appropriately named the signup_t domain module new domain user_setuid_t to confine setuid user programs (i.e. SQL signup)