On Wed, 2005-03-30 at 10:03 -0600, Christofer C. Bell wrote:
> That's a very good point and really bears spelling out. How would one
> go about creating the new domain and then implementing the proper
> transition for just one set of CGI scripts? I ask because I (was)
> running Open WebMail and ran into the case where I needed to
> effectively disable SELinux controls over all CGI scripts to allow OWM
> to run. I would have preferred the case where these controls were
> removed *only* for the relevant scripts, allowing the remaining
> scripts to keep the protections afforded by the default policy.

Easiest way to create a domain presently is to copy an existing one and edit it, using your favorite filter to replace all occurrences of the old prefix with a new one. By introducing a separate _exec_t type for the new domain (e.g. httpd_passwd_exec_t) and assigning that type to the particular CGI script in question (manually with chcon or via restorecon after updating your file_contexts), you only affect that particular script.

Possible resources:
- The RHEL4 SELinux Guide, http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
- Understanding and Customizing the Apache HTTP SELinux Policy, http://fedora.redhat.com/docs/selinux-apache-fc3/
- Sourceforge SELinux HOWTOs, http://sourceforge.net/docman/?group_id=21266
- SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty, http://www.oreilly.com/catalog/selinux/
- Tresys Technology Policy Writing Course Slides, http://www.tresys.com/selinux/selinux-course-outline.html
- Configuring the SELinux Policy, http://www.nsa.gov/selinux/papers/policy2-abs.cfm

-- 
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency
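The procedure described in the reply above (clone an existing CGI domain, rename its prefix with a filter, give the one script its own _exec_t type via file_contexts, then relabel with chcon or restorecon), as an added shell example that is not part of the original thread. The policy snippet is a constructed, simplified stand-in for the rules that define httpd_sys_script_t in the old example policy, not a copy of apache.te; the domain name httpd_owm_script and the /var/www/cgi-bin/openwebmail path are assumptions. The relabel step only runs on an SELinux-enabled host where that directory exists; elsewhere it prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the original thread. Derive a separate CGI
# domain for one script so the remaining CGI scripts keep the default policy.

OLD_PREFIX=httpd_sys_script          # existing CGI domain prefix being cloned
NEW_PREFIX=httpd_owm_script          # assumed name for the Open WebMail domain
SCRIPT_DIR=/var/www/cgi-bin/openwebmail   # assumed Open WebMail install location

# Constructed stand-in for the rules that define the existing CGI domain.
# In practice these lines are copied from the policy sources (apache.te).
template_policy() {
cat <<'EOF'
type httpd_sys_script_t, domain;
type httpd_sys_script_exec_t, file_type, sysadmfile;
domain_auto_trans(httpd_t, httpd_sys_script_exec_t, httpd_sys_script_t)
EOF
}

# Clone the domain: every occurrence of the old prefix becomes the new one.
# This is the "favorite filter" step; the output goes into your local .te file.
derive_domain() {
    template_policy | sed "s/${OLD_PREFIX}/${NEW_PREFIX}/g"
}

# file_contexts entry giving only the OWM scripts the new _exec_t type.
# Every other CGI script keeps httpd_sys_script_exec_t and its protections.
file_context_entry() {
    printf '%s(/.*)?\tsystem_u:object_r:%s_exec_t\n' "$SCRIPT_DIR" "$NEW_PREFIX"
}

# Sanity check before loading: if the old prefix survives anywhere, the new
# domain would still share types (and the transition) with the original one.
verify_derivation() {
    if derive_domain | grep -q "$OLD_PREFIX"; then
        echo "FAIL: old prefix still present"
        return 1
    fi
    echo "OK"
}

# Relabel step. restorecon needs the updated file_contexts and a reloaded
# policy; chcon is the manual one-off alternative mentioned in the reply.
relabel() {
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null \
       && [ -d "$SCRIPT_DIR" ]; then
        restorecon -R "$SCRIPT_DIR"
    else
        echo "would run: chcon -R -t ${NEW_PREFIX}_exec_t $SCRIPT_DIR"
        echo "   or    : restorecon -R $SCRIPT_DIR   (after updating file_contexts)"
    fi
}

derive_domain
file_context_entry
verify_derivation
relabel
```

The derived rules still need to be added to the policy sources and the policy rebuilt and loaded before the new type is valid; until then chcon will refuse to apply httpd_owm_script_exec_t, which is a useful check that the load actually happened.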