Creating an SELinux module for CGI scripts
SELinux is a security framework for enforcing security policies. In the
default setup of SELinux, many externally accessible daemons have policies
that restrict their access to the system. In this way these policies are an
extra layer of protection for the system.
In many cases these restrictions are useful. But there are cases where
you want to allow access which is prohibited by the default policy.
One example of such a restriction is that general access to "/proc" is not
allowed from the webserver. This restriction prevents a CGI script from
producing a complete "ps -ef" listing.
We will demonstrate how to create an SELinux module which allows this
access for just one script without disabling SELinux.