So we asked a question on another list about how to avoid storing credentials to a DB in files for said Apache server.

A great solution was then found in the PHP Cookbook, suggesting the use of an "Include" file readable only by root with the credentials; Apache then reads it on start and stores the credentials as variables.

I would like to know if SELinux can block this attack?

For example, an attacker gets a reverse shell as the apache:apache user and they try to connect to the DB.

What domain would they be in at the time of the shell (httpd_t)?

Would the DB be confined to some other domain?

Could they try and connect to the DB after having read the credentials from an unsecured config file?

Is there a domain transition?

Thank you.
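The questions above can be answered on a given host by looking at three things: which domain httpd and the database server actually run in, whether the policy currently permits httpd_t to open a TCP connection to the database port, and whether the credentials file is readable by the apache user at all. The script below is an added example written for this thread, not code from the original post or from any SELinux project; it assumes a Fedora/RHEL-style targeted policy (domains httpd_t and mysqld_t, port type mysqld_port_t, boolean httpd_can_network_connect_db) and the setools sesearch command. The ps, getsebool and sesearch output embedded in it is constructed sample data so the parsing functions can be exercised offline; the live audit at the bottom only runs when the SELinux tools are installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit how far an httpd_t shell could
# get toward the database under SELinux targeted policy.
# Assumptions: targeted policy with httpd_t / mysqld_t / mysqld_port_t, the
# httpd_can_network_connect_db boolean, and setools (sesearch) available.

# --- constructed sample data, mimicking real tool output ---------------------
# "ps -eZ"-style output: LABEL PID TTY TIME CMD
PS_SAMPLE='LABEL                           PID TTY          TIME CMD
system_u:system_r:httpd_t:s0   1234 ?        00:00:01 httpd
system_u:system_r:mysqld_t:s0  1300 ?        00:00:05 mysqld
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1400 pts/0 00:00:00 bash'

# "getsebool httpd_can_network_connect_db" line with the boolean switched off.
BOOL_SAMPLE='httpd_can_network_connect_db --> off'

# Assumed "sesearch -A" output for the conditional allow rule; the trailing
# "[ bool ]:False" marks a rule that exists but is currently inactive.
SESEARCH_SAMPLE='allow httpd_t mysqld_port_t:tcp_socket name_connect; [ httpd_can_network_connect_db ]:False'

# --- parsing helpers ----------------------------------------------------------

# Print the SELinux domain (third field of user:role:type[:level]) of the
# first process in "ps -eZ" output ($1) whose command name equals $2.
domain_of() {
    printf '%s\n' "$1" | awk -v cmd="$2" '
        $NF == cmd { split($1, c, ":"); print c[3]; exit }'
}

# Return 0 when a getsebool line ($1) reports the boolean as on.
bool_is_on() {
    case "$1" in
        *"--> on") return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 when sesearch output ($1) contains an allow rule that lets source
# domain $2 name_connect to port type $3 over tcp_socket, either
# unconditionally or under a boolean that is currently True.
tcp_connect_allowed() {
    printf '%s\n' "$1" | awk -v s="$2" -v t="$3" '
        $1 == "allow" && $2 == s && index($3, t ":tcp_socket") == 1 && /name_connect/ {
            if ($0 !~ /\[/ || $0 ~ /\]:True/) { found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Return 0 when a credentials file is exposed to the web server by plain DAC:
# not owned by root ($1) or any group/other read bit set in its octal mode ($2).
# ACLs and SELinux file labels are not considered here.
creds_exposed() {
    [ "$1" != root ] || [ $(( 0$2 & 044 )) -ne 0 ]
}

# --- live audit, only when the SELinux userspace tools are present -------------
if command -v getsebool >/dev/null 2>&1; then
    echo "httpd runs in domain:  $(domain_of "$(ps -eZ)" httpd)"
    echo "mysqld runs in domain: $(domain_of "$(ps -eZ)" mysqld)"
    getsebool httpd_can_network_connect_db
    if command -v sesearch >/dev/null 2>&1; then
        rules=$(sesearch -A -s httpd_t -t mysqld_port_t -c tcp_socket -p name_connect)
        if tcp_connect_allowed "$rules" httpd_t mysqld_port_t; then
            echo "policy currently ALLOWS httpd_t -> mysqld_port_t name_connect"
        else
            echo "policy currently DENIES httpd_t -> mysqld_port_t name_connect"
        fi
    fi
fi
```

The boolean governs only the TCP path; a database reached over a local UNIX socket is covered by different rules, which this script does not inspect. An attacker holding a shell in httpd_t stays in httpd_t: there is no domain transition on reading a file or opening a socket, so the question is purely what httpd_t is allowed to do, and the `sesearch` result is the authoritative answer for the TCP case.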