... but first things first. I wouldn't miss tonight's meeting for the world!

I'm attempting to incorporate web-chpass (http://www.unicom.com/sw/web-chpass/) into my website running SELinux (Fedora Core 6). Since it's doing all sorts of things a web server has no business doing, I'm working on a new policy (with the help of system-config-selinux), which is almost correct. Unfortunately, I'm still getting:

    avc: denied { create } for comm="nipasswd" cwd="/var/www/secure/cgi-bin" dev=fd:00 egid=48 euid=0 exe="/usr/local/lib/web-chpass/nipasswd" exit=4 fsgid=48 fsuid=0 gid=48 inode=188244 item=1 items=2 mode=0100600 name="/etc/nshadow" obj=system_u:object_r:shadow_t:s0 ogid=48 ouid=0 pid=23759 rdev=00:00 scontext=user_u:system_r:httpd_webchpass_script_t:s0 sgid=48 subj=user_u:system_r:httpd_webchpass_script_t:s0 suid=0 tclass=file tcontext=system_u:object_r:shadow_t:s0 tty=(none) uid=0

audit2allow -R recommends:

    auth_manage_shadow(httpd_webchpass_script_t)

and audit2allow (no arguments) recommends:

    allow httpd_webchpass_script_t shadow_t:file create;

After recompiling and rechecking, I continue to get the same avc message. The script itself works fine in permissive mode, and I get the same message in either permissive or enforcing. It seems strange to be denied the access with the second rule above?!?

If anybody could point me towards relevant resources, it would be much appreciated.
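An added example, not part of the original post and not audit2allow's own code: Python that shows how the plain allow rule quoted above follows from the scontext, tcontext and tclass fields of the denial, and how repeated denials for the same source, target and class merge into one rule. The function names are hypothetical; the sample record is the one from the post.

```python
import re
from collections import defaultdict

# The denial quoted in the post, as a single audit record.
SAMPLE_AVC = (
    'avc: denied { create } for comm="nipasswd" cwd="/var/www/secure/cgi-bin" '
    'dev=fd:00 egid=48 euid=0 exe="/usr/local/lib/web-chpass/nipasswd" exit=4 '
    'fsgid=48 fsuid=0 gid=48 inode=188244 item=1 items=2 mode=0100600 '
    'name="/etc/nshadow" obj=system_u:object_r:shadow_t:s0 ogid=48 ouid=0 '
    'pid=23759 rdev=00:00 scontext=user_u:system_r:httpd_webchpass_script_t:s0 '
    'sgid=48 subj=user_u:system_r:httpd_webchpass_script_t:s0 suid=0 '
    'tclass=file tcontext=system_u:object_r:shadow_t:s0 tty=(none) uid=0'
)

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Return (permissions, fields) for one AVC denial, or None otherwise."""
    m = PERMS_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    return m.group(1).split(), fields

def context_type(context):
    """The type is the third field of user:role:type[:mls-range]."""
    return context.split(":")[2]

def allow_rules(records):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for record in records:
        parsed = parse_avc(record)
        if parsed is None:
            continue  # not an AVC denial; ignore
        perms, f = parsed
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        grouped[key].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

print("\n".join(allow_rules([SAMPLE_AVC])))
```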