diff -urN default/domains/program/apache.te current/domains/program/apache.te
--- default/domains/program/apache.te 2002-10-17 01:24:36.000000000 +0200
+++ current/domains/program/apache.te 2002-10-25 18:26:35.000000000 +0200
@@ -55,9 +55,6 @@
 domain_auto_trans(initrc_t, httpd_exec_t, httpd_t)
 type_transition init_t httpd_exec_t:process httpd_t;
-# for php
-tmp_domain(httpd)
-
 #
 # A type for files in /var/run specific to httpd
 #
@@ -367,14 +364,14 @@
 ########################################
 # When the admin starts the server, the server wants to acess
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are commented out here. If you decide that access is needed,
-# then uncomment, but be aware that this will grant httpd access
-# to all sysadm_r TTYs and PTYs.
+# the TTY or PTY associated with the session. This is very bad
+# behaviour as it allows the server access to the sysadm_r TTYs
+# and PTYs, but apache2 doesn't work without.
+# If you run apache 1.x.x, try disabling this. For apache2,
+# this is currently the only solution.
 ##################################################
-allow httpd_t admin_tty_type:chr_file write;
-dontaudit httpd_t admin_tty_type:chr_file { read write };
+allow httpd_t admin_tty_type:chr_file { read write };
+
 ###########################
 # Allow httpd to receive messages from the network card
@@ -387,8 +384,7 @@
 allow httpd_t home_root_t:dir { getattr search };
 allow httpd_t user_home_dir_type:dir { getattr search };
 allow httpd_t user_home_type:dir { getattr search read };
-# need ioctl for php3
-allow httpd_t user_home_type:{ file lnk_file } { getattr read ioctl };
+allow httpd_t user_home_type:{ file lnk_file } { getattr read };
 dontaudit httpd_t sysadm_home_dir_t:dir { getattr search };
 ############################################################################
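Review bot: Dropping `tmp_domain(httpd)` leaves httpd_t itself with no private /tmp type, while the replacement `httpd_php_tmp_t` added further down in this patch is granted only to httpd_php_t, which is reached solely through the transition on the `/usr/lib/cgi-bin/php` binary. If PHP is also loaded as an Apache module it keeps running in httpd_t and now gets neither a tmp type nor the new domain, so its /tmp writes would be denied rather than confined. A comment here would make that explicit, e.g. `# httpd_t no longer gets a tmp type; PHP /tmp access is confined to httpd_php_t (CGI binary only)`. Whether anything else in httpd_t relied on the old tmp type is not visible in this hunk.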
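Review bot: The new rule `allow httpd_t admin_tty_type:chr_file { read write };` grants the web server read access on every sysadm_r TTY and PTY, so a compromised httpd could capture whatever the administrator types in those sessions; the replaced rules allowed only write and merely silenced read denials. The startup failure described in the comment is more plausibly caused by the stdin/stdout/stderr descriptors inherited from the admin shell than by a genuine need to read the terminal, so the narrower form `allow httpd_t admin_tty_type:chr_file write;` plus `dontaudit httpd_t admin_tty_type:chr_file read;` is worth retesting against apache2 before read is granted outright, or the init script could redirect those descriptors so neither permission is needed. If read really is required, the comment should name the operation that fails, since "doesn't work without" gives the next maintainer nothing to retest against.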
@@ -399,8 +395,7 @@
 #################################################
 # Allow the httpd_t to read the web servers config files
 ###################################################
-allow httpd_t httpd_config_t:file r_file_perms;
-allow httpd_t httpd_config_t:dir r_dir_perms;
+r_dir_file(httpd_t, httpd_config_t)
 # allow logrotate to read the config files for restart
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, httpd_config_t)
@@ -489,3 +484,41 @@
 # Uncomment the following line to enable:
 #can_exec(httpd_t, shell_exec_t)
+
+##################################################
+#
+# PHP Directives
+##################################################
+
+type httpd_php_exec_t, file_type, exec_type;
+type httpd_php_t, domain;
+
+# Transition from the user domain to this domain.
+domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# The user role is authorized for this domain.
+role system_r types httpd_php_t;
+
+general_domain_access(httpd_php_t)
+general_file_read_access(httpd_php_t)
+uses_shlib(httpd_php_t)
+can_exec(httpd_php_t, lib_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_files_t:file ra_file_perms;
+
+# access to /tmp
+type httpd_php_tmp_t, file_type, sysadmfile, tmpfile;
+file_type_auto_trans(httpd_php_t, tmp_t, httpd_php_tmp_t)
+
+# ignore these things, PHP seems to work fine without
+dontaudit httpd_php_t httpd_sys_script_t:dir { search };
+
+
+# connect to mysql
+ifdef(`mysqld.te', `
+can_unix_connect(httpd_php_t, mysqld_t)
+allow httpd_php_t var_run_mysqld_t:dir { search };
+allow httpd_php_t var_run_mysqld_t:sock_file { write };
+')
+
diff -urN default/file_contexts/program/apache.fc current/file_contexts/program/apache.fc
--- default/file_contexts/program/apache.fc 2002-10-17 01:24:36.000000000 +0200
+++ current/file_contexts/program/apache.fc 2002-10-25 17:45:24.000000000 +0200
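Review bot: httpd_php_t is the domain that will execute attacker-influenced PHP code, yet it is built from `general_domain_access(httpd_php_t)`, `general_file_read_access(httpd_php_t)` and `can_exec(httpd_php_t, lib_t)`, which — going by the macro names, since their bodies are not in this diff — give it broad read access across the system plus the ability to execute anything labelled lib_t, considerably more than the CGI scripts in httpd_sys_script_t get. `uses_shlib(httpd_php_t)` presumably already covers mapping shared libraries, so `can_exec(httpd_php_t, lib_t)` should be dropped unless a specific lib_t binary is known to be needed, and the general read macro replaced by explicit allows on the content and config types PHP actually serves. The comment `# The user role is authorized for this domain.` contradicts the rule below it, `role system_r types httpd_php_t;`; suggest `# system_r is authorized for this domain: php is spawned by httpd_t, not from a user session.` The `dontaudit httpd_php_t httpd_sys_script_t:dir { search };` also hides the very denial that would show PHP being pointed at the CGI directory, so consider leaving it audited until the domain is tuned.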
@@ -3,6 +3,7 @@
 /var/www/mrtg(/.*)? system_u:object_r:httpd_sys_content_t
 /var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_t
 /usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_t
+/usr/lib/cgi-bin/php(3|4)? system_u:object_r:httpd_php_exec_t
 /var/www/perl(/.*)? system_u:object_r:httpd_sys_script_t
 /var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t
 /var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t
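Review bot: The new `/usr/lib/cgi-bin/php(3|4)?` entry only takes effect because it follows the broader `/usr/lib/cgi-bin(/.*)?` line — with setfiles of this era the last matching specification wins — so a comment such as `# keep after the generic cgi-bin entry: last match wins` would stop a future reordering from silently relabelling the interpreter back to httpd_sys_script_t and bypassing the httpd_php_t transition. The same interpreter installed under `/var/www/cgi-bin` would still be labelled httpd_sys_script_t by the line above it, and nothing in this diff labels a PHP module under Apache's modules directory, so the new confinement applies only to the CGI path listed here.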