The current tunable policy that enables the nginx http server is:
This tunable policy doesn't give access to any content with the context 'httpd_sys_rw_content_t'. An additional 'apache_read_all_rw_content(nginx_t)' would partially fix the problem.
It's probably ok to use "apache_manage_all_rw_content(nginx_t)".
The rw-content is content defined to be writeable by webservers, so...
Will be part of -r6 release. Is committed to repository so live ebuilds should already provide it.
In hardened-dev, r6 release
In main tree, ~arch'ed
r8 is now stable