-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/03/2013 12:21 PM, Robert Gabriel wrote:
> Greetz,
>
> So we asked a question on another list about how to avoid storing
> credentials to a DB in files for said Apache server.
>
> It was found then a great solution from PHP Cookbook suggesting
> to use an "Include" file readable only by root with credentials, and Apache
> then reads on start and stores credentials as variables.
>
> I would like to know if SELinux can block this attack?

SELinux will only allow httpd_t to read files with the correct label, so if
the credentials had a label the httpd_t was not allowed to read, SELinux
would block it.

> For example, an attacker gets a reverse shell as apache:apache user
> and they try to connect to DB.
>
> What domain would they be in at time of shell (httpd_t)?

php scripts would ordinarily run as httpd_t.

> Would the DB be confined to some other domain?

If DB is a running process like mysql or postgresql then yes. If the DB is
started via init and SELinux does not know about it, it will run as initrc_t.

> Could they try and connect to DB after having read credentials from
> unsecured config file?

They could try, but if httpd_t is not allowed to communicate with the process
that is running the DB then SELinux would block it.

> Is there a domain transition?

Doubt it.

> Thank you.
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHa5lkACgkQrlYvE4MpobNRbwCeJiW2YsUZb1m57QpSK4TUfbW1
kykAn10eWe+GdA83Di0joo7o0r2jixjX
=mzDe
-----END PGP SIGNATURE-----
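Editor's added example, not part of the thread above: when policy denies httpd_t the two accesses the reply describes (reading a credentials file with a label httpd_t may not read, and connecting to the database's port or socket), the kernel records AVC denials in the audit log, and that log is where a responder would confirm that SELinux actually blocked the compromised PHP process. The script below parses such AVC records and flags the httpd_t denials that matter for this scenario. The audit lines are constructed for the example; the target types used in them (admin_home_t for the root-only include file, mysqld_port_t for TCP 3306, mysqld_t for the local socket) are assumptions about a typical Fedora targeted policy, and real labels on a given host should be checked with ls -Z and ps -eZ.

```python
import re
from dataclasses import dataclass, field

# Constructed sample audit.log lines (not from the original thread). Labels such
# as admin_home_t / mysqld_port_t / mysqld_t are assumed for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1372868500.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="db_creds.inc" dev="dm-0" ino=393218 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1372868501.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1372868502.789:458): avc:  denied  { connectto } for  pid=1234 comm="httpd" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1372868503.000:459): avc:  denied  { write } for  pid=987 comm="cupsd" name="foo" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1372868503.000:459): arch=c000003e syscall=2 success=no exit=-13
"""

# "avc:  denied  { read write } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    result: str            # "denied" or "granted"
    perms: list            # permissions requested, e.g. ["read"]
    comm: str              # process name from the record
    stype: str             # source domain type, e.g. httpd_t
    ttype: str             # target type, e.g. mysqld_port_t
    tclass: str            # object class: file, tcp_socket, ...
    fields: dict = field(default_factory=dict)


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit record; return an AvcEvent, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcEvent(
        result=m.group("result"),
        perms=m.group("perms").split(),
        comm=fields.get("comm", ""),
        stype=context_type(fields.get("scontext", "")),
        ttype=context_type(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
        fields=fields,
    )


def classify(ev):
    """Map an httpd_t denial onto the two accesses discussed in the thread."""
    if ev.stype != "httpd_t" or ev.result != "denied":
        return None                       # other domains are out of scope here
    if ev.tclass == "file" and "read" in ev.perms:
        return "file-read-blocked"        # e.g. the root-only credentials include
    if ev.tclass == "tcp_socket" and "name_connect" in ev.perms:
        return "db-port-connect-blocked"  # TCP connect to a labelled DB port
    if ev.tclass == "unix_stream_socket" and "connectto" in ev.perms:
        return "db-socket-connect-blocked"  # connect to the DB's unix socket
    return "other-httpd-denial"


def triage(log_text):
    """Return [(kind, event)] for every httpd_t denial found in the log text."""
    found = []
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if ev is None:
            continue
        kind = classify(ev)
        if kind:
            found.append((kind, ev))
    return found


if __name__ == "__main__":
    for kind, ev in triage(SAMPLE_AUDIT_LOG):
        target = ev.fields.get("name") or ev.fields.get("path") or ev.fields.get("dest", "")
        print(f"{kind:26} pid={ev.fields.get('pid')} {ev.stype} -> {ev.ttype} ({ev.tclass}) {target}")
```

On a live host the input would come from ausearch -m avc rather than a string. Whether httpd_t is allowed to reach the database at all is a policy question that can be answered before any attack, with sesearch -A -s httpd_t -t mysqld_port_t -c tcp_socket -p name_connect and by checking the httpd_can_network_connect_db boolean; if that boolean is on, the "they could try" case in the reply succeeds and no denial is logged.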