Use entry_file as entry_point to domain transition.

Squash with e9f4178aa052c15ac7919a06e0c226b846ef7c7b
Duplicate TE rule.

policy/modules/services/apache.if

@@ -50,8 +50,6 @@ template(`apache_content_template',`
 
 	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
 
-	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
 	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 
@@ -132,6 +130,8 @@ template(`apache_content_template',`
 	tunable_policy(`httpd_enable_cgi',`
 		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
 
+		domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
 		# privileged users run the script:
 		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
 

policy/modules/services/apache.te

@@ -946,10 +946,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 ')
 
-tunable_policy(`httpd_enable_cgi',`
-	domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
-')
-
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_suexec_t)
 	fs_read_nfs_symlinks(httpd_suexec_t)