On Wed, 2005-03-30 at 09:32 -0600, Christofer C. Bell wrote:
> Look into use of the audit2allow utility for converting denied
> messages into rules that allow the behavior that was denied.  The
> short of it is:
>
> # cd /etc/selinux/targeted/src
> # audit2allow -d -l -o domains/misc/local.te && make load
>
> Repeat until your script works and then clean up the local.te file's
> formatting (not necessary).

The problem with the above sequence is it will directly allow those
permissions to the original domain of the script; hence, all CGI scripts
would end up having those permissions.  Better to define a separate
httpd_passwd_t domain modeled after the passwd_t domain in the strict
policy and set up a domain transition into this domain only for the
script in question.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency
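
The separate-domain approach described in the reply above, as an added example that is not part of the original message or of any shipped policy. It assumes the macros of the old example-policy source tree (domain_auto_trans), that CGI scripts run in httpd_sys_script_t, and a placeholder script path; the commented-out shadow_t rule is constructed for illustration.

```selinux
# BEFORE (constructed): the kind of rule audit2allow appends to local.te.
# It names the domain that every CGI script runs in (assumed here to be
# httpd_sys_script_t), so every CGI script gains the access.
# allow httpd_sys_script_t shadow_t:file { read write };

# AFTER: a dedicated domain that is entered only through one labelled
# executable.
type httpd_passwd_t, domain;
type httpd_passwd_exec_t, file_type, exec_type;
role system_r types httpd_passwd_t;

# The transition happens only when the CGI domain executes a file labelled
# httpd_passwd_exec_t; all other CGI scripts stay in httpd_sys_script_t.
domain_auto_trans(httpd_sys_script_t, httpd_passwd_exec_t, httpd_passwd_t)

# Rules for httpd_passwd_t itself go below, modeled on passwd_t in the
# strict policy. Denials for the script are now logged with a source
# context ending in httpd_passwd_t, so any rule derived from them should
# name httpd_passwd_t as its source, never httpd_sys_script_t.

# File context entry (belongs in a .fc file, not in this .te file).
# The path is a placeholder for the one script in question:
# /path/to/script  --  system_u:object_r:httpd_passwd_exec_t
```

After loading the policy, the script has to be relabelled so that it carries httpd_passwd_exec_t; until then it keeps running in the general CGI domain.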