Chapter 4. Example Policy Reference - dhcpd

This chapter explains how the policy works with the dhcpd daemon, which ships as part of the dhcp package. It first discusses the locations and purposes of the key policy files, and then explains the policy types. The chapter serves as a reference analysis that can be applied to all of the targeted daemons. The analysis results from direct investigation of the policy files as well as extensive usage of apol, which is discussed in Chapter 6 Tools for Manipulating and Analyzing SELinux.

4.1. Policy File Locations

This section covers the various top level files that comprise the policy for dhcpd. Refer to Section 4.2 Policy Types - dhcpd for a description of what the types are allowed to do.

$SELINUX_POLICY/domains/program/dhcpd.te

This file defines the policy rules for the dhcpd domain, dhcpd_t. These rules are discussed in Section 4.2 Policy Types - dhcpd. Because the type enforcement file calls macros that are defined elsewhere, the dhcpd.te file is only the starting point for the policy. The policy building process expands the macros into many more lines of rules.

$SELINUX_POLICY/file_contexts/program/dhcpd.fc

This file defines the security context for files associated with the dhcpd server daemon, assigning them one of the dhcp_<*>_t types:

# dhcpd
/etc/dhcpd.conf		--	system_u:object_r:dhcp_etc_t
/etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
/usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t
/var/lib/dhcp(3)?/dhcpd\.leases.* -- \
  system_u:object_r:dhcpd_state_t
/var/run/dhcpd\.pid	-d	system_u:object_r:dhcpd_var_run_t
ifdef(`dhcp_defined', `', `
/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t
define(`dhcp_defined')
')

Note

When you look for dhcpd.fc, you see that there are a large number of file context files in $SELINUX_POLICY/file_contexts/program/. Most of these files are unused. A context file is not pulled into the policy without a corresponding TE file in the $SELINUX_POLICY/domains/ path.

The context file contains an ifdef statement; the purpose here is to make certain the shared directory /var/lib/dhcp is available without declaring it multiple times. This is discussed in detail in Example 3-1.
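The following added example (not part of the original guide or the policy package) shows how the dhcpd.fc entries above resolve a path to a security context: each pattern is a regular expression that must match the whole path, and the optional middle field restricts the entry to regular files (--) or directories (-d). The names parse_fc and lookup are hypothetical, the m4 ifdef wrapper is treated as already expanded with dhcp_defined unset, and "last match wins" is a simplification of the real lookup order.

```python
import re

# Entries copied from the dhcpd.fc listing on this page.
DHCPD_FC = r"""
# dhcpd
/etc/dhcpd.conf		--	system_u:object_r:dhcp_etc_t
/etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
/usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t
/var/lib/dhcp(3)?/dhcpd\.leases.* -- \
  system_u:object_r:dhcpd_state_t
/var/run/dhcpd\.pid	-d	system_u:object_r:dhcpd_var_run_t
ifdef(`dhcp_defined', `', `
/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t
define(`dhcp_defined')
')
"""

def parse_fc(text):
    """Return a list of (compiled_regex, file_type or None, context)."""
    text = re.sub(r"\\\n\s*", " ", text)  # join "\" line continuations
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Keep only path entries. This skips the comment and the m4
        # ifdef/define wrapper lines (assumes dhcp_defined is not yet set).
        if not fields or not fields[0].startswith("/"):
            continue
        ftype = fields[1] if len(fields) == 3 else None
        entries.append((re.compile(fields[0]), ftype, fields[-1]))
    return entries

def lookup(entries, path, ftype):
    """ftype is '--' (regular file) or '-d' (directory); None if unlabeled."""
    result = None
    for regex, want, context in entries:
        # Patterns are anchored: the whole path must match, not a prefix.
        if regex.fullmatch(path) and want in (None, ftype):
            result = context  # simplification: last matching entry wins
    return result

ENTRIES = parse_fc(DHCPD_FC)

if __name__ == "__main__":
    for path, ftype in [("/etc/dhcpd.conf", "--"), ("/etc/dhcpd.conf.bak", "--"),
                        ("/etc/dhcpdXconf", "--"), ("/var/lib/dhcp3", "-d"),
                        ("/var/lib/dhcp3", "--"), ("/usr/sbin/dhcpd3", "--")]:
        print(path, ftype, "->", lookup(ENTRIES, path, ftype))
```

Note that /etc/dhcpdXconf receives dhcp_etc_t because the dot in /etc/dhcpd.conf is not escaped, while /etc/dhcpd.conf.bak is not covered by any entry here and would fall through to whatever broader rule the rest of the policy supplies.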

 
 
Published under the terms of the GNU General Public License