On Thu, 2005-01-20 at 10:47 -0500, Daniel J Walsh wrote:
> This sounds like a bug. A user executing a httpd script should not be
> changing context to httpd_sys_script_t, correct?

There's an explicit rule for this now, in macros/program/apache_macros.te:

ifelse($1, sys, `
#
# If a user starts a script by hand it gets the proper context
#
domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
role sysadm_r types httpd_$1_script_t;
', `
# If a user starts a script by hand it gets the proper context
domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
role $1_r types httpd_$1_script_t;
')

We probably want to just drop this in targeted policy. In strict, we grant
userdomains access to all the derived types such as httpd_sys_content_t, so
not doing the transition (i.e. just changing it to can_exec, or maybe
domain_trans) should allow the CGI script to continue to work, at first
glance. But I have a feeling there was a particular reason policy has this
rule; clearly it was intentional. I'll think about this for a bit.
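To make the three options mentioned in the reply concrete, the following is an added illustration; it is not part of the thread and not a quote from the policy source. The macro bodies approximate the domain_trans, domain_auto_trans and can_exec definitions in macros/core_macros.te of the strict policy of that era and are written from memory, so treat them as assumptions to be checked against the tree in question. Below them, the non-sys branch of the apache_macros.te rule is shown with $1 expanded to user, next to what the two proposed replacements would grant instead.

```m4
# Added illustration, not from the original message. The macro bodies below
# approximate macros/core_macros.te of the 2005-era strict policy; verify
# them against the actual tree before relying on the details.

# domain_trans: permit (but do not force) a transition from domain $1 to
# domain $3 through the entrypoint type $2. Nothing changes on execve()
# unless the caller asks for it (setexeccon() or runcon).
define(`domain_trans',`
allow $1 $2:file { getattr execute };
allow $1 $3:process transition;
allow $3 $2:file entrypoint;
dontaudit $3 $1:process { noatsecure siginh rlimitinh };
')

# domain_auto_trans: the same permissions plus a type_transition rule, so
# the kernel performs the domain change automatically on execve(). This is
# what apache_macros.te uses, which is why a user-run CGI lands in
# httpd_user_script_t without the user doing anything special.
define(`domain_auto_trans',`
domain_trans($1,$2,$3)
type_transition $1 $2:process $3;
')

# can_exec: run the file in the caller's own domain. execute_no_trans is
# the permission that lets execve() proceed with no domain change at all.
define(`can_exec',`
allow $1 $2:file { read getattr lock execute ioctl execute_no_trans };
')

# The alternatives discussed in the thread, shown for $1 = user:

# (a) the rule as it stands: ./script.cgi from a user_t shell automatically
#     becomes httpd_user_script_t.
domain_auto_trans(user_t, httpd_user_script_exec_t, httpd_user_script_t)
role user_r types httpd_user_script_t;

# (b) domain_trans instead: the transition is allowed only on explicit
#     request, e.g. runcon -t httpd_user_script_t ./script.cgi; a plain
#     ./script.cgi keeps running as user_t. The role statement is still
#     required so that user_r may run httpd_user_script_t at all.
# domain_trans(user_t, httpd_user_script_exec_t, httpd_user_script_t)
# role user_r types httpd_user_script_t;

# (c) can_exec instead: no transition is possible from this rule; the script
#     runs as user_t, which in strict policy already reaches the derived
#     types such as httpd_user_content_t, so the CGI should still work.
# can_exec(user_t, httpd_user_script_exec_t)
```

To see which variant a built policy actually implements, run the script by hand from a user shell and have it print `id -Z` (or look at the process with `ps -eZ`): with (a) the context shows httpd_user_script_t, with (b) or (c) it stays in the user domain unless runcon was used.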