Created attachment 323652
Proposed patch to implement the enhancement

The current phpfpm policy doesn't allow the use of stream sockets. Here is a patch that at least partially allows it. Optional policies should also be added to the different servers, e.g. for nginx:

'''
optional_policy(`
	phpfpm_stream_connect(nginx_t)
')
'''
Created attachment 323690
phpfpm patch for hardened-refpolicy
Matthew, if you don't mind me changing the state of your bug(s) ;-) The patch is pulled in from refpolicy so will be part of -r6 (and is already in the live ebuilds).
I don't know if this should go in r6 given its state upstream (dunno what's happening with it with grift doing what he wants with it...)
In hardened-dev, r6 release
In main tree, ~arch'ed
r8 is now stable