Chapter 4. Example Policy Reference

4.2. Policy Types

This section discusses the types associated with the dhcpd policy.
Note
SELinux policy uses a number of macros written in the m4 macro language to make policy writing
easier. In a type enforcement file such as dhcpd.te, macros are used extensively to call common
capabilities for subjects and targets. These are discussed in Section 2.9 Policy Macros and Section
3.4 Common Macros in the Targeted Policy.
For the purposes of dissecting the dhcpd policy, this section is based on what is found in the
policy.conf file. Since this file is created by the build process, the macros have been expanded
entirely. It takes some practice, but soon you can find and understand the macros and the associated
rulesets in the TE files from $SELINUX_SRC/domain/programs/.
dhcpd_t

This is the main, top-level domain for the dhcpd daemon. Nearly every rule in
$SELINUX_SRC/domain/programs/dhcpd.te deals with this type, most notably the
macros that expand into numerous rules. A complete list can be obtained using the apol tool.
This is discussed further in Chapter 6 Tools for Manipulating and Analyzing SELinux. Some
highlighted rules are:

Various specific manipulations of the dhcpd_*_t domains, as explained below in further
examples under each context.
Network rules necessary for dhcpd to do its work, such as tcp_recv, udp_recv, and
rawip_recv to network interfaces. Some examples are:

allow dhcpd_t netif_type : netif { tcp_send udp_send \
rawip_send };
allow dhcpd_t node_type : node { tcp_recv udp_recv \
rawip_recv };
Socket rules needed by dhcpd to create, listen, connect, accept, bind, read, write,
control input and output (ioctl), get (getattr) and set (setattr) attributes, send
(send_msg) and receive (recv_msg) messages, get (getopt) and set (setopt) command
options, and so forth. Socket objects controlled are tcp_socket, udp_socket,
netlink_route_socket, rawip_socket, unix_dgram_socket, unix_stream_socket, and
reserved_port_socket. These are all object classes that SELinux controls access to.
Some examples are:

allow dhcpd_t node_type : { tcp_socket udp_socket } \
node_bind ;
allow dhcpd_t port_type : { tcp_socket udp_socket } \
{ send_msg recv_msg };
allow dhcpd_t self : rawip_socket { create ioctl read \
getattr write setattr append bind connect getopt \
setopt shutdown };
allow dhcpd_t self : tcp_socket { create ioctl read \
getattr write setattr append bind connect getopt \
setopt shutdown listen accept };
allow dhcpd_t self : udp_socket { create ioctl read \
getattr write setattr append bind connect getopt \
setopt shutdown };
allow dhcpd_t self : unix_dgram_socket { create \
ioctl read getattr write setattr append bind \
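The network and socket rules quoted above are excerpts from the expanded policy.conf, and the guide points to apol for answering questions about them. As an added example (my own code, not part of the Red Hat guide, the dhcpd policy sources, or the apol tool), the following small parser reads allow rules in the TE syntax shown on this page, folds the backslash-continued lines, expands the { ... } class and permission sets, and answers the kind of question a policy reviewer asks first: which object classes a domain touches, what its permission vector on a given target and class is, and on which socket classes it may both bind and listen. The sample policy text is constructed from the rules quoted in this section; the function names and the assumption that every rule ends in a semicolon are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: the allow rules quoted in the dhcpd section of the
# guide, kept in the backslash-continued layout of the policy.conf excerpts.
# This is not the complete dhcpd.te, only the rules shown on the page. The first
# rule deliberately breaks its brace set across lines without a backslash, as it
# does on the page, to show that brace sets are parsed independently of layout.
SAMPLE_POLICY = r"""
allow dhcpd_t netif_type : netif { tcp_send udp_send
rawip_send };
allow dhcpd_t node_type : node { tcp_recv udp_recv \
rawip_recv };
allow dhcpd_t node_type : { tcp_socket udp_socket } \
node_bind ;
allow dhcpd_t port_type : { tcp_socket udp_socket } \
{ send_msg recv_msg };
allow dhcpd_t self : rawip_socket { create ioctl read \
getattr write setattr append bind connect getopt \
setopt shutdown };
allow dhcpd_t self : tcp_socket { create ioctl read \
getattr write setattr append bind connect getopt \
setopt shutdown listen accept };
allow dhcpd_t self : udp_socket { create ioctl read \
getattr write setattr append bind connect getopt \
setopt shutdown };
"""

# allow <source> <target> : <class | { classes }> <perm | { perms }> ;
_ALLOW_RULE = re.compile(
    r"allow\s+(?P<src>[^\s:]+)\s+(?P<tgt>[^\s:]+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|[^\s{;]+)\s*"
    r"(?P<perms>\{[^}]*\}|[^\s;{]+)\s*;"
)


def _fold_continuations(text):
    """Join backslash-newline continued lines, as the policy compiler does."""
    return re.sub(r"\\\s*\n", " ", text)


def _expand(token):
    """Turn a bare identifier or a `{ a b c }` set into a Python set of names."""
    token = token.strip()
    if token.startswith("{"):
        return set(token.strip("{}").split())
    return {token}


def parse_allow_rules(text):
    """Return {(source, target, object_class): set(permissions)} for every allow rule.

    A rule naming several classes in braces becomes one entry per class, which
    is also how the compiled policy represents it."""
    rules = defaultdict(set)
    for m in _ALLOW_RULE.finditer(_fold_continuations(text)):
        perms = _expand(m.group("perms"))
        for cls in _expand(m.group("cls")):
            rules[(m.group("src"), m.group("tgt"), cls)] |= perms
    return dict(rules)


def is_allowed(rules, src, tgt, cls, perm):
    """Is `perm` on (tgt, cls) granted to `src` by the parsed rules?"""
    return perm in rules.get((src, tgt, cls), set())


def permissions(rules, src, tgt, cls):
    """Sorted permission vector for one (source, target, class) triple."""
    return sorted(rules.get((src, tgt, cls), set()))


def object_classes(rules, src):
    """Every object class the source domain has any allow rule for."""
    return sorted({cls for (s, _t, cls) in rules if s == src})


def listening_sockets(rules, src):
    """Socket classes on which the domain may both bind and listen on itself,
    i.e. the ones through which it could actually offer a service."""
    return sorted(
        cls
        for (s, t, cls), perms in rules.items()
        if s == src and t == "self" and cls.endswith("_socket")
        and {"bind", "listen"} <= perms
    )


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_POLICY)
    print("object classes:", object_classes(rules, "dhcpd_t"))
    print("bind+listen sockets:", listening_sockets(rules, "dhcpd_t"))
    print("udp listen allowed?", is_allowed(rules, "dhcpd_t", "self", "udp_socket", "listen"))
```

Run against the sample, the parser reports that dhcpd_t may listen only on tcp_socket (the udp_socket and rawip_socket rules above grant bind but not listen), which is the same observation a reviewer would make from apol's rule search, only here it is reproducible offline from the quoted excerpt.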