From ea69a0a9bfbcc4312c2479884c105511e5252ce9 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Wed, 20 May 2020 15:52:04 +0300
Subject: [PATCH] add selinux-nginx rule to read cert_t (#75)
---
 sec-policy/selinux-custom-server/files/custom-server.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sec-policy/selinux-custom-server/files/custom-server.te b/sec-policy/selinux-custom-server/files/custom-server.te
index 6b96b6b..0ca4f30 100644
--- a/sec-policy/selinux-custom-server/files/custom-server.te
+++ b/sec-policy/selinux-custom-server/files/custom-server.te
@@ -22,6 +22,7 @@ optional_policy(`
 ')
 allow nginx_t self:capability { dac_override dac_read_search };
+ miscfiles_read_generic_certs(nginx_t)
 tunable_policy(`nginx_can_read_ebuild',`
 portage_read_ebuild(nginx_t)
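Review bot: The added `miscfiles_read_generic_certs(nginx_t)` sits directly below `allow nginx_t self:capability { dac_override dac_read_search };`, so file modes no longer limit which `cert_t` files nginx can read and the type label becomes the only boundary. The grant is also unconditional, unlike the `nginx_can_read_ebuild` tunable that follows it. Neither the hunk nor the commit message records which path or denial motivated the rule, so a comment above the call such as `# nginx loads its TLS certificate chain from cert_t-labelled files` would help (wording inferred from the subject line, to be confirmed). If only nginx's own certificates are meant, a dedicated type for that directory would be narrower than all generic certs. It is also worth confirming that private keys on the target systems are not labelled `cert_t`.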