Chapter 4. Example Policy
Reference - dhcpd
This chapter provides an understanding of how the policy works
with the dhcpd daemon. This daemon ships
as part of the dhcp package. This chapter
first discusses the locations and purposes of key policy files, and
then policy types are explained. This chapter serves as a reference
analysis that can be applied to all of the targeted daemons.
Analysis in this file results from direct investigation of the
policy files as well as extensive usage of apol, which is discussed in Chapter 6 Tools for Manipulating
and Analyzing SELinux.
This section covers the various top level files that comprise
the policy for dhcpd. Refer to Section 4.2 Policy Types - dhcpd for a description of what the types
are allowed to do.
This file defines the policy rules for the dhcpd domain, dhcpd_t. These rules are discussed in
Section 4.2 Policy Types -
dhcpd. Because the type
enforcement file calls macros that are defined elsewhere, the
dhcpd.te file is only the starting point
for the policy. The policy building process expands the macros into
many more lines of rules.
This defines the security context for files associated with the
dhcpd server daemon, assigning them one of
the dhcp_<*>_t types:
/etc/dhcpd.conf -- system_u:object_r:dhcp_etc_t
/usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t
/var/lib/dhcp(3)?/dhcpd\.leases.* -- \
/var/run/dhcpd\.pid -d system_u:object_r:dhcpd_var_run_t
ifdef(`dhcp_defined', `', `
/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t
As you are looking for dhcpd.fc, you
see there are a large number of file contexts files in $SELINUX_POLICY/file_contexts/program/. Most of
these files are unused. The context files are not pulled into the
policy without a corresponding TE file in the $SELINUX_POLICY/domains/ path.
The context file contains an ifdef statement; the purpose here is to
make certain the shared directory /var/lib/dhcp is available without declaring it
multiple times. This is discussed in detail in Example