How do I disable SELinux for a subprocess launched from Apache?

Question

My Apache module launches a helper subprocess which does, for example, but not limited by, the following things:

• It sets up a socket so that it can communicate with Apache.
• Reads and writes files in a temporary location that is deleted when Apache exits. These files are used e.g. for storing large amounts of data received over the network, in case that data does not comfortably fit in RAM.
• It spawns user-specified executables. Similar to CGI. Each of these spawned processes are run as their own dedicated user.

The helper subprocess is launched as root so that it can manage file ownerships and permissions and can spawn more processes as specific users.

Some users of my module run on systems with SELinux installed, e.g. RedHat-based distros. SELinux usually interferes with my module. Until now I've been telling people to disable SELinux system-wide because I can't figure out how to write a proper policy for my software. Documentation is very scattered, complex and usually only targets system administrators, not software developers.

As a step into the right direction, I want to implement minimal support for SELinux. I'm looking for a way to launch my helper subprocess without any SELinux constraints without disabling SELinux system-wide. Is there a way to do that, and if so, how?

Answer 1

Well... you could write a rule that transitions your domain to unconfined_t, but then you'd piss off quite a few sysadmins. Best to write yourself a new domain that inherits from httpd_t and also adds the appropriate contexts for access.