Chapter 4. Example Policy Reference (page 49)

dhcpd
connect getopt setopt shutdown };
allow dhcpd_t self : unix_stream_socket { create \
ioctl read getattr write setattr append bind \
connect getopt setopt shutdown };
As a network service, dhcpd is allowed to open a TCP or UDP socket and send and receive messages on any port whose type carries the port_type attribute. In this policy that attribute covers a long list of port types: dns_port_t, dhcpd_port_t, http_cache_port_t, port_t, reserved_port_t, http_port_t, pxe_port_t, smtp_port_t, mysqld_port_t, rndc_port_t, ntp_port_t, portmap_port_t, postgresql_port_t, snmp_port_t, and syslogd_port_t. Because port_t is the type given to every port that has no explicit label, the rule effectively reaches any port:
allow dhcpd_t port_type:{ tcp_socket udp_socket } \
{ send_msg recv_msg };
The next rule allows dhcpd to control the dhcpd_t type, that is, itself, for process signaling:
allow dhcpd_t self : process { sigchld sigkill sigstop \
signull signal fork };
dhcpd_exec_t
This is the file type for the dhcpd executable. This type is the entry point for the dhcpd_t domain.
dhcpd_port_t
The dhcpd_port_t type has one direct rule governing it:
allow dhcpd_t dhcpd_port_t : udp_socket name_bind;
The daemon running in the dhcpd_t domain, that is, dhcpd, has permission to bind a udp_socket to a port labeled dhcpd_port_t. The policy's network contexts label UDP port 67 with that type:
grep dhcpd_port_t $SELINUX_SRC/net_contexts
ifdef(`use_dhcpd', `portcon udp 67 system_u:object_r:\
dhcpd_port_t')
SELinux has controls for port binding, meaning it is able to allow or deny bind requests based on the security labels of the process and of the port. However, SELinux only checks name_bind for attempts to bind to reserved ports, which are ports less than 1024, and to ports outside the local port range set in /proc/sys/net/ipv4/ip_local_port_range; a bind to an ephemeral port inside that range is not checked against the port's label at all.
If dhcpd tries to bind to any reserved or out-of-range port other than UDP port 67, the request is denied. This is because dhcpd_t is allowed to bind only to a port of type dhcpd_port_t, and the only port with that type is UDP port 67 (the portcon entry is specific to UDP, so TCP port 67 is not covered by it).
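To see how the port_type rule above and the name_bind rule interact with port labeling, here is a small Python model. It is an added example, not code from this book or from the NSA example policy. It parses portcon lines the way the kernel resolves them (entries are walked in file order, the first match wins, and a port with no entry falls back to the default type port_t), loads the two dhcpd_t port rules quoted on this page, and performs the name_bind check only for reserved or out-of-range ports, as described. Everything except the udp/67 entry and those two rules is a constructed sample, and the local port range is assumed to be 32768-61000.

```python
"""Toy model of SELinux port labeling and the name_bind check (added example)."""
import re

# Constructed sample of net_contexts lines.  Only the udp/67 line is taken
# from the page (shown inside its m4 ifdef wrapper, as in the real file);
# the other entries are made up for the demonstration.  Order matters:
# the kernel walks portcon entries in file order and the first match wins,
# so the catch-all reserved_port_t ranges must come last.
NET_CONTEXTS = """\
portcon tcp 53 system_u:object_r:dns_port_t
portcon udp 53 system_u:object_r:dns_port_t
ifdef(`use_dhcpd', `portcon udp 67 system_u:object_r:dhcpd_port_t')
portcon tcp 80 system_u:object_r:http_port_t
portcon tcp 1-1023 system_u:object_r:reserved_port_t
portcon udp 1-1023 system_u:object_r:reserved_port_t
"""

PORTCON_RE = re.compile(
    r"portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+\S+?:object_r:(\w+)")


def parse_portcons(text):
    """Return [(proto, low, high, type)] in file order, ignoring m4 wrappers."""
    entries = []
    for m in PORTCON_RE.finditer(text):
        proto, low, high, ptype = m.groups()
        low = int(low)
        entries.append((proto, low, int(high) if high else low, ptype))
    return entries


def port_type(portcons, proto, port):
    """First matching portcon wins; unlabeled ports get the default type port_t."""
    for p, low, high, ptype in portcons:
        if p == proto and low <= port <= high:
            return ptype
    return "port_t"


# Types carrying the port_type attribute: the list given on the page.
ATTRIBUTES = {
    "port_type": {
        "dns_port_t", "dhcpd_port_t", "http_cache_port_t", "port_t",
        "reserved_port_t", "http_port_t", "pxe_port_t", "smtp_port_t",
        "mysqld_port_t", "rndc_port_t", "ntp_port_t", "portmap_port_t",
        "postgresql_port_t", "snmp_port_t", "syslogd_port_t",
    },
}

# The dhcpd_t port rules quoted on the page: (source, target, class, perms).
# A target may be a type or an attribute standing for every type carrying it.
ALLOW = [
    ("dhcpd_t", "dhcpd_port_t", "udp_socket", {"name_bind"}),
    ("dhcpd_t", "port_type", "tcp_socket", {"send_msg", "recv_msg"}),
    ("dhcpd_t", "port_type", "udp_socket", {"send_msg", "recv_msg"}),
]


def allowed(source, target_type, tclass, perm):
    """Access-vector lookup over ALLOW, expanding attribute targets."""
    for src, tgt, cls, perms in ALLOW:
        if src != source or cls != tclass or perm not in perms:
            continue
        if tgt == target_type or target_type in ATTRIBUTES.get(tgt, ()):
            return True
    return False


# Assumed value of /proc/sys/net/ipv4/ip_local_port_range (old Linux default).
LOCAL_PORT_RANGE = (32768, 61000)


def bind_decision(portcons, domain, proto, port, local_range=LOCAL_PORT_RANGE):
    """Model the bind hook: name_bind is checked only for reserved ports
    (< 1024) and ports outside the local range; everything else passes
    without consulting the port label.  Returns (verdict, port type)."""
    low, high = local_range
    if port >= 1024 and low <= port <= high:
        return ("not checked", None)
    ptype = port_type(portcons, proto, port)
    ok = allowed(domain, ptype, proto + "_socket", "name_bind")
    return ("allowed" if ok else "denied", ptype)


if __name__ == "__main__":
    pc = parse_portcons(NET_CONTEXTS)
    for proto, port in [("udp", 67), ("tcp", 67), ("udp", 68),
                        ("udp", 40000), ("udp", 65000)]:
        print(f"dhcpd_t bind {proto}/{port}: {bind_decision(pc, 'dhcpd_t', proto, port)}")
    # send_msg/recv_msg reach any labeled port through the port_type attribute
    print("send_msg to udp/53:",
          allowed("dhcpd_t", port_type(pc, "udp", 53), "udp_socket", "send_msg"))
```

Running it shows the three outcomes the text describes: udp/67 is allowed through dhcpd_port_t, tcp/67 and udp/68 are denied because they resolve to a type dhcpd_t cannot name_bind, a port in the local range is never checked, and a high port outside the range resolves to port_t and is denied. The send_msg check on udp/53 succeeds through the attribute, which is why the text says the port_type rule reaches any port.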
dhcpd_state_t
The dhcpd_state_t type is the file type for the dhcpd lease file, /var/lib/dhcp/dhcpd.leases. The dhcpd daemon is allowed to create, read, write, and otherwise manage a file with the context of dhcpd_state_t:
allow dhcpd_t dhcpd_state_t : file { create ioctl read \
getattr lock write setattr append link unlink rename };
type_transition dhcpd_t dhcp_state_t : file dhcpd_state_t;
The second rule is a type_transition rule that comes from a macro defined in $SELINUX_SRC/macros/core_macros.te and used in the dhcpd.te file as file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file). This rule ensures that, unless the dhcpd daemon explicitly overrides the label of the new file, when the daemon creates a regular file (object class file) in a directory of type dhcp_state_t, the file is automatically assigned the type dhcpd_state_t instead of inheriting the directory's type, dhcp_state_t, as a new file otherwise would. This allows the dhcpd daemon to