nginx doesn't have the right to connect to phpfpm through its unix socket. I think that an optional_policy should be added, containing 'phpfpm_stream_connect(nginx_t)'.

AVC example:
avc: denied { write } for pid=26089 comm="nginx" name="php-fpm.sock" dev="sda1" ino=537642 scontext=system_u:system_r:nginx_t tcontext=system_u:object_r:phpfpm_var_run_t tclass=sock_file
Is this sufficient (i.e. have you tested adding this)?
Yes, it is, at least on my server. I resolved the denials and the corresponding nginx error ('502 Bad Gateway' in the client and '[crit] 2017#0: *1230 connect() to unix:/var/run/php5-fpm/php-fpm.sock failed (13: Permission denied) while connecting to upstream' in the nginx logs) by adding this rule, 'phpfpm_stream_connect(nginx_t)', to my policies.
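As an added example (not part of the bug report or of the Gentoo policy repository), the following Python script parses AVC denial records of the kind quoted above into their source type, target type, object class and permission set, groups repeated denials by (source, target, class), and renders the equivalent raw `allow` rules so they can be compared against what an interface such as phpfpm_stream_connect() grants. The first sample line is the denial from the report; the second is a constructed record for the unix_stream_socket connectto step, which is an assumption about a related denial and not taken from the report. The raw rules are for review only; the fix confirmed above uses the interface in an optional_policy block rather than hand-written allow rules.

```python
import re

# Sample AVC records. The first is the denial quoted in the bug report;
# the second is CONSTRUCTED to show grouping of a second class/permission
# and is not a record from the report.
SAMPLE_AVC_LINES = [
    'avc: denied { write } for pid=26089 comm="nginx" name="php-fpm.sock" '
    'dev="sda1" ino=537642 scontext=system_u:system_r:nginx_t '
    'tcontext=system_u:object_r:phpfpm_var_run_t tclass=sock_file',
    # constructed: same subject, the socket object itself
    'avc: denied { connectto } for pid=26089 comm="nginx" '
    'path="/var/run/php5-fpm/php-fpm.sock" scontext=system_u:system_r:nginx_t '
    'tcontext=system_u:system_r:phpfpm_t tclass=unix_stream_socket',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ''


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group('fields')):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return {
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'source_type': context_type(fields.get('scontext', '')),
        'target_type': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', ''),
        'fields': fields,
    }


def summarize(lines):
    """Group denied permissions by (source_type, target_type, tclass)."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        summary.setdefault(key, set()).update(rec['perms'])
    return summary


def as_allow_rules(summary):
    """Render grouped denials as raw allow rules for comparison with policy interfaces."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append('allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms))))
    return rules


if __name__ == '__main__':
    for rule in as_allow_rules(summarize(SAMPLE_AVC_LINES)):
        print(rule)
```

Run against a real audit log, the grouped output tells you whether a single interface covers everything the denials ask for (here both rules fall within the stream-connect pattern for nginx_t to php-fpm's socket) or whether an unrelated type or class has crept in, which would indicate a mislabelled file rather than a missing policy rule.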
Great, thanks. Added in our repo, will also be part of r7
r7 is now in hardened-dev
In main tree, ~arch'ed
r8 is now stable