Chapter 4. Example Policy Reference
dhcpd
allow dhcpd_t dhcpd_var_run_t : dir { read getattr lock search \
    ioctl add_name remove_name write };
type_transition dhcpd_t var_run_t : file dhcpd_var_run_t;
dhcp_etc_t
The two direct rules using this type allow the dhcpd_t domain to read and get attributes on files of the type dhcp_etc_t, as well as search directories of the same type. This means the daemon cannot overwrite the configuration file. Indirect rules derive from the dhcp_etc_t type being part of the file_type attribute set, along with dhcpd_tmp_t, dhcpd_var_run_t, and others:
allow dhcpd_t dhcp_etc_t : file { read getattr };
allow dhcpd_t dhcp_etc_t : dir search;
dhcp_state_t
In addition to being covered by the rules governing the file_type attribute, this file type has two direct policy rules. The first allows the dhcpd_t domain to perform standard file system functions, such as read, write, and lock on directories, with the type dhcp_state_t. This directory is defined as /var/lib/dhcp/ in $SELINUX_SRC/file_contexts/program/dhcpc.fc, and is where dhcpd stores its lease files. The second rule is the transition rule stating that when the dhcpd_t domain creates a file in a directory labeled dhcp_state_t, this file gets a security type of dhcpd_state_t:
allow dhcpd_t dhcp_state_t : dir { read getattr lock search \
    ioctl add_name remove_name write };
type_transition dhcpd_t dhcp_state_t : file dhcpd_state_t;
Note
There are two distinct security contexts being discussed here: dhcp_state_t and
dhcpd_state_t.
dhcp_state_t is the type of the directory /var/lib/dhcp where both dhcpd and other clients
and daemons store DHCP lease information.
dhcpd_state_t is the type in the security label of a DHCP lease file created in /var/lib/dhcp
by the dhcpd daemon, running in the domain of dhcpd_t.
The dhcpd_state_t type is a derivative type, the way dhcpc_state_t derives from the dhcpc_t
domain in a stricter policy.
In the /var/lib/dhcp directory, the only allowed actions of the dhcpd_t domain are a series of
directory level operations. The domain cannot affect the files within unless those files are of the
type dhcpd_state_t:
allow dhcpd_t dhcpd_state_t:file { create ioctl read getattr lock \
write setattr append link unlink rename };
This separation allows the different DHCP applications to keep lease information in the same,
traditional directory, yet not be able to affect other DHCP program files.
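As an added illustration (not from the guide and not part of the SELinux toolchain), the following Python snippet parses the allow and type_transition rules quoted on this page into a small access-checking model, so you can confirm that dhcpd_t gets read-only access to dhcp_etc_t files while a file it creates in a dhcp_state_t directory comes out labeled dhcpd_state_t. The rule text is copied from this page into a constructed string, and the create check (add_name and write on the directory plus create on the new file type) is a simplification of the kernel's actual checks.

```python
import re
from collections import defaultdict

# Constructed input: the allow and type_transition rules quoted on this page.
DHCPD_RULES = """
allow dhcpd_t dhcp_etc_t : file { read getattr };
allow dhcpd_t dhcp_etc_t : dir search;
allow dhcpd_t dhcp_state_t : dir { read getattr lock search ioctl add_name remove_name write };
type_transition dhcpd_t dhcp_state_t : file dhcpd_state_t;
allow dhcpd_t dhcpd_state_t:file { create ioctl read getattr lock write setattr append link unlink rename };
"""

ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;")
TRANS_RE = re.compile(r"type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+)\s*;")


def parse_rules(text):
    """Return (allow, trans): allow maps (source, target, class) -> set of permissions;
    trans maps (source, directory type, class) -> type given to a newly created object."""
    allow = defaultdict(set)
    trans = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        allow[(src, tgt, cls)] |= set(perms.strip("{} ").split())
    for src, tgt, cls, new_type in TRANS_RE.findall(text):
        trans[(src, tgt, cls)] = new_type
    return allow, trans


def can(allow, src, tgt, cls, perm):
    """True if the policy grants `perm` on class `cls` from `src` to `tgt`."""
    return perm in allow.get((src, tgt, cls), set())


def create_file_type(allow, trans, src, dir_type):
    """Simplified model of creating a file: the domain needs add_name and write on the
    directory and create on the resulting file type. Without a type_transition rule the
    new file inherits the directory's type. Returns the new label, or None if denied."""
    new_type = trans.get((src, dir_type, "file"), dir_type)
    if not (can(allow, src, dir_type, "dir", "add_name") and can(allow, src, dir_type, "dir", "write")):
        return None
    if not can(allow, src, new_type, "file", "create"):
        return None
    return new_type
```

Querying the model shows the separation the text describes: dhcpd_t can read but not write dhcp_etc_t files, and a file created in /var/lib/dhcp (dhcp_state_t) is labeled dhcpd_state_t, which is the only file type in the directory dhcpd_t may modify.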
4.3. Boolean Values for dhcpd
SELinux has one Boolean for dhcpd: dhcpd_disable_trans. This is the standard Boolean for all targeted daemons, allowing you to disable the transition from unconfined_t to dhcpd_t. The value of this Boolean is set to false by default.
This Boolean can be changed via the system-config-securitylevel application or the /usr/sbin/setsebool -P dhcpd_disable_trans 1 command.
Booleans are explained in Section 3.2 Files and Directories of the Targeted Policy.