $bool_name) It returns pending value (0 or 1) for boolean specified by $bool_name, or -1 on error. int selinux_get_boolean_active(string $bool_name) It returns active value (0 or 1) for boolean specified by $bool_name, or -1 on error. bool selinux_set_boolean(string $bool_name, bool $bool_value) It sets the pending value ($bool_value) for boolean specified by $bool_name. bool selinux_commit_booleans(void) It commit all pending values for the booleans. * Mcstrans support string selinux_trans_to_raw_context(string $context) It performs context translation from the human-readable format ("translated") to the internal system format ("raw"), and returns the raw format string, or false on error. string selinux_raw_to_trans_context(string $context) It performs context translation from the internal system format ("raw") to the human-readable format ("translated"), and returns the human-readable format string, or false on error. * selabel wrappers string selinux_file_label_lookup(string $pathname, int $mode [, bool $validate [, bool $baseonly [, string $subset [, string $specfile]]]]) It returns an expected security context for the given $pathname and $mode based on the security policy configuration, or false on errors. We assume the result of lstat is delivered as $mode. The optional $validate is used to enable validation check for security contexts, and its default is false. The optional $baseonly is used to ignore local configuration, and its default is false. The optional $subset enables to restrict prefix of target files, and its default is null which means no restriction. The optional $specfile enables to specify own mapping, and its default is apply system default. string selinux_media_label_lookup(string $device [, bool $validate [, string $specfile]]) It returns an expected security context for the given $device, such as "cdrom" or "floppy". Optional arguments have same meanings to selinux_file_label_lookup(). string selinux_x_label_lookup(string $objname, string $objtype) It returns an expected security context managed by SE-X towards the given pair of $objname and $objtype. The $objtype should be one of "property", "extension", "client", "event", "selection", "poly_property" or "poly_selection". string selinux_db_label_lookup(string $objname, string $objtype) It returns an expected security context managed by SE-PostgreSQL towards the given pair of $objname and $objtype. The $objtype should be one of "database", "schema", "table", "column", "sequence", "view", "procedure", "blob", "tuple" or "language". * Configuration files string selinux_getenforcemode(void) It returns the initial state on the system, configured in /etc/selinux/config. string selinux_getpolicytype(void) It returns the default policy type on the system, configured in /etc/selinux/config. string selinux_policy_root(void) It returns the directory path which stores the policy and context configuration.