--- a/phpfpm.fc
+++ b/phpfpm.fc
@@ -2,4 +2,5 @@
/var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
/var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
+/var/run/php*-fpm/*.sock gen_context(system_u:object_r:phpfpm_var_run_t,s0)
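Review bot: The path on the added line is a regular expression to the file-contexts loader, so `php*` matches `ph` followed by any number of `p` characters and `/*.sock` matches any run of slashes, one arbitrary character and `sock`; a versioned socket path such as (constructed example) /var/run/php7.4-fpm/www.sock would not be relabeled phpfpm_var_run_t and would stay var_run_t, which the new stream_connect interface does not cover. The refpolicy form would be `/var/run/php[^/]*-fpm/[^/]*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)`, with `-s` restricting the entry to socket files. The parent directory has no entry of its own, so presumably it keeps var_run_t; if php-fpm creates that directory at startup, an entry like `/var/run/php[^/]*-fpm(/.*)?` for the directory would keep labeling consistent with the .te filetrans — confirm where the socket is actually placed before choosing.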
--- a/phpfpm.if
+++ b/phpfpm.if
@@ -0,0 +1,18 @@
+
+########################################
+##
+## Connect to phpfpm using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`phpfpm_stream_connect',`
+ gen_require(`
+ type phpfpm_t, phpfpm_var_run_t;
+ ')
+ stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
+')
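Review bot: stream_connect_pattern on the last line of the interface only grants the caller search on phpfpm_var_run_t directories, so a domain that does not already hold search on var_run_t cannot traverse /var/run to reach the socket; the usual refpolicy shape for a *_stream_connect interface is to put `files_search_pids($1)` on the line before the stream_connect_pattern call. The `##` lines around the summary and around "Domain allowed access." are empty in the hunk as shown, so the `<summary>`, `<param name="domain">` and `<desc>` tags that the policy documentation tooling parses appear to be missing; if that is the file content rather than an extraction artifact, the comment block should carry those tags in the same form as the other interfaces in the policy. The interface body uses single-space indentation, which is worth aligning with the module's existing convention.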
--- a/phpfpm.te
+++ b/phpfpm.te
@@ -29,6 +32,7 @@
allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
allow phpfpm_t self:udp_socket connected_socket_perms;
allow phpfpm_t self:unix_stream_socket accept;
+allow phpfpm_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
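Review bot: The added `allow phpfpm_t self:unix_stream_socket create_stream_socket_perms;` already includes listen and accept, so the pre-existing `allow phpfpm_t self:unix_stream_socket accept;` on the line above becomes redundant and two rules now cover the same class. Either drop the old accept line or fold both into the single create_stream_socket_perms rule so the intended permission set is visible in one place. The enclosing rule group continues outside the hunk.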
@@ -38,7 +42,8 @@
files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
-files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
+files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
+manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
kernel_read_kernel_sysctls(phpfpm_t)
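Review bot: The new filetrans covers only sock_file objects created directly in a var_run_t directory, and manage_sock_files_pattern grants socket management only under phpfpm_var_run_t, yet the phpfpm.fc hunk places the socket in a per-version subdirectory (`/var/run/php*-fpm/`) that nothing in this diff labels or lets phpfpm_t create. If php-fpm creates that directory itself, it would be labeled var_run_t and the daemon would lack the dir permissions; the consistent rule set would be `files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { dir file sock_file })` together with `manage_dirs_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)`, unless a dir rule already exists elsewhere in phpfpm.te outside this hunk. If instead the socket lives directly in /var/run, the .fc entry should match that path rather than a subdirectory.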
@@ -78,6 +83,7 @@
optional_policy(`
postgresql_tcp_connect(phpfpm_t)
+ postgresql_stream_connect(phpfpm_t)
')
optional_policy(`