If you organize your /var/www tree in a conventional manner, then it should work fairly smoothly. Problems arise when people put CGIs all over the place (not just in cgi-bin), and don't use any conventions in separating files that should be read-only vs. read-write.
OK, you are selling me on the /var/www tree. What is "a conventional manner"? Needless to say you don't have to explain it all to me, perhaps you can point me to a resource that describes what you are talking about. For example, where do user PHP scripts live in this tree? Are they readable/writable by others?
Simplest thing to do is just to install policy sources and just allow the permissions you want, e.g.

yum install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
repeat:
audit2allow -d >> domains/misc/local.te
make load
<retry operation>
<goto repeat if it fails>
Might be quicker to switch to permissive mode (setenforce 0), run your CGI via apache, then run audit2allow once, as that will then collect _all_ of the audit messages that would have been denied in enforcing mode.
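As an added illustration (not from this thread or from the audit2allow tool itself) of what audit2allow does with the denials collected after a permissive-mode run: parse the AVC records in the audit log and merge them into allow rules in the .te syntax that gets appended to local.te. The audit lines are constructed samples for an httpd CGI touching files under var_t, and the merging is a simplified version of audit2allow's behaviour.

```python
import re
from collections import defaultdict

# Constructed sample audit records standing in for what audit2allow would read
# from /var/log/audit/audit.log after running the CGI with setenforce 0.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300000000.101:201): avc:  denied  { read } for  pid=2301 comm="httpd" name="counter.txt" dev=sda1 ino=40001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1300000000.102:202): avc:  denied  { write } for  pid=2301 comm="httpd" name="counter.txt" dev=sda1 ino=40001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1300000000.103:203): avc:  denied  { search } for  pid=2301 comm="httpd" name="data" dev=sda1 ino=40000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1300000000.103:203): arch=40000003 syscall=5 success=no exit=-13
"""

# One AVC denial: the permission set in braces, then source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def domain_type(context):
    """Return the type field (third element) of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records carry no denial to translate
        yield (domain_type(m["scontext"]), domain_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))

def denials_to_te(log_text):
    """Merge denials per (source, target, class) into allow rules, as audit2allow prints them.

    Each rule grants exactly the permissions that were denied, so review the
    output before running `make load`: a denial on a broad type like var_t
    usually means the files should be relabeled, not that httpd_t needs var_t.
    """
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(denials_to_te(SAMPLE_AUDIT_LOG)))
```

Because the read and write denials share source type, target type and class, they collapse into one rule, which is why a single audit2allow pass over a permissive-mode log is shorter than the retry loop above.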
So selinux-policy-targeted-sources is something that lets me change policy?
And audit2allow is something that monitors what processes are open and "allows" them to pass through SELinux?
Thanks, -brett