From 5c9038ec9863463de0eb82badf8f45fb2374780b Mon Sep 17 00:00:00 2001
From: Guido Trentalancia
Date: Sun, 19 Nov 2023 22:44:27 +0100
Subject: [PATCH] Create new TLS Private Keys file contexts for the Apache HTTP server according to the default locations: http://www.apache.com/how-to-setup-an-ssl-certificate-on-apache Add the correct TLS Private Keys file label for Debian systems. This patch fixes a serious Information Disclosure vulnerability caused by the erroneous labeling of TLS Private Keys and CSR, as explained above. See: https://github.com/SELinuxProject/refpolicy/issues/735
Signed-off-by: Guido Trentalancia
---
 policy/modules/system/miscfiles.fc | 3 +++
 1 file changed, 3 insertions(+)
---
 policy/modules/system/miscfiles.fc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 10ece10dc1..8647ca292e 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -10,10 +10,13 @@ ifdef(`distro_gentoo',`
 #
 /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/conf/ssl(/.*)? -- gen_context(system_u:object_r:tls_privkey_t,s0)
+/etc/httpd/conf/ssl/.*\.crt -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
 /etc/pki/.*/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
 
 ifdef(`distro_debian',`
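Review bot: The new `/etc/httpd/conf/ssl(/.*)?` entry carries the `--` qualifier, so only regular files under that directory become tls_privkey_t while the directory itself, any subdirectory and any symlink placed there fall back to whatever broader rule covers /etc/httpd (presumably the apache module's config label), whereas the two sibling tls_privkey_t rules in this hunk, `/etc/pki/.*/private(/.*)?` and `/etc/ssl/private(/.*)?`, carry no qualifier and label the whole tree. Unless the regular-file restriction is deliberate, drop it for consistency: `/etc/httpd/conf/ssl(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)`, which also keeps directory search on the key directory governed by tls_privkey_t rather than by the parent's label. The `.crt` entry on the following line has a longer stem and should still win for certificate files, but that precedence is worth confirming with matchpathcon on a populated directory before relying on it. Separately, the `/etc/ssl/private(/.*)?` line is added to the distro-independent section although the commit message presents it as the Debian label; if it is intended to be Debian-only it belongs inside the distro_debian ifdef block that begins on the hunk's last line.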