# vim:syntax=apparmor

# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
# /path/to/your/unix/socket rw,

#include <tunables/global>

/usr/bin/nginx {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/nis>
  #include <abstractions/openssl>

  capability setgid,
  capability setuid,

  # XXX: Maybe switch to "/etc/nginx/** r," ?
  /etc/nginx/*.conf r,
  /etc/nginx/*_params r,
  /etc/nginx/conf.d/* r,
  /etc/nginx/mime.types r,

  /run/nginx.pid rw,

  /usr/bin/nginx mr,

  /usr/share/nginx/html/* r,

  /var/log/nginx/* w,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.nginx>
}