httpd controls ?

Stephen Smalley sds at
Wed Mar 30 16:07:18 UTC 2005

On Wed, 2005-03-30 at 10:03 -0600, Christofer C. Bell wrote:
> That's a very good point and really bears spelling out.  How would one
> go about creating the new domain and then implementing the proper
> transition for just one set of CGI scripts?  I ask because I (was)
> running Open WebMail and ran into the case where I needed to
> effectively disable SELinux controls over all CGI scripts to allow OWM
> to run.  I would have preferred the case where these controls were
> removed *only* for the relevant scripts, allowing the remaining
> scripts to keep the protections afforded by the default policy.

Easiest way to create a domain presently is to copy an existing one and
edit it, using your favorite filter to replace all occurrences of the
old prefix with a new one.  By introducing a separate _exec_t type for
the new domain (e.g. httpd_passwd_exec_t) and assigning that type to the
particular CGI script in question (manually with chcon or via restorecon
after updating your file_contexts), you only affect that particular

Possible resources:
- The RHEL4 SELinux Guide,
- Understanding and Customizing the Apache HTTP SELinux Policy,
- Sourceforge SELinux HOWTOs
- SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty,
- Tresys Technology Policy Writing Course Slides,
- Configuring the SELinux Policy,

Stephen Smalley <sds at>
National Security Agency
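
The copy-and-rename procedure described in the message above, as an added example that is not part of the original post or of any shipped policy. The `httpd_helper` source prefix, the sample policy text and the `passwd.cgi` path are constructed assumptions; only `httpd_passwd_exec_t`, `chcon`, `restorecon` and `file_contexts` come from the message.

```shell
#!/bin/sh
# Added example: clone a policy domain by prefix substitution, then produce the
# file_contexts entry and labeling commands for a single CGI script.
# Constructed assumptions: httpd_helper prefix, sample policy text, script path.

# Rename OLD_ to NEW_ only where OLD starts an identifier, so shared types
# (httpd_t, httpd_log_t) and unrelated names containing OLD stay untouched.
# Usage: clone_domain OLD_PREFIX NEW_PREFIX < old.te > new.te
clone_domain() {
    sed -E "s/(^|[^A-Za-z0-9_])${1}_/\\1${2}_/g"
}

# Build a file_contexts line: path regex (dots escaped), "--" to match regular
# files only, and the context carrying the new _exec_t type.
# Usage: fc_entry NEW_PREFIX SCRIPT_PATH
fc_entry() {
    printf '%s\t--\tsystem_u:object_r:%s_exec_t\n' \
        "$(printf '%s' "$2" | sed 's/\./\\./g')" "$1"
}

# The two labeling routes from the message, printed rather than executed so
# the script also runs on a host without SELinux tools.
label_cmds() {
    printf 'chcon -t %s_exec_t %s\n' "$1" "$2"
    printf 'restorecon -v %s\n' "$2"
}

# Constructed stand-in for the existing domain being copied.
sample_te() {
cat <<'EOF'
type httpd_helper_t, domain;
type httpd_helper_exec_t, file_type, exec_type;
role system_r types httpd_helper_t;
domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_log_t:file { append getattr };
EOF
}

sample_te | clone_domain httpd_helper httpd_passwd
fc_entry httpd_passwd /var/www/cgi-bin/passwd.cgi
label_cmds httpd_passwd /var/www/cgi-bin/passwd.cgi
```

After the rename, the copied rules still need editing down to what the one script actually requires; the substitution only gives the new domain its own type names.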

More information about the fedora-selinux-list mailing list