Creating a custom CGI domain
Sometimes, it might not be necessary to create a full set of types. Consider a CGI script that is triggered but without the need for a specific set of content types. Sure, one can mark the script as httpd_sys_script_exec_t (if it is a system's CGI script) or httpd_user_script_exec_t (if it is a user's custom CGI script) so that the resulting script runs in the httpd_sys_script_t or httpd_user_script_t domain.
But, if those domains do not hold enough privileges (or too many privileges), it might be wise to create a custom CGI domain instead.
How to do it…
To create a custom CGI domain, the following approach can be used:
Create a custom SELinux policy module (
mycgiscript.te) with the following content:policy_module(mycgiscript, 0.1) type cgiscript_t; type cgiscript_exec_t; domain_type(cgiscript_t) domain_entry_file(cgiscript_t, cgiscript_exec_t) apache_cgi_domain(cgiscript_t, cgiscript_exec_t)
Create the proper file context file (
mycgiscript.fc), marking the executable...
