On Wed, 2005-03-30 at 09:32 -0600, Christofer C. Bell wrote:
> Look into use of the audit2allow utility for converting denied
> messages into rules that allow the behavior that was denied. The
> short of it is:
>
> # cd /etc/selinux/targeted/src
> # audit2allow -d -l -o domains/misc/local.te && make load
>
> Repeat until your script works and then clean up the local.te file's
> formatting (not necessary).

The problem with the above sequence is it will directly allow those
permissions to the original domain of the script; hence, all CGI scripts
would end up having those permissions. Better to define a separate
httpd_passwd_t domain modeled after the passwd_t domain in the strict
policy and set up a domain transition into this domain only for the
script in question.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
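
The concern raised in the reply above, shown as an added example that is not part of the original thread and is not audit2allow's own code: a simplified parser that turns AVC denials into allow rules keyed on the source domain, then lists what every process in a shared domain would gain. The log lines are constructed samples, and `httpd_sys_script_t` as the shared CGI domain is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample denials in the kernel AVC log format (not from the thread).
SAMPLE_LOG = """\
audit(1112196720.101:0): avc:  denied  { read } for  pid=2311 exe=/usr/bin/perl name=shadow dev=hda2 ino=4411 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1112196720.105:0): avc:  denied  { write } for  pid=2311 exe=/usr/bin/perl name=shadow dev=hda2 ino=4411 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1112196721.009:0): avc:  denied  { add_name } for  pid=2311 exe=/usr/bin/perl name=nshadow dev=hda2 ino=12 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:etc_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type security context."""
    return context.split(":")[2]

def allow_rules(log):
    """Merge denials into {(source_type, target_type, class): [perms]}."""
    perms = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        p, scon, tcon, tclass = m.groups()
        perms[(type_of(scon), type_of(tcon), tclass)].update(p.split())
    return {key: sorted(val) for key, val in perms.items()}

def render(rules):
    """Format the merged rules as policy 'allow' statements."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(rules.items())]

def overbroad_targets(rules, shared_domains):
    """Target types that every process in a shared source domain would gain."""
    return sorted({t for (s, t, _c) in rules if s in shared_domains})

if __name__ == "__main__":
    rules = allow_rules(SAMPLE_LOG)
    print("\n".join(render(rules)))
    # Assumption: all CGI scripts run in httpd_sys_script_t.
    print("granted to every CGI script:",
          overbroad_targets(rules, {"httpd_sys_script_t"}))
```

Every generated rule names the shared source domain, which is why the reply recommends a dedicated domain with a transition for the one script instead.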