Greetz,
So we asked a question on another list about how to avoid storing credentials
to a DB in files for said Apache server.
It was found then a great solution from PHP Cookbook suggesting
to use an "Include" file readable only by root with credentials and Apache then reads on
startand stores credentials as variables.
I would like to know if SELinux can block this attack?
For example, an attacker gets a reverse shell as apache:apache user
and they try to connect to DB.
What domain would they be in at time of shell (httpd_t)?
Would the DB be confined to some other domain?
Could they try and connect to DB after having read credentials from unsecured config file?
Is there a domain transition.
Thank you.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
