Chapter 4. Example Policy Reference - dhcpd

This chapter explains how the policy works with the dhcpd daemon, which ships as part of the dhcp package. It first discusses the locations and purposes of the key policy files, and then explains the policy types. The chapter serves as a reference analysis that can be applied to all of the targeted daemons. The analysis results from direct investigation of the policy files as well as extensive use of apol, which is discussed in Chapter 6 Tools for Manipulating and Analyzing SELinux.

4.1. Policy File Locations

This section covers the various top level files that comprise the policy for dhcpd. Refer to Section 4.2 Policy Types - dhcpd for a description of what the types are allowed to do.

$SELINUX_POLICY/domains/program/dhcpd.te

This file defines the policy rules for the dhcpd domain, dhcpd_t. These rules are discussed in Section 4.2 Policy Types - dhcpd. Because the type enforcement file calls macros that are defined elsewhere, the dhcpd.te file is only the starting point for the policy. The policy building process expands the macros into many more lines of rules.

$SELINUX_POLICY/file_contexts/program/dhcpd.fc

This file defines the security contexts for files associated with the dhcpd server daemon, assigning each of them one of the dhcp_<*>_t types:

# dhcpd
/etc/dhcpd.conf		--	system_u:object_r:dhcp_etc_t
/etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
/usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t
/var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
/var/run/dhcpd\.pid	-d	system_u:object_r:dhcpd_var_run_t
ifdef(`dhcp_defined', `', `
/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t
define(`dhcp_defined')
')

Note

When you look for dhcpd.fc, you will notice a large number of file contexts files in $SELINUX_POLICY/file_contexts/program/. Most of these files are unused: a context file is not pulled into the policy unless a corresponding TE file exists under the $SELINUX_POLICY/domains/ path.

The context file contains an ifdef statement; its purpose is to make certain that the shared directory /var/lib/dhcp is labeled without being declared more than once. This is discussed in detail in Example 3-1.
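The following added example (written for this page, not taken from the guide or the policy sources) makes the file contexts semantics concrete: it loads the dhcpd.fc excerpt above, expands the ifdef guard the way m4 would for this particular idiom, and resolves paths to contexts the way setfiles and matchpathcon do (the regex must match the whole path, a file-type flag must agree with the inode type, and the last matching entry wins). It assumes the excerpt with tabs replaced by spaces and handles only this guard idiom, not general m4.

```python
import re

# Constructed copy of the dhcpd.fc excerpt quoted above (tabs replaced by spaces).
DHCPD_FC = r"""# dhcpd
/etc/dhcpd.conf    --  system_u:object_r:dhcp_etc_t
/etc/dhcp3(/.*)?       system_u:object_r:dhcp_etc_t
/usr/sbin/dhcpd.*  --  system_u:object_r:dhcpd_exec_t
/var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
/var/run/dhcpd\.pid  -d  system_u:object_r:dhcpd_var_run_t
ifdef(`dhcp_defined', `', `
/var/lib/dhcp(3)?  -d  system_u:object_r:dhcp_state_t
define(`dhcp_defined')
')
"""
# setfiles file-type flags: a flagged entry only labels inodes of that type.
FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
         "-b": "block", "-s": "sock", "-p": "fifo"}

def expand_guard(text, defined):
    # Minimal stand-in for m4: handles only the ifdef(`X', `', `...') /
    # define(`X') guard idiom from dhcpd.fc; `defined` is shared across files.
    out, skipping = [], False
    for line in text.splitlines():
        if m := re.fullmatch(r"ifdef\(`(\w+)', `', `", line):
            skipping = m.group(1) in defined   # drop the else-branch if X is set
        elif line == "')":
            skipping = False
        elif skipping:
            continue
        elif m := re.fullmatch(r"define\(`(\w+)'\)", line):
            defined.add(m.group(1))
        else:
            out.append(line)
    return out

def build_specs(fc_texts):
    # Expand every fc file in order with one shared define set, then parse entries.
    defined, specs = set(), []
    for text in fc_texts:
        for line in expand_guard(text, defined):
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            ftype = FLAGS[parts[1]] if len(parts) == 3 else None
            specs.append((re.compile(parts[0]), ftype, parts[-1]))
    return specs

def lookup(specs, path, ftype="file"):
    # As setfiles/matchpathcon do: whole-path regex match, last matching entry wins.
    ctx = None
    for regex, want, spec_ctx in specs:
        if regex.fullmatch(path) and want in (None, ftype):
            ctx = spec_ctx
    return ctx
```

Feeding the excerpt twice shows what the guard buys: the /var/lib/dhcp entry is emitted only on the first expansion. Note also that the -d flag on the dhcpd.pid line restricts that entry to directories, so a regular pid file would not receive dhcpd_var_run_t from it.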