By default, a CGI program runs in the httpd_t domain. httpd_t is the domain of the Apache web server, and a domain is inherited by child programs unless the policy says otherwise. To run CGI programs in a domain of their own, use the domain_trans element: it makes programs under the given path enter a new domain when httpd_t executes them. For example, if your CGI programs live in /var/www/cgi-bin and you want them to run as cgi_t, create cgi_t.sp like below.
{
domain cgi_t;
domain_trans httpd_t /var/www/cgi-bin/**;
include common-relaxed.sp;
##### allowxxx will be here...
}
PHP is different: you cannot move PHP scripts out of httpd_t. The PHP interpreter runs inside the web server process and a script is not started with the exec system call, so there is no point at which SELinux can perform a domain transition. Every PHP script therefore runs with the permissions of httpd_t, unless PHP itself is extended to request a domain change through the SELinux system calls.
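A quick way to confirm that the domain_trans rule above actually took effect is to have the CGI program report the domain it is executing in. The following script is an added example, not part of SEEdit or of this page: dropped into /var/www/cgi-bin it should report cgi_t, while a program that did not transition reports the parent domain httpd_t. It relies only on /proc/self/attr/current, which returns the caller's own security context; the expected domain name cgi_t is the one used in the example above.

```python
#!/usr/bin/env python3
"""Added example (not SEEdit code): a CGI program that reports its own SELinux
domain, so the effect of a domain_trans element can be verified from a browser
or with curl.  Expect cgi_t for a program under /var/www/cgi-bin covered by the
rule above; httpd_t means no transition happened."""
import sys


def read_current_context(path="/proc/self/attr/current"):
    """Return this process's SELinux context as a string, or None if it cannot
    be read (for example because SELinux is not enabled on the host)."""
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except OSError:
        return None
    ctx = raw.rstrip(b"\x00\n").decode("ascii", "replace")
    return ctx or None


def domain_of(context):
    """Extract the type (domain) field from a context such as
    'system_u:system_r:cgi_t:s0' or the three-field 'system_u:system_r:cgi_t'.
    The domain is always the third colon-separated field; returns None for
    malformed input."""
    parts = context.split(":")
    if len(parts) < 3:
        return None
    return parts[2]


def transition_happened(context, expected="cgi_t"):
    """True if the given context is in the expected domain."""
    return domain_of(context) == expected


def cgi_body():
    """Plain-text body describing the current domain."""
    ctx = read_current_context()
    if ctx is None:
        return "SELinux context: unavailable\n"
    verdict = "yes" if transition_happened(ctx) else "no (still in the parent domain)"
    return (f"SELinux context: {ctx}\n"
            f"domain: {domain_of(ctx)}\n"
            f"transitioned to cgi_t: {verdict}\n")


if __name__ == "__main__":
    # CGI header, then the body
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write(cgi_body())
```

Because the script is started with exec by httpd, it is subject to domain_trans; the same check written in PHP under mod_php would always show httpd_t, for the reason given above.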
The deny element removes a path from an allow that would otherwise cover it. For example:
{
domain foo_t;
deny /etc/shadow;
allow /etc/** r,s;
}
In the above, allow /etc/** grants foo_t access to everything under /etc, but deny /etc/shadow takes precedence, so foo_t still cannot access /etc/shadow. A wildcard allow never overrides a deny; to grant access to /etc/shadow you have to write allow /etc/shadow explicitly.
Some deny elements are written by default in include/common-relaxed.sp, so every domain description that includes that file inherits them.
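The interaction between allow, deny and an explicit allow described above is easy to get wrong when reading a longer policy, so here is a small model of it. This is an added example, not code from this page or from SEEdit: it parses the subset of .sp syntax used in this document (domain, allow and deny inside braces; include lines are skipped) and answers whether the domain may perform a permission on a path. Three things are assumptions of this model rather than documented SEEdit behaviour: a pattern ending in /** covers the directory and everything below it while any other pattern is an exact path; a # starts a comment; and precedence follows the text literally, with a deny beating a wildcard allow and only an allow naming the exact path beating the deny.

```python
"""Added example (not SEEdit code): a model of allow/deny precedence for one
domain description in the .sp syntax shown on this page.

Assumptions not taken from the SEEdit documentation:
  * "<dir>/**" covers <dir> itself and everything below it; other patterns
    are exact paths;
  * "#" starts a comment;
  * precedence is: exact-path allow > deny > wildcard allow.
"""
from typing import List, Optional, Set, Tuple


class Rule:
    def __init__(self, kind: str, pattern: str, perms: Set[str]):
        self.kind = kind        # "allow" or "deny"
        self.pattern = pattern  # exact path or "<dir>/**"
        self.perms = perms      # permission letters; empty for deny (deny is total)


def parse_sp(text: str) -> Tuple[Optional[str], List[Rule]]:
    """Parse one domain description and return (domain name, rules)."""
    domain = None
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if line in ("", "{", "}") or line.startswith("include"):
            continue
        fields = line.split()
        if fields[0] == "domain" and len(fields) == 2:
            domain = fields[1]
        elif fields[0] == "deny" and len(fields) == 2:
            rules.append(Rule("deny", fields[1], set()))
        elif fields[0] == "allow" and len(fields) == 3:
            rules.append(Rule("allow", fields[1], set(fields[2].split(","))))
        else:
            raise ValueError(f"unsupported element: {raw!r}")
    return domain, rules


def matches(pattern: str, path: str) -> bool:
    """Path matching for the two pattern forms used on this page."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return pattern == path


def access(rules: List[Rule], path: str, perm: str) -> bool:
    """Decide whether `perm` on `path` is granted under the modelled precedence."""
    # 1. an allow naming the exact path wins over everything
    if any(r.kind == "allow" and r.pattern == path and perm in r.perms for r in rules):
        return True
    # 2. otherwise any matching deny removes the access
    if any(r.kind == "deny" and matches(r.pattern, path) for r in rules):
        return False
    # 3. otherwise a wildcard allow may grant it
    return any(r.kind == "allow" and matches(r.pattern, path) and perm in r.perms
               for r in rules)


# The foo_t description from the text, embedded so this runs stand-alone.
FOO_T_SP = """
{
domain foo_t;
deny /etc/shadow;
allow /etc/** r,s;
}
"""

# The same description with the explicit allow the text says is required.
FOO_T_SP_WITH_SHADOW = FOO_T_SP.replace(
    "allow /etc/** r,s;", "allow /etc/** r,s;\nallow /etc/shadow r;")


def check(sp_text: str, path: str, perm: str) -> bool:
    """Parse a description and evaluate one (path, perm) query."""
    _, rules = parse_sp(sp_text)
    return access(rules, path, perm)


if __name__ == "__main__":
    for path, perm in (("/etc/passwd", "r"), ("/etc/shadow", "r"), ("/etc/passwd", "w")):
        print(f"foo_t {perm} {path}: {check(FOO_T_SP, path, perm)}")
    print(f"with explicit allow, r /etc/shadow: "
          f"{check(FOO_T_SP_WITH_SHADOW, '/etc/shadow', 'r')}")
```

Running it shows /etc/passwd readable, /etc/shadow denied despite the wildcard, and /etc/shadow readable only once the exact allow /etc/shadow line is present. Because the deny elements in include/common-relaxed.sp are inherited by any domain that includes the file, this is also the pattern to follow when a legitimately needed path turns out to be covered by one of them.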