initrc_selinux(8)          SELinux Policy initrc          initrc_selinux(8)



NAME
initrc_selinux - Security Enhanced Linux Policy for the initrc processes

DESCRIPTION
Security-Enhanced Linux secures the initrc processes via flexible
mandatory access control.

The initrc processes execute with the initrc_t SELinux type. You can
check if you have these processes running by executing the ps command
with the -Z qualifier.

For example:

ps -eZ | grep initrc_t


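The grep above matches any line that merely contains the string initrc_t, including a command whose arguments name an *_initrc_exec_t script. The following added example (not part of the sepolicy-generated page) extracts the type field from the full security context instead, so only processes actually running in the initrc_t domain are reported. The function name procs_in_domain and the sample ps output are constructed for this example; the PIDs and commands in SAMPLE_PS are made up.

```shell
# Added example: list processes whose SELinux domain is initrc_t by parsing
# the type field of the context rather than grepping for a substring.

# Read "LABEL PID COMMAND" lines, the layout of `ps -eo label,pid,comm`, on
# stdin and print "PID COMMAND" for every process running in domain $1.
procs_in_domain() {
    want="$1"
    while read -r label pid comm; do
        # A context is user:role:type[:range]; the type is the third field.
        ptype=$(printf '%s\n' "$label" | cut -d: -f3)
        if [ "$ptype" = "$want" ]; then
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
    return 0
}

# Constructed sample in `ps -eo label,pid,comm` format, header line included
# exactly as ps prints it. The processes and PIDs are invented for this demo.
SAMPLE_PS='LABEL PID COMMAND
system_u:system_r:init_t:s0 1 systemd
system_u:system_r:initrc_t:s0 812 rc.local
system_u:system_r:sshd_t:s0-s0:c0.c1023 900 sshd
system_u:system_r:initrc_t:s0 1203 legacy-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1400 bash'

# Run the filter over the sample. On a live system the equivalent is:
#   ps -eo label,pid,comm | procs_in_domain initrc_t
demo_initrc_procs() {
    printf '%s\n' "$SAMPLE_PS" | procs_in_domain initrc_t
}
```

Anything this reports that is a long-running service rather than an init script deserves attention: a daemon that stays in initrc_t instead of transitioning to its own domain runs with the very broad access this page describes under the managed file types.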
ENTRYPOINTS
The initrc_t SELinux type can be entered via the sslh_initrc_exec_t,
zoneminder_initrc_exec_t, mongod_initrc_exec_t, mdadm_initrc_exec_t,
cyphesis_initrc_exec_t, pcp_pmmgr_initrc_exec_t, polipo_initrc_exec_t,
uuidd_initrc_exec_t, innd_initrc_exec_t, lldpad_initrc_exec_t,
glance_registry_initrc_exec_t, gpm_initrc_exec_t, icecast_initrc_exec_t,
cyrus_initrc_exec_t, couchdb_initrc_exec_t, abrt_initrc_exec_t,
jabberd_initrc_exec_t, syslogd_initrc_exec_t, osad_initrc_exec_t,
puppetagent_initrc_exec_t, pingd_initrc_exec_t, callweaver_initrc_exec_t,
cobblerd_initrc_exec_t, ddclient_initrc_exec_t, sshd_initrc_exec_t,
NetworkManager_initrc_exec_t, l2tpd_initrc_exec_t, cgred_initrc_exec_t,
ajaxterm_initrc_exec_t, postfix_initrc_exec_t, pcp_pmwebd_initrc_exec_t,
pki_tps_script_exec_t, pcp_pmproxy_initrc_exec_t, privoxy_initrc_exec_t,
neutron_initrc_exec_t, openhpid_initrc_exec_t, likewise_initrc_exec_t,
automount_initrc_exec_t, naemon_initrc_exec_t, mpd_initrc_exec_t,
afs_initrc_exec_t, dictd_initrc_exec_t, sanlock_initrc_exec_t,
slpd_initrc_exec_t, dhcpc_helper_exec_t, isnsd_initrc_exec_t,
amtu_initrc_exec_t, uucpd_initrc_exec_t, rngd_initrc_exec_t,
cfengine_initrc_exec_t, redis_initrc_exec_t, pki_ra_script_exec_t,
mscan_initrc_exec_t, zabbix_initrc_exec_t, apmd_initrc_exec_t,
rpcbind_initrc_exec_t, canna_initrc_exec_t, psad_initrc_exec_t,
foghorn_initrc_exec_t, nfsd_initrc_exec_t, bcfg2_initrc_exec_t,
saslauthd_initrc_exec_t, glance_api_initrc_exec_t, sendmail_initrc_exec_t,
minidlna_initrc_exec_t, vdagentd_initrc_exec_t, ksmtuned_initrc_exec_t,
svnserve_initrc_exec_t, ypbind_initrc_exec_t, radiusd_initrc_exec_t,
clvmd_initrc_exec_t, asterisk_initrc_exec_t, gpsd_initrc_exec_t,
rhsmcertd_initrc_exec_t, puppetmaster_initrc_exec_t,
pcp_plugin_initrc_exec_t, shell_exec_t, hddtemp_initrc_exec_t,
nagios_initrc_exec_t, sysstat_initrc_exec_t, rpcd_initrc_exec_t,
fetchmail_initrc_exec_t, samba_initrc_exec_t, pads_initrc_exec_t,
virtd_initrc_exec_t, piranha_pulse_initrc_exec_t, portmap_initrc_exec_t,
kerberos_initrc_exec_t, mcelog_initrc_exec_t, firewalld_initrc_exec_t,
cvs_initrc_exec_t, fsdaemon_initrc_exec_t, named_initrc_exec_t,
sblim_initrc_exec_t, pkcs_slotd_initrc_exec_t, pcp_pmcd_initrc_exec_t,
boinc_initrc_exec_t, keystone_initrc_exec_t, rtkit_daemon_initrc_exec_t,
crond_initrc_exec_t, avahi_initrc_exec_t, usr_t, fcoemon_initrc_exec_t,
snmpd_initrc_exec_t, auditd_initrc_exec_t, squid_initrc_exec_t,
iodined_initrc_exec_t, exim_initrc_exec_t, pcscd_initrc_exec_t,
fail2ban_initrc_exec_t, bacula_initrc_exec_t, wdmd_initrc_exec_t,
sensord_initrc_exec_t, vnstatd_initrc_exec_t, varnishd_initrc_exec_t,
initrc_exec_t, ipsec_initrc_exec_t, lircd_initrc_exec_t,
certmonger_initrc_exec_t, rwho_initrc_exec_t, tgtd_initrc_exec_t,
irqbalance_initrc_exec_t, apcupsd_initrc_exec_t, mysqld_initrc_exec_t,
oracleasm_initrc_exec_t, rhnsd_initrc_exec_t, glusterd_initrc_exec_t,
cluster_initrc_exec_t, memcached_initrc_exec_t, mrtg_initrc_exec_t,
vhostmd_initrc_exec_t, ccs_initrc_exec_t, virtlogd_initrc_exec_t,
mon_statd_initrc_exec_t, glance_scrubber_initrc_exec_t,
hypervkvp_initrc_exec_t, dspam_initrc_exec_t, zebra_initrc_exec_t, bin_t,
nis_initrc_exec_t, ulogd_initrc_exec_t, entropyd_initrc_exec_t,
soundd_initrc_exec_t, chronyd_initrc_exec_t, certmaster_initrc_exec_t,
bitlbee_initrc_exec_t, tuned_initrc_exec_t, shorewall_initrc_exec_t,
collectd_initrc_exec_t, nslcd_initrc_exec_t, snort_initrc_exec_t,
condor_initrc_exec_t, spamd_initrc_exec_t, pppd_initrc_exec_t,
dhcpd_initrc_exec_t, minissdpd_initrc_exec_t, smsd_initrc_exec_t,
ntop_initrc_exec_t, cmirrord_initrc_exec_t, prelude_initrc_exec_t,
aiccu_initrc_exec_t, rabbitmq_initrc_exec_t, ctdbd_initrc_exec_t,
roundup_initrc_exec_t, ftpd_initrc_exec_t, tcsd_initrc_exec_t,
ricci_initrc_exec_t, cgconfig_initrc_exec_t, cupsd_initrc_exec_t,
qpidd_initrc_exec_t, ntpd_initrc_exec_t, iwhd_initrc_exec_t,
varnishlog_initrc_exec_t, sssd_initrc_exec_t, nscd_initrc_exec_t,
iptables_initrc_exec_t, portreserve_initrc_exec_t, openvpn_initrc_exec_t,
cpuplug_initrc_exec_t, kismet_initrc_exec_t, zabbix_agent_initrc_exec_t,
smokeping_initrc_exec_t, kdump_initrc_exec_t, denyhosts_initrc_exec_t,
pcp_pmlogger_initrc_exec_t, dovecot_initrc_exec_t, openct_initrc_exec_t,
httpd_initrc_exec_t, ciped_initrc_exec_t, conntrackd_initrc_exec_t,
slapd_initrc_exec_t, blkmapd_initrc_exec_t, postgrey_initrc_exec_t,
dlm_controld_initrc_exec_t, watchdog_initrc_exec_t,
mysqlmanagerd_initrc_exec_t, dnsmasq_initrc_exec_t, gdomap_initrc_exec_t,
acct_initrc_exec_t, pcp_pmie_initrc_exec_t, drbd_initrc_exec_t,
setrans_initrc_exec_t, bluetooth_initrc_exec_t, tor_initrc_exec_t,
antivirus_initrc_exec_t, arpwatch_initrc_exec_t, munin_initrc_exec_t,
radvd_initrc_exec_t, postgresql_initrc_exec_t file types.

Note that this list includes the generic executable types bin_t, usr_t and
shell_exec_t, so almost any ordinary system binary or shell is a valid
entrypoint; whether a given caller actually transitions into initrc_t is
decided by the policy's domain transition rules for that caller, not by the
entrypoint type alone.

The default entrypoint paths for the initrc_t domain are the following:

All executables with the default executable label, usually stored in
/usr/bin and /usr/sbin. /etc/rc.d/init.d/sslh, /etc/rc.d/init.d/zoneminder,
/etc/rc.d/init.d/mongod, /etc/rc.d/init.d/mongos,
/etc/rc.d/init.d/mdmonitor, /etc/rc.d/init.d/cyphesis,
/etc/rc.d/init.d/pmmgr, /etc/rc.d/init.d/polipo, /etc/rc.d/init.d/uuidd,
/etc/rc.d/init.d/innd, /etc/rc.d/init.d/lldpad,
/etc/rc.d/init.d/openstack-glance-registry, /etc/rc.d/init.d/gpm,
/etc/rc.d/init.d/icecast, /etc/rc.d/init.d/cyrus.*,
/etc/rc.d/init.d/couchdb, /etc/rc.d/init.d/abrt, /etc/rc.d/init.d/jabberd,
/etc/rc.d/init.d/rsyslog, /etc/rc.d/init.d/osad, /etc/rc.d/init.d/puppet,
/etc/rc.d/init.d/whatsup-pingd, /etc/rc.d/init.d/callweaver,
/etc/rc.d/init.d/cobblerd, /etc/rc.d/init.d/ddclient,
/etc/rc.d/init.d/sshd, /etc/NetworkManager/dispatcher.d(/.*)?,
/etc/rc.d/init.d/wicd, /etc/rc.d/init.d/.*l2tpd, /etc/rc.d/init.d/cgred,
/etc/rc.d/init.d/ajaxterm, /etc/rc.d/init.d/postfix,
/etc/rc.d/init.d/pmwebd, /etc/rc.d/init.d/pmproxy,
/etc/rc.d/init.d/privoxy, /etc/rc.d/init.d/neutron.*,
/etc/rc.d/init.d/quantum.*, /etc/rc.d/init.d/openhpid,
/etc/rc.d/init.d/lwiod, /etc/rc.d/init.d/lwsmd, /etc/rc.d/init.d/lsassd,
/etc/rc.d/init.d/lwregd, /etc/rc.d/init.d/dcerpcd,
/etc/rc.d/init.d/srvsvcd, /etc/rc.d/init.d/likewise,
/etc/rc.d/init.d/eventlogd, /etc/rc.d/init.d/netlogond,
/etc/rc.d/init.d/autofs, /etc/rc.d/init.d/naemon, /etc/rc.d/init.d/mpd,
/etc/rc.d/init.d/(open)?afs, /etc/rc.d/init.d/openafs-client,
/etc/rc.d/init.d/dictd, /etc/rc.d/init.d/sanlock, /etc/rc.d/init.d/slpd,
/etc/firestarter/firestarter.sh, /etc/rc.d/init.d/isnsd,
/etc/rc.d/init.d/amtu, /etc/rc.d/init.d/uucp, /etc/rc.d/init.d/rngd,
/etc/rc.d/init.d/((cf-serverd)|(cf-monitord)|(cf-execd)),
/etc/rc.d/init.d/redis, /etc/rc.d/init.d/MailScanner,
/etc/rc.d/init.d/(zabbix|zabbix-server), /etc/rc.d/init.d/acpid,
/etc/rc.d/init.d/rpcbind, /etc/rc.d/init.d/canna, /etc/rc.d/init.d/psad,
/etc/rc.d/init.d/nfs, /etc/rc.d/init.d/bcfg2-server, /etc/rc.d/init.d/sasl,
/etc/rc.d/init.d/openstack-glance-api, /etc/rc.d/init.d/sendmail,
/etc/rc.d/init.d/minidlna, /etc/rc.d/init.d/spice-vdagentd,
/etc/rc.d/init.d/ksmtuned, /etc/rc.d/init.d/svnserve,
/etc/rc.d/init.d/ypbind, /etc/rc.d/init.d/radiusd,
/etc/rc.d/init.d/asterisk, /etc/rc.d/init.d/gpsd,
/etc/rc.d/init.d/rhsmcertd, /etc/rc.d/init.d/puppetmaster, /bin/d?ash,
/bin/ksh.*, /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*,
/bin/esh, /bin/bash, /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
/bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
/usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /usr/bin/bash2,
/usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly, /usr/libexec/sesh,
/usr/sbin/nologin, /usr/bin/git-shell, /usr/sbin/scponlyc,
/usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
/usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell,
/etc/rc.d/init.d/hddtemp, /etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios,
/etc/rc.d/init.d/sysstat, /etc/rc.d/init.d/nfslock,
/etc/rc.d/init.d/rpcidmapd, /etc/rc.d/init.d/fetchmail,
/etc/rc.d/init.d/nmb, /etc/rc.d/init.d/smb, /etc/rc.d/init.d/winbind,
/etc/rc.d/init.d/pads, /etc/rc.d/init.d/libvirtd, /etc/rc.d/init.d/pulse,
/etc/rc.d/init.d/portmap, /etc/rc.d/init.d/kprop,
/etc/rc.d/init.d/kadmind, /etc/rc.d/init.d/krb524d,
/etc/rc.d/init.d/krb5kdc, /etc/rc.d/init.d/mcelog,
/etc/rc.d/init.d/firewalld, /etc/rc.d/init.d/cvs,
/etc/rc.d/init.d/(smartd|smartmontools), /etc/rc.d/init.d/named,
/etc/rc.d/init.d/unbound, /etc/rc.d/init.d/named-sdb,
/etc/rc.d/init.d/gatherer, /etc/rc.d/init.d/sblim-sfcbd,
/etc/rc.d/init.d/pkcsslotd, /etc/rc.d/init.d/pmcd,
/etc/rc.d/init.d/boinc-client, /etc/rc.d/init.d/openstack-keystone,
/etc/rc.d/init.d/rtkit-daemon, /etc/rc.d/init.d/atd,
/etc/rc.d/init.d/avahi.*, /opt/.*, /usr/.*, /emul/.*, /export(/.*)?,
/ostree(/.*)?, /usr/doc(/.*)?/lib(/.*)?, /usr/inclu.e(/.*)?,
/usr/share/rpm(/.*)?, /usr/share/doc(/.*)?/README.*,
/usr/lib/modules(/.*)/vmlinuz, /usr/lib/modules(/.*)/initramfs.img,
/usr/lib/sysimage(/.*)?, /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul,
/etc/rc.d/init.d/fcoe, /etc/rc.d/init.d/(snmpd|snmptrapd),
/etc/rc.d/init.d/auditd, /etc/rc.d/init.d/squid,
/etc/rc.d/init.d/((iodined)|(iodine-server)), /etc/rc.d/init.d/exim,
/etc/rc.d/init.d/pcscd, /etc/rc.d/init.d/fail2ban,
/etc/rc.d/init.d/bacula.*, /etc/rc.d/init.d/wdmd,
/etc/rc.d/init.d/sensord, /etc/rc.d/init.d/vnstat,
/etc/rc.d/init.d/varnish, /etc/init.d/.*, /etc/rc.d/rc.[^/]+,
/etc/rc.d/init.d/.*, /opt/nfast/sbin/init.d-ncipher,
/usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*,
/usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*),
/etc/rc.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl,
/usr/sbin/apachectl, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty,
/usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec,
/usr/share/system-config-services/system-config-services-mechanism.py,
/etc/rc.d/init.d/ipsec, /etc/rc.d/init.d/racoon,
/etc/rc.d/init.d/strongswan, /etc/rc.d/init.d/lirc,
/etc/rc.d/init.d/certmonger, /etc/rc.d/init.d/rwhod,
/etc/rc.d/init.d/tgtd, /etc/rc.d/init.d/irqbalance,
/etc/rc.d/init.d/apcupsd, /etc/rc.d/init.d/mysqld,
/etc/rc.d/init.d/oracleasm, /etc/rc.d/init.d/rhnsd,
/etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd, /etc/rc.d/init.d/openais,
/etc/rc.d/init.d/corosync, /etc/rc.d/init.d/cpglockd,
/etc/rc.d/init.d/heartbeat, /etc/rc.d/init.d/pacemaker,
/etc/rc.d/init.d/rgmanager, /etc/rc.d/init.d/memcached,
/etc/rc.d/init.d/mrtg, /etc/rc.d/init.d/vhostmd,
/etc/rc.d/init.d/((ccs)|(ccsd)), /etc/rc.d/init.d/virtlogd,
/etc/rc.d/init.d/mon_statd, /etc/rc.d/init.d/openstack-glance-scrubber,
/etc/rc.d/init.d/hypervkvpd, /etc/rc.d/init.d/dspam, /etc/rc.d/init.d/bgpd,
/etc/rc.d/init.d/ripd, /etc/rc.d/init.d/isisd, /etc/rc.d/init.d/ospfd,
/etc/rc.d/init.d/zebra, /etc/rc.d/init.d/babeld, /etc/rc.d/init.d/ospf6d,
/etc/rc.d/init.d/ripngd, /etc/rc.d/init.d/ypserv, /etc/rc.d/init.d/ypxfrd,
/etc/rc.d/init.d/yppasswd, /etc/rc.d/init.d/ulogd,
/etc/rc.d/init.d/((audio-entropyd)|(haveged)), /etc/rc.d/init.d/nasd,
/etc/rc.d/init.d/chronyd, /etc/rc.d/init.d/certmaster,
/etc/rc.d/init.d/bitlbee, /etc/rc.d/init.d/tuned,
/etc/rc.d/init.d/shorewall.*, /etc/rc.d/init.d/collectd,
/etc/rc.d/init.d/nslcd, /etc/rc.d/init.d/snortd, /etc/rc.d/init.d/condor,
/etc/rc.d/init.d/mimedefang.*, /etc/rc.d/init.d/spamd,
/etc/rc.d/init.d/pyzord, /etc/rc.d/init.d/spampd,
/etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp,
/etc/rc.d/init.d/dhcpd(6)?, /etc/rc.d/init.d/dhcrelay(6)?,
/etc/rc.d/init.d/minissdpd, /etc/rc.d/init.d/smsd, /etc/rc.d/init.d/ntop,
/etc/rc.d/init.d/cmirrord, /etc/rc.d/init.d/prelude-lml,
/etc/rc.d/init.d/prelude-manager, /etc/rc.d/init.d/prelude-correlator,
/etc/rc.d/init.d/aiccu, /etc/rc.d/init.d/rabbitmq-server,
/etc/rc.d/init.d/ctdb, /etc/rc.d/init.d/roundup, /etc/rc.d/init.d/vsftpd,
/etc/rc.d/init.d/proftpd, /etc/rc.d/init.d/(tcsd|trousers),
/etc/rc.d/init.d/ricci, /etc/rc.d/init.d/cgconfig, /etc/rc.d/init.d/cups,
/etc/rc.d/init.d/qpidd, /etc/rc.d/init.d/ntpd, /etc/rc.d/init.d/iwhd,
/etc/rc.d/init.d/varnishlog, /etc/rc.d/init.d/varnishncsa,
/etc/rc.d/init.d/sssd, /etc/rc.d/init.d/nscd, /etc/rc.d/init.d/ip6?tables,
/etc/rc.d/init.d/ebtables, /etc/rc.d/init.d/nftables,
/etc/rc.d/init.d/portreserve, /etc/rc.d/init.d/openvpn,
/etc/rc.d/init.d/cpuplugd, /etc/rc.d/init.d/kismet.*,
/etc/rc.d/init.d/zabbix-agentd, /etc/rc.d/init.d/smokeping,
/etc/rc.d/init.d/kdump, /etc/rc.d/init.d/denyhosts,
/etc/rc.d/init.d/pmlogger, /etc/rc.d/init.d/dovecot,
/etc/rc.d/init.d/openct, /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
/etc/rc.d/init.d/lighttpd, /etc/rc.d/init.d/ciped.*,
/etc/rc.d/init.d/slapd, /etc/rc.d/init.d/blkmapd,
/etc/rc.d/init.d/postgrey, /etc/rc.d/init.d/watchdog,
/etc/rc.d/init.d/mysqlmanager, /etc/rc.d/init.d/dnsmasq,
/etc/rc.d/init.d/gdomap, /etc/rc.d/init.d/psacct, /etc/rc.d/init.d/pmie,
/etc/rc.d/init.d/drbd, /etc/rc.d/init.d/mcstrans, /etc/rc.d/init.d/dund,
/etc/rc.d/init.d/pand, /etc/rc.d/init.d/bluetooth, /etc/rc.d/init.d/tor,
/etc/rc.d/init.d/clamd.*, /etc/rc.d/init.d/amavis,
/etc/rc.d/init.d/amavisd-snmp, /etc/rc.d/init.d/arpwatch,
/etc/rc.d/init.d/munin-node, /etc/rc.d/init.d/radvd,
/etc/rc.d/init.d/(se)?postgresql

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
initrc policy is very flexible, allowing users to set up their initrc
processes in as secure a manner as possible.

The following process types are defined for initrc:

initrc_t

Note: semanage permissive -a initrc_t can be used to make the process
type initrc_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still
generated.


BOOLEANS
SELinux policy is customizable based on least access required. initrc
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run initrc with the tightest access possible.
The state given for each boolean below is the default recorded when this
page was generated; confirm the live value on a system with getsebool
before relying on it.


If you want to allow users to resolve user passwd entries directly from
ldap rather than using a sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1


If you want to deny user domain applications the ability to map a memory
region as both executable and writable, you must turn on the deny_execmem
boolean. Such mappings are dangerous, and an executable that needs one
should be reported in bugzilla. Enabled by default.

setsebool -P deny_execmem 1


If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1


If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1


If you want to allow processes to mmap a low area of the address space,
below the limit configured by /proc/sys/vm/mmap_min_addr, you must turn
on the mmap_low_allowed boolean. Disabled by default.

setsebool -P mmap_low_allowed 1


If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1


If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Enabled by default.

setsebool -P nscd_use_shm 1


If you want to disable kernel module loading, you must turn on the
secure_mode_insmod boolean. Enabled by default.

setsebool -P secure_mode_insmod 1


If you want to allow unconfined executables to make their heap memory
executable, you must turn on the selinuxuser_execheap boolean. Doing
this is a really bad idea: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Disabled by default.

setsebool -P selinuxuser_execheap 1


If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Enabled by default.

setsebool -P selinuxuser_execstack 1


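The W+X booleans above (deny_execmem, selinuxuser_execheap, selinuxuser_execstack) and the module-loading and low-mmap switches are the ones most often loosened on a host and then forgotten. The following added example (not part of the sepolicy-generated page) audits `getsebool -a` output against a baseline and prints the `setsebool -P` commands that would restore it. The BASELINE values are an illustrative assumption for a locked-down server, not the policy defaults; the function names and the SAMPLE_GETSEBOOL lines are constructed for this example.

```shell
# Added example: detect boolean drift from a baseline and emit remediation.

# Illustrative hardened baseline (an assumption, not the policy defaults):
# keep W+X mappings denied, forbid executable heap and stack, and lock
# module loading once the system has booted.
BASELINE='deny_execmem on
selinuxuser_execheap off
selinuxuser_execstack off
secure_mode_insmod on
mmap_low_allowed off'

# Read `getsebool -a` lines ("name --> on|off") on stdin and print
# "name current expected" for every boolean that deviates from BASELINE.
# Booleans absent from BASELINE are ignored. Returns 1 if drift was found.
bool_drift() {
    found=0
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        expected=$(printf '%s\n' "$BASELINE" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -n "$expected" ] && [ "$state" != "$expected" ]; then
            printf '%s %s %s\n' "$name" "$state" "$expected"
            found=1
        fi
    done
    return $found
}

# Turn the drift report into the persistent setsebool -P commands that
# restore the baseline. They are printed rather than executed, so this
# runs without root and without an SELinux-enabled kernel.
bool_remediation() {
    bool_drift | while read -r name state expected; do
        if [ "$expected" = on ]; then flag=1; else flag=0; fi
        printf 'setsebool -P %s %s\n' "$name" "$flag"
    done
    return 0
}

# Constructed sample of `getsebool -a` output: two values differ from
# BASELINE (secure_mode_insmod and selinuxuser_execstack).
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
deny_execmem --> on
mmap_low_allowed --> off
secure_mode_insmod --> off
selinuxuser_execheap --> off
selinuxuser_execstack --> on'

# On a live system: getsebool -a | bool_drift ; getsebool -a | bool_remediation
demo_bool_drift() { printf '%s\n' "$SAMPLE_GETSEBOOL" | bool_drift; }
demo_bool_fix()   { printf '%s\n' "$SAMPLE_GETSEBOOL" | bool_remediation; }
```

The exit status of bool_drift makes it usable as a compliance check in a cron job or CI step; review the printed setsebool commands before running them, since turning secure_mode_insmod on will also block legitimate module loads such as those triggered by plugging in new hardware.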
MANAGED FILES
The SELinux process type initrc_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note the process's UID still needs to have DAC permissions.

file_type

all files on the system

Because file_type covers every labeled file on the system, initrc_t
receives essentially no file-access confinement from SELinux beyond what
DAC provides; a service that remains in initrc_t instead of
transitioning to a dedicated domain runs with this broad access.

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux initrc policy is very flexible, allowing users to set up their
initrc processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for initrc. If you want to store
files with these types in different paths, you need to execute the
semanage command to specify the alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
restorecon -R -v /srv/myinitrc_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

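A file-context specification is a regular expression that libselinux anchors with ^ and $ before matching, so it must match the whole path. The following added example (not part of the sepolicy-generated page) applies the same anchoring with grep -E to preview which paths a spec such as the one above would label, and shows why `(/.*)?` rather than `/.*` is needed to cover the directory itself. libselinux compiles specs with PCRE, so grep -E is only an approximation for simple specs like these. The function names and the candidate paths are constructed for this example.

```shell
# Added example: preview what an fcontext spec matches before committing it.

# Return 0 if the spec, anchored at both ends as libselinux does, matches
# the whole path; non-zero otherwise.
fc_matches() {
    spec="$1"; path="$2"
    printf '%s\n' "$path" | grep -Eq -- "^${spec}\$"
}

# Print "path -> type" for each path the spec labels and "path -> (no match)"
# for the rest, so the effect of a spec can be reviewed before it is added.
fc_preview() {
    spec="$1"; ftype="$2"; shift 2
    for p in "$@"; do
        if fc_matches "$spec" "$p"; then
            printf '%s -> %s\n' "$p" "$ftype"
        else
            printf '%s -> (no match)\n' "$p"
        fi
    done
}

# The two commands the page gives for persisting a mapping and applying it,
# printed for review: fc_commands SPEC TYPE DIRECTORY
fc_commands() {
    printf "semanage fcontext -a -t %s '%s'\n" "$2" "$1"
    printf 'restorecon -R -v %s\n' "$3"
}

# Constructed candidate paths: the directory itself, a file beneath it, a
# sibling sharing the prefix, the same name under another root, and a
# renamed copy. Only the first two should receive initrc_var_run_t.
demo_fc_preview() {
    fc_preview '/srv/myinitrc_content(/.*)?' initrc_var_run_t \
        /srv/myinitrc_content \
        /srv/myinitrc_content/run/app.pid \
        /srv/myinitrc_content2 \
        /data/srv/myinitrc_content \
        /srv/myinitrc_content_old/run
}
```

Because of the anchoring, a spec written as `/srv/myinitrc_content/.*` would label everything under the directory but not the directory itself, which would keep its old label after restorecon; `(/.*)?` covers both cases. On a live system, `matchpathcon` or `semanage fcontext -l` shows the mapping the policy actually selects once the spec has been added.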
The following file types are defined for initrc:


initrc_devpts_t

- Set files with the initrc_devpts_t type, if you want to treat the
files as initrc devpts data.


initrc_exec_t

- Set files with the initrc_exec_t type, if you want to transition an
executable to the initrc_t domain.

Paths:
/etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
/opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
/usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
/opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
/usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/apachectl,
/usr/sbin/start-dirsrv, /usr/sbin/open_init_pty,
/usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec,
/usr/share/system-config-services/system-config-services-mechanism.py


initrc_state_t

- Set files with the initrc_state_t type, if you want to treat the
files as initrc state data.


initrc_tmp_t

- Set files with the initrc_tmp_t type, if you want to store initrc
temporary files in the /tmp directories.


initrc_var_log_t

- Set files with the initrc_var_log_t type, if you want to treat the
data as initrc var log data, usually stored under the /var/log
directory.


initrc_var_run_t

- Set files with the initrc_var_run_t type, if you want to store the
initrc files under the /run or /var/run directory.

Paths:
/var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
/var/run/setmixer_flag


Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.


COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.


system-config-selinux is a GUI tool available to customize SELinux
policy settings.


AUTHOR
This manual page was auto-generated using sepolicy manpage.


SEE ALSO
selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8)



initrc                          19-10-08                   initrc_selinux(8)