Create new TLS Private Keys file contexts for the

Apache HTTP server according to the default locations: http://www.apache.com/how-to-setup-an-ssl-certificate-on-apache Add the correct TLS Private Keys file label for Debian systems. This patch fixes a serious Information Disclosure vulnerability caused by the erroneous labeling of TLS Private Keys and CSR, as explained above. See: #735 Signed-off-by: Guido Trentalancia <[email protected]> --- policy/modules/system/miscfiles.fc | 3 +++ 1 file changed, 3 insertions(+)
SELinuxProject · Nov 19, 2023 · 5c9038e · 5c9038e
1 parent 662502a
commit 5c9038e
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
@@ -10,10 +10,13 @@ ifdef(`distro_gentoo',`
 #
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/conf/ssl(/.*)?	--	gen_context(system_u:object_r:tls_privkey_t,s0)
+/etc/httpd/conf/ssl/.*\.crt	--	gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/private(/.*)?		gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
 ifdef(`distro_debian',`