-+++ policy-1.23.4/domains/program/unused/apache.te 2005-03-22 12:19:28.267021536 -0500
++++ policy-1.23.4/domains/program/unused/apache.te 2005-03-22 13:41:52.893324080 -0500
 @@ -42,6 +42,9 @@
 # Allow http daemon to communicate with the TTY
 bool httpd_tty_comm false;
 @@ -200,18 +205,28 @@
 can_ypbind(httpd_t)
 ###################
-@@ -352,3 +360,8 @@
+@@ -352,3 +360,18 @@
 allow httpd_sys_script_t var_lib_t:dir search;
 dontaudit httpd_t selinux_config_t:dir search;
 r_dir_file(httpd_t, cert_t)
 +
++#
++# unconfined domain for apache scripts. Only to be used as a last resort
++#
 +type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
-+type httpd_unconfined_t, domain;
-+unconfined_domain(httpd_unconfined_t)
-+domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_t)
++type httpd_unconfined_script_t, domain, nscd_client_domain;
++role system_r types httpd_unconfined_script_t;
++unconfined_domain(httpd_unconfined_script_t)
++if (httpd_enable_cgi) {
++domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
++domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
++allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
++allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
++}
++
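Review bot: The two `domain_auto_trans` rules into httpd_unconfined_script_t are gated only by `httpd_enable_cgi`, so on any host with CGI enabled, a file labelled httpd_unconfined_script_exec_t and run by httpd_t or httpd_suexec_t leaves policy confinement entirely. Because the exec type is `customizable`, relabeling tools normally leave such a label in place, so it can outlive the reason it was set. I would put the transitions behind their own boolean that defaults to off, for example `bool httpd_unconfined_scripts false;` (the name is a suggestion, not an existing boolean) with `if (httpd_enable_cgi && httpd_unconfined_scripts) {`. The header comment could also state what "last resort" costs, e.g. `# Scripts in this domain are not restricted by policy; only Unix permissions limit what a flawed script can reach.`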