Chapter 4. Example Policy Reference - dhcpd
This chapter provides an understanding of how the policy works with the
dhcpd daemon. This daemon ships as part of the dhcp
package. This chapter first discusses the locations and purposes of key
policy files, and then policy types are explained. This chapter serves as a
reference analysis that can be applied to all of the targeted daemons.
Analysis in this file results from direct investigation of the policy files
as well as extensive usage of apol, which is
discussed in Chapter 6 Tools for Manipulating and Analyzing SELinux.
This section covers the various top level files that comprise the policy
for dhcpd. Refer to Section 4.2 Policy Types - dhcpd for a description of what the types
are allowed to do.
This file defines the policy rules for the dhcpd domain,
dhcpd_t. These rules are discussed
in Section 4.2 Policy Types - dhcpd. Because the type enforcement
file calls macros that are defined elsewhere, the
dhcpd.te file is only the starting point for
the policy. The policy building process expands the macros into
many more lines of rules.
This defines the security context for files associated with the
dhcpd server daemon, assigning them one of the
/etc/dhcpd.conf -- system_u:object_r:dhcp_etc_t
/usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t
/var/lib/dhcp(3)?/dhcpd\.leases.* -- \
/var/run/dhcpd\.pid -d system_u:object_r:dhcpd_var_run_t
ifdef(`dhcp_defined', `', `
/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t
As you are looking for dhcpd.fc, you see
there are a large number of file contexts files in
$SELINUX_POLICY/file_contexts/program/. Most of
these files are unused. The context files are not pulled into the
policy without a corresponding TE file in the
The context file contains an ifdef
statement; the purpose here is to make certain the shared directory
/var/lib/dhcp is available without declaring it
multiple times. This is discussed in detail in Example 3-1.