Write SELinux policy so that we don't need to blanketly disable it
If one doesn't disable SELinux, Apache will hit interesting bugs like this:
```
mod_wsgi (pid=5618): Target WSGI script '/var/www/haas/haas.wsgi' cannot be loaded as Python module.
mod_wsgi (pid=5618): Exception occurred processing WSGI script '/var/www/haas/haas.wsgi'.
Traceback (most recent call last):
  File "/var/www/haas/haas.wsgi", line 2, in <module>
    import haas.api
  File "/usr/lib/python2.7/site-packages/haas-0.2rc2-py2.7.egg/haas/api.py", line 21, in <module>
    from schema import Schema, Optional
ImportError: No module named schema
```
Currently, we recommend disabling SELinux wholeheartedly, but this is an extreme measure.
Better would be if we could either:
- Disable SELinux for just the haas WSGI applet itself or Apache, or even better:
- Write a default policy using audit2allow
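
What audit2allow does with the denials behind a failure like this, as an added sketch that is not part of the issue or the project's code: it groups the AVC denials of one process into `allow` rules. The log lines, the `admin_home_t` label and the helper names are constructed assumptions; the real denials come from the host's audit log.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration; not taken from the issue.
SAMPLE_LOG = """\
type=AVC msg=audit(1430000000.101:201): avc:  denied  { read } for  pid=5618 comm="httpd" name="schema.py" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1430000000.102:202): avc:  denied  { open } for  pid=5618 comm="httpd" name="schema.py" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1430000000.103:203): avc:  denied  { search } for  pid=5618 comm="httpd" name="schema" dev="dm-0" ino=1310 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1430000000.104:204): avc:  denied  { read } for  pid=700 comm="sshd" name="key" dev="dm-0" ino=99 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1430000000.104:204): arch=c000003e syscall=2 success=no exit=-13 comm="sshd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\w+)'
)

# Target types that usually mean a file kept the label of the place it was
# created in (for example a home directory). Relabeling is the narrower fix.
MISLABEL_TYPES = {"admin_home_t", "user_home_t"}


def selinux_type(context):
    """Return the type field of user:role:type:level (level may contain ':')."""
    return context.split(":")[2]


def suggest_rules(log_text, comm="httpd"):
    """Merge AVC denials for one command into sorted allow rules."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue  # not an AVC denial, or a different process
        key = (selinux_type(m.group("scon")), selinux_type(m.group("tcon")), m.group("cls"))
        perms_by_key[key].update(m.group("perms").split())
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        if tgt in MISLABEL_TYPES:
            rule += "  # check labels first (restorecon)"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

Rules flagged with the comment are the ones to question before loading a generated module: granting `httpd_t` access to a home-directory type is broader than restoring the correct label on the installed files.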