1init_selinux(8) SELinux Policy init init_selinux(8)
2
6 init_selinux - Security Enhanced Linux Policy for the init processes
7
9 Security-Enhanced Linux secures the init processes via flexible manda‐
10 tory access control.
11 The init processes execute with the init_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15 For example:
17 ps -eZ | grep init_t
19
23 The init_t SELinux type can be entered via the init_exec_t,
24 shell_exec_t file types.
25 The default entrypoint paths for the init_t domain are the following:
27 /sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
29 /usr/lib/systemd/system-generators/[^/]*, /bin/systemd, /sbin/upstart,
30 /usr/bin/systemd, /usr/sbin/upstart, /bin/d?ash, /bin/ksh.*,
31 /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh,
32 /bin/bash, /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
33 /bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
34 /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
35 /usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
36 /usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-shell,
37 /usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
38 /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell
39
41 SELinux defines process types (domains) for each process running on the
42 system
43 You can see the context of a process using the -Z option to ps
45 Policy governs the access confined processes have to files. SELinux
47 init policy is very flexible allowing users to setup their init pro‐
48 cesses in as secure a method as possible.
49 The following process types are defined for init:
51 init_t, initrc_t
53 Note: semanage permissive -a init_t can be used to make the process
55 type init_t permissive. SELinux does not deny access to permissive
56 process types, but the AVC (SELinux denials) messages are still gener‐
57 ated.
58
61 SELinux policy is customizable based on least access required. init
62 policy is extremely flexible and has several booleans that allow you to
63 manipulate the policy and run init with the tightest access possible.
64 If you want to allow users to resolve user passwd entries directly from
68 ldap rather then using a sssd server, you must turn on the authlo‐
69 gin_nsswitch_use_ldap boolean. Disabled by default.
70 setsebool -P authlogin_nsswitch_use_ldap 1
72 If you want to deny all system processes and Linux users to use blue‐
76 tooth wireless technology, you must turn on the deny_bluetooth boolean.
77 Enabled by default.
78 setsebool -P deny_bluetooth 1
80 If you want to allow all domains to execute in fips_mode, you must turn
84 on the fips_mode boolean. Enabled by default.
85 setsebool -P fips_mode 1
87 If you want to allow confined applications to run with kerberos, you
91 must turn on the kerberos_enabled boolean. Disabled by default.
92 setsebool -P kerberos_enabled 1
94 If you want to allow system to run with NIS, you must turn on the
98 nis_enabled boolean. Disabled by default.
99 setsebool -P nis_enabled 1
101 If you want to allow confined applications to use nscd shared memory,
105 you must turn on the nscd_use_shm boolean. Disabled by default.
106 setsebool -P nscd_use_shm 1
108 If you want to disable kernel module loading, you must turn on the
112 secure_mode_insmod boolean. Enabled by default.
113 setsebool -P secure_mode_insmod 1
115 If you want to allow create vbox modules during startup new kernel, you
119 must turn on the use_virtualbox boolean. Disabled by default.
120 setsebool -P use_virtualbox 1
122
126 The SELinux process type init_t can manage files labeled with the fol‐
127 lowing file types. The paths listed are the default paths for these
128 file types. Note the processes UID still need to have DAC permissions.
129 auditd_etc_t
131 /etc/audit(/.*)?
133 binfmt_misc_fs_t
135 boolean_type
138 bpf_t
141 /sys/fs/bpf
143 cgroup_t
145 /sys/fs/cgroup
147 consolekit_log_t
149 /var/log/ConsoleKit(/.*)?
151 data_home_t
153 /root/.local/share(/.*)?
155 /home/[^/]+/.local/share(/.*)?
156 device_t
158 /dev/.*
160 /lib/udev/devices(/.*)?
161 /usr/lib/udev/devices(/.*)?
162 /dev
163 /etc/udev/devices
164 /var/named/chroot/dev
165 /var/spool/postfix/dev
166 /var/named/chroot_sdb/dev
167 etc_aliases_t
169 /etc/mail/.*.db
171 /etc/mail/aliases.*
172 /etc/postfix/aliases.*
173 /etc/aliases
174 /etc/aliases.db
175 etc_runtime_t
177 /[^/]+
179 /etc/mtab.*
180 /etc/blkid(/.*)?
181 /etc/nologin.*
182 /etc/.fstab.hal..+
183 /halt
184 /fastboot
185 /poweroff
186 /.autofsck
187 /etc/cmtab
188 /forcefsck
189 /.suspended
190 /fsckoptions
191 /.autorelabel
192 /etc/.updated
193 /var/.updated
194 /etc/killpower
195 /etc/nohotplug
196 /etc/securetty
197 /etc/ioctl.save
198 /etc/fstab.REVOKE
199 /etc/network/ifstate
200 /etc/sysconfig/hwconf
201 /etc/ptal/ptal-printd-like
202 /etc/xorg.conf.d/00-system-setup-keyboard.conf
203 /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf
204 faillog_t
206 /var/log/btmp.*
208 /var/log/faillog.*
209 /var/log/tallylog.*
210 /var/run/faillock(/.*)?
211 gnome_home_type
213 init_tmp_t
216 init_var_lib_t
219 /var/lib/systemd(/.*)?
221 /var/lib/private/systemd(/.*)?
222 init_var_run_t
224 /var/run/systemd(/.*)?
226 initrc_state_t
228 initrc_var_run_t
231 /var/run/utmp
233 /var/run/random-seed
234 /var/run/runlevel.dir
235 /var/run/setmixer_flag
236 ipsec_var_run_t
238 /var/racoon(/.*)?
240 /var/run/pluto(/.*)?
241 /var/run/charon.*
242 /var/run/racoon.pid
243 /var/run/charon.ctl
244 /var/run/charon.dck
245 /var/run/charon.vici
246 iscsi_lock_t
248 /var/lock/iscsi(/.*)?
250 krb5_host_rcache_t
252 /var/cache/krb5rcache(/.*)?
254 /var/tmp/nfs_0
255 /var/tmp/DNS_25
256 /var/tmp/host_0
257 /var/tmp/imap_0
258 /var/tmp/HTTP_23
259 /var/tmp/HTTP_48
260 /var/tmp/ldap_55
261 /var/tmp/ldap_487
262 /var/tmp/ldapmap1_0
263 krb5_keytab_t
265 /var/kerberos/krb5(/.*)?
267 /etc/krb5.keytab
268 /etc/krb5kdc/kadm5.keytab
269 /var/kerberos/krb5kdc/kadm5.keytab
270 lastlog_t
272 /var/log/lastlog.*
274 ld_so_cache_t
276 /etc/ld.so.cache
278 /etc/ld.so.cache~
279 /etc/ld.so.preload
280 /etc/ld.so.preload~
281 locale_t
283 /etc/locale.conf
285 /etc/vconsole.conf
286 /usr/lib/locale(/.*)?
287 /usr/share/locale(/.*)?
288 /usr/share/zoneinfo(/.*)?
289 /usr/share/X11/locale(/.*)?
290 /etc/timezone
291 /etc/localtime
292 /etc/sysconfig/clock
293 /etc/avahi/etc/localtime
294 /var/empty/sshd/etc/localtime
295 /var/named/chroot/etc/localtime
296 /var/spool/postfix/etc/localtime
297 lockfile
299 machineid_t
302 /etc/machine-id
304 /var/run/systemd/machine-id
305 mdadm_var_run_t
307 /dev/md/.*
309 /var/run/mdadm(/.*)?
310 /dev/.mdadm.map
311 mnt_t
313 /mnt(/[^/]*)?
315 /mnt(/[^/]*)?
316 /rhev(/[^/]*)?
317 /rhev/[^/]*/.*
318 /media(/[^/]*)?
319 /media(/[^/]*)?
320 /media/.hal-.*
321 /var/run/media(/[^/]*)?
322 /afs
323 /net
324 /misc
325 /rhev
326 mount_var_run_t
328 /run/mount(/.*)?
330 /dev/.mount(/.*)?
331 /var/run/mount(/.*)?
332 /var/run/davfs2(/.*)?
333 /var/cache/davfs2(/.*)?
334 named_conf_t
336 /etc/rndc.*
338 /etc/named(/.*)?
339 /etc/unbound(/.*)?
340 /var/named/chroot(/.*)?
341 /etc/named.rfc1912.zones
342 /var/named/chroot/etc/named.rfc1912.zones
343 /etc/named.conf
344 /var/named/named.ca
345 /etc/named.root.hints
346 /var/named/chroot/etc/named.conf
347 /etc/named.caching-nameserver.conf
348 /var/named/chroot/var/named/named.ca
349 /var/named/chroot/etc/named.root.hints
350 /var/named/chroot/etc/named.caching-nameserver.conf
351 passwd_file_t
353 /etc/group[-+]?
355 /etc/passwd[-+]?
356 /etc/passwd.adjunct.*
357 /etc/ptmptmp
358 /etc/.pwd.lock
359 /etc/group.lock
360 /etc/passwd.OLD
361 /etc/passwd.lock
362 print_spool_t
364 /var/spool/lpd(/.*)?
366 /var/spool/cups(/.*)?
367 /var/spool/cups-pdf(/.*)?
368 random_seed_t
370 /var/lib/random-seed
372 /usr/var/lib/random-seed
373 security_t
375 /selinux
377 svirt_file_type
379 sysctl_type
382 sysfs_t
385 /sys(/.*)?
387 systemd_home_t
389 /root/.local/share/systemd(/.*)?
391 /home/[^/]+/.local/share/systemd(/.*)?
392 systemd_logind_var_run_t
394 /var/run/.*nologin.*
396 /var/run/systemd/seats(/.*)?
397 /var/run/systemd/users(/.*)?
398 /var/run/systemd/shutdown(/.*)?
399 systemd_passwd_var_run_t
401 /var/run/systemd/ask-password(/.*)?
403 /var/run/systemd/ask-password-block(/.*)?
404 systemd_unit_file_type
406 tmpfs_t
409 /dev/shm
411 /var/run/shm
412 /usr/lib/udev/devices/shm
413 udev_rules_t
415 /etc/udev/rules.d(/.*)?
417 var_lib_nfs_t
419 /var/lib/nfs(/.*)?
421 var_lib_t
423 /opt/(.*/)?var/lib(/.*)?
425 /var/lib(/.*)?
426 var_log_t
428 /var/log/.*
430 /nsr/logs(/.*)?
431 /var/webmin(/.*)?
432 /var/log/secure[^/]*
433 /opt/zimbra/log(/.*)?
434 /var/log/maillog[^/]*
435 /var/log/spooler[^/]*
436 /var/log/messages[^/]*
437 /usr/centreon/log(/.*)?
438 /var/spool/rsyslog(/.*)?
439 /var/axfrdns/log/main(/.*)?
440 /var/spool/bacula/log(/.*)?
441 /var/tinydns/log/main(/.*)?
442 /var/dnscache/log/main(/.*)?
443 /var/stockmaniac/templates_cache(/.*)?
444 /opt/Symantec/scspagent/IDS/system(/.*)?
445 /var/log
446 /var/log/dmesg
447 /var/log/syslog
448 /var/named/chroot/var/log
449 var_run_t
451 /run/.*
453 /var/run/.*
454 /run
455 /var/run
456 /var/run
457 /var/spool/postfix/pid
458 wtmp_t
460 /var/log/wtmp.*
462
465 SELinux requires files to have an extended attribute to define the file
466 type.
467 You can see the context of a file using the -Z option to ls
469 Policy governs the access confined processes have to these files.
471 SELinux init policy is very flexible allowing users to setup their init
472 processes in as secure a method as possible.
473 EQUIVALENCE DIRECTORIES
475 init policy stores data with multiple different file context types
478 under the /var/run/systemd directory. If you would like to store the
479 data in a different directory you can use the semanage command to cre‐
480 ate an equivalence mapping. If you wanted to store this data under the
481 /srv dirctory you would execute the following command:
482 semanage fcontext -a -e /var/run/systemd /srv/systemd
484 restorecon -R -v /srv/systemd
485 STANDARD FILE CONTEXT
487 SELinux defines the file context types for the init, if you wanted to
489 store files with these types in a diffent paths, you need to execute
490 the semanage command to sepecify alternate labeling and then use
491 restorecon to put the labels on disk.
492 semanage fcontext -a -t initrc_var_run_t '/srv/myinit_content(/.*)?'
494 restorecon -R -v /srv/myinit_content
495 Note: SELinux often uses regular expressions to specify labels that
497 match multiple files.
498 The following file types are defined for init:
500 init_exec_t
504 - Set files with the init_exec_t type, if you want to transition an
506 executable to the init_t domain.
507 Paths:
510 /sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
511 /usr/lib/systemd/system-generators/[^/]*, /bin/systemd,
512 /sbin/upstart, /usr/bin/systemd, /usr/sbin/upstart
513 init_tmp_t
516 - Set files with the init_tmp_t type, if you want to store init tempo‐
518 rary files in the /tmp directories.
519 init_var_lib_t
523 - Set files with the init_var_lib_t type, if you want to store the init
525 files under the /var/lib directory.
526 Paths:
529 /var/lib/systemd(/.*)?, /var/lib/private/systemd(/.*)?
530 init_var_run_t
533 - Set files with the init_var_run_t type, if you want to store the init
535 files under the /run or /var/run directory.
536 initctl_t
540 - Set files with the initctl_t type, if you want to treat the files as
542 initctl data.
543 Paths:
546 /dev/initctl, /var/run/initctl, /var/run/systemd/initctl/fifo
547 initrc_devpts_t
550 - Set files with the initrc_devpts_t type, if you want to treat the
552 files as initrc devpts data.
553 initrc_exec_t
557 - Set files with the initrc_exec_t type, if you want to transition an
559 executable to the initrc_t domain.
560 Paths:
563 /etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
564 /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
565 /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
566 /opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
567 /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-dirsrv,
568 /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/syscon‐
569 fig/network-scripts/ifup-ipsec, /usr/share/system-config-ser‐
570 vices/system-config-services-mechanism.py
571 initrc_state_t
574 - Set files with the initrc_state_t type, if you want to treat the
576 files as initrc state data.
577 initrc_tmp_t
581 - Set files with the initrc_tmp_t type, if you want to store initrc
583 temporary files in the /tmp directories.
584 initrc_var_log_t
588 - Set files with the initrc_var_log_t type, if you want to treat the
590 data as initrc var log data, usually stored under the /var/log direc‐
591 tory.
592 initrc_var_run_t
596 - Set files with the initrc_var_run_t type, if you want to store the
598 initrc files under the /run or /var/run directory.
599 Paths:
602 /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
603 /var/run/setmixer_flag
604 Note: File context can be temporarily modified with the chcon command.
607 If you want to permanently change the file context you need to use the
608 semanage fcontext command. This will modify the SELinux labeling data‐
609 base. You will need to use restorecon to apply the labels.
610
613 semanage fcontext can also be used to manipulate default file context
614 mappings.
615 semanage permissive can also be used to manipulate whether or not a
617 process type is permissive.
618 semanage module can also be used to enable/disable/install/remove pol‐
620 icy modules.
621 semanage boolean can also be used to manipulate the booleans
623 system-config-selinux is a GUI tool available to customize SELinux pol‐
626 icy settings.
627
630 This manual page was auto-generated using sepolicy manpage .
631
634 selinux(8), init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
635 setsebool(8)
636init 19-12-02 init_selinux(8)