neubert

Reputation: 16782

detecting if someone has selinux installed / httpd_can_network_connect enabled

When SELinux is installed there's a setting - httpd_can_network_connect - that often prevents PHP's fsockopen() from making outbound connections when it was instantiated by a request coming in via HTTP.

I would like to be able to see, via PHP, if a system has SELinux / httpd_can_network_connect enabled. If so I'd present the user with a warning saying that this setting could interfere with the page.

I installed SELinux on an Ubuntu machine and although httpd_can_network_connect doesn't even appear to be an option that's available to me, SELinux nonetheless does appear to be installed, and I'm not seeing any indications of it being installed even in the phpinfo() output.

Any ideas?

Upvotes: 5

Views: 2809

Answers (3)

Daniel

Reputation: 4735

To answer your question: getsebool httpd_can_network_connect. This will retrieve the status of the boolean in question.

Upvotes: 2

qwattash

Reputation: 855

There are some PHP bindings for the libselinux userspace library that allow you (among other things) to get SELinux booleans. See php-pecl-selinux in the Fedora project packages archive. Here is the pecl page.

Among other things it defines the selinux_get_boolean_active function, which should do the job for you; it takes the boolean name and returns a long, or -1 on failure.

There is not much documentation online but you can refer to the libselinux man pages and summary for function signatures.

Hope this helps!

Upvotes: 2

Devon Bessemer

Reputation: 35337

Not sure about selinux integration with PHP. You could use the shell command.

// getenforce prints "Enforcing", "Permissive" or "Disabled"; trim the trailing newline
$getenforce = trim(shell_exec("getenforce"));
if ($getenforce == "Disabled" or $getenforce == "Permissive") {
    // good to go: SELinux is not enforcing, so the boolean cannot block the connection
}

Although, getenforce may not exist on all Linux systems, so you may want to test the function somehow. Here is something that may work for that:

// $getenforce receives the output lines, $return the command's exit status
exec("getenforce", $getenforce, $return);
// a non-zero exit status short-circuits the check, so $getenforce[0] is only read when the command ran
if ($return or ($getenforce[0] == "Disabled" or $getenforce[0] == "Permissive")) {
    // good to go
}

The return value should be greater than 0 if the user either doesn't have access to it or the getenforce command doesn't exist.

Note: On my system, getenforce is in /usr/sbin, so you may need to specify the full path to getenforce if sbin isn't in the user's include path. There appear to be no restrictions on non-superusers running getenforce from my testing.

Upvotes: 5
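Both Daniel's getsebool answer and Devon's getenforce answer shell out to a binary that may not be installed or on the web server user's PATH. As an added example that is not part of any answer above, the following PHP reads the same information straight from the selinuxfs pseudo-filesystem, which the kernel mounts at /sys/fs/selinux (older systems used /selinux): the enforce file holds 0 or 1, and booleans/<name> holds the active value followed by the pending one. No subprocess is spawned, so nothing user-controlled reaches a shell. The function and parameter names are my own; the optional $base argument exists only so the function can be pointed at a test tree.

```php
<?php
// Added example, not code from the question or answers above.
// Reads SELinux mode and one boolean from selinuxfs instead of running
// getenforce/getsebool. Assumed layout (true for current kernels):
//   /sys/fs/selinux/enforce            -> "0" (permissive) or "1" (enforcing)
//   /sys/fs/selinux/booleans/<name>    -> "<current> <pending>", e.g. "1 1"

function selinux_status(string $bool = 'httpd_can_network_connect', ?string $base = null): array
{
    // The boolean name becomes part of a path, so reject anything but a plain identifier.
    if (!preg_match('/^[a-z0-9_]+$/', $bool)) {
        throw new InvalidArgumentException("invalid SELinux boolean name: $bool");
    }

    $candidates = $base !== null ? [$base] : ['/sys/fs/selinux', '/selinux'];
    $root = null;
    foreach ($candidates as $dir) {
        if (is_file("$dir/enforce")) {
            $root = $dir;
            break;
        }
    }
    if ($root === null) {
        // selinuxfs is not mounted: SELinux is disabled or not built into the kernel.
        return ['installed' => false, 'enforcing' => false, 'boolean' => null, 'warn' => false];
    }

    $enforce   = @file_get_contents("$root/enforce");
    $enforcing = $enforce !== false && trim($enforce) === '1';

    // null means the policy on this host does not define the boolean at all
    // (the situation the asker saw on Ubuntu), so there is nothing to warn about.
    $boolean = null;
    $raw = @file_get_contents("$root/booleans/$bool");
    if ($raw !== false) {
        $fields  = preg_split('/\s+/', trim($raw));   // [active, pending]
        $boolean = $fields[0] === '1';
    }

    // Outbound connections from httpd are only denied when SELinux is enforcing
    // and the boolean exists and is off. In permissive mode the denial is only
    // logged as an AVC message in the audit log, which is worth telling the admin.
    $warn = $enforcing && $boolean === false;

    return ['installed' => true, 'enforcing' => $enforcing, 'boolean' => $boolean, 'warn' => $warn];
}

// Builds the user-facing warning the asker wanted, or null when none is needed.
function selinux_warning(array $status): ?string
{
    if (!$status['warn']) {
        return null;
    }
    return 'SELinux is enforcing and httpd_can_network_connect is off; outbound '
         . 'connections from this page (fsockopen, curl) will be denied. An '
         . 'administrator can allow them with: setsebool -P httpd_can_network_connect 1';
}

// Usage on a live host:
//   $status = selinux_status();
//   if (($msg = selinux_warning($status)) !== null) {
//       echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
//   }
```

The selinuxfs files are world-readable, so this works from the web server's unprivileged user without sudo and without any PECL extension. If the web server itself is confined (httpd_t) and the policy forbids reading selinuxfs, file_get_contents returns false, and the function degrades to "installed, unknown boolean" rather than throwing; check the audit log for an AVC denial if you hit that case.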
