Adding Permissions Using SELinux
Subject:   Better example needed
Date:   2004-12-19 17:20:52
From:   macemoneta
While the example shown is useful, a more common occurence would be that some PHP application (running under httpd_sys_script_t) needs a specific executable in /usr/bin/ (bin_t) that it doesn't have permission for (for example, ImageMagick utilities for image manipulation).

How would permission be granted for that purpose, without allowing all /usr/bin executables to be invoked? Clearly, the executable can't simply be relabeled in this case, since it is owned by another package (and the labeling change will be reverted with maintenance).

These are the kind of real-life "gotchas" that need a secure and maintainable approach for resolution.