On 07/03/2013 12:21 PM, Robert Gabriel wrote:
> Greetz,
>
> So we asked a question on another list about how to avoid storing credentials
> to a DB in files for said Apache server.
>
> A great solution was then found in the PHP Cookbook, suggesting to use an
> "Include" file readable only by root with the credentials; Apache then reads
> it on start and stores the credentials as variables.
>
> I would like to know if SELinux can block this attack.

SELinux will only allow httpd_t to read files with the correct label, so if
the credentials had a label that httpd_t was not allowed to read, SELinux would
block it.

> For example, an attacker gets a reverse shell as the apache:apache user
> and they try to connect to the DB.
>
> What domain would they be in at the time of the shell (httpd_t)?

PHP scripts would ordinarily run as httpd_t.

> Would the DB be confined to some other domain?

If the DB is a running process like mysql or postgresql then yes. If the DB is
started via init and SELinux does not know about it, it will run as initrc_t.

> Could they try and connect to the DB after having read the credentials from
> the unsecured config file?

They could try, but if httpd_t is not allowed to communicate with the process
that is running the DB then SELinux would block it.

> Is there a domain transition?

Doubt it.

> Thank you.
-- 
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
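The two checks the reply above boils down to (does the policy let httpd_t read the file carrying the credentials, and is httpd_t allowed to reach the database) can be scripted. The following is an added example written for this page, not code from the thread or from the SELinux project. The include file path /etc/httpd/conf.d/db-credentials.conf is hypothetical, and the `ls -Z`, `sesearch -A -s httpd_t -c file -p read` and `getsebool -a` output embedded below is hand-constructed in the format those tools print on a RHEL 6 era host, so the script runs offline; on a real box you would feed it the live output of those commands instead.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Audits the SELinux side of a
# "root-only include file" holding DB credentials: what type the file carries,
# whether the loaded policy lets httpd_t read that type, and whether the boolean
# that permits httpd_t to connect to a network database is on.
# All sample data below is constructed for illustration, not captured output.

# Constructed `ls -Z` line for the hypothetical include file.
CRED_LS_Z='-rw-------. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d/db-credentials.conf'

# Constructed, abbreviated `sesearch -A -s httpd_t -c file -p read` output.
SESEARCH_OUT='allow httpd_t httpd_config_t : file { ioctl read getattr lock open } ;
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t etc_t : file { ioctl read getattr lock open } ;'

# Constructed `getsebool -a` output.
GETSEBOOL_OUT='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off'

# Extract the SELinux type (third field of user:role:type:level) from an
# `ls -Z` line, whichever column the context sits in.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:object_r:[^:]+_t/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Succeeds (exit 0) if the allow rules in $2 let httpd_t read files of type $1.
httpd_can_read() {
    printf '%s\n' "$2" | grep -Eq "^allow httpd_t $1 : file \{[^}]* read[ }]"
}

# Print on/off for boolean $1 from the getsebool output in $2.
bool_state() {
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b { print $3; exit }'
}

# One-line verdict: type of the file, whether httpd_t may read it, and the
# state of httpd_can_network_connect_db.
audit_cred_file() {
    t=$(context_type "$1")
    if httpd_can_read "$t" "$2"; then read_verdict="readable"; else read_verdict="blocked"; fi
    db=$(bool_state httpd_can_network_connect_db "$3")
    printf 'type=%s httpd_t read=%s db_connect_boolean=%s\n' "$t" "$read_verdict" "$db"
}

audit_cred_file "$CRED_LS_Z" "$SESEARCH_OUT" "$GETSEBOOL_OUT"
```

With the constructed data the verdict is that the file is httpd_config_t, which httpd_t is allowed to read: the DAC mode 0600 keeps a shell running as apache out, but the type label alone does not, because httpd itself runs in httpd_t from the moment init executes it. Whether the label helps therefore depends on which type the file actually gets and what `sesearch` says about it; the DB boolean is the separate check for the "try to connect to the DB" step.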