1initrc_selinux(8)            SELinux Policy initrc           initrc_selinux(8)
2
3
4

NAME

6       initrc_selinux  -  Security  Enhanced  Linux Policy for the initrc pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  initrc  processes  via  flexible
11       mandatory access control.
12
13       The  initrc  processes  execute with the initrc_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep initrc_t
20
21
22

ENTRYPOINTS

24       The  initrc_t  SELinux  type can be entered via the amtu_initrc_exec_t,
25       nscd_initrc_exec_t,    avahi_initrc_exec_t,     minidlna_initrc_exec_t,
26       nslcd_initrc_exec_t,       munin_initrc_exec_t,      mpd_initrc_exec_t,
27       rpcbind_initrc_exec_t,   naemon_initrc_exec_t,   roundup_initrc_exec_t,
28       pcscd_initrc_exec_t,   tuned_initrc_exec_t,   afs_initrc_exec_t,  ipta‐
29       bles_initrc_exec_t,   shorewall_initrc_exec_t,   radiusd_initrc_exec_t,
30       gpsd_initrc_exec_t,   cluster_initrc_exec_t,   ccs_initrc_exec_t,  sys‐
31       logd_initrc_exec_t,  slapd_initrc_exec_t,  lircd_initrc_exec_t,  fsdae‐
32       mon_initrc_exec_t,      foghorn_initrc_exec_t,     dspam_initrc_exec_t,
33       samba_initrc_exec_t,   glance_registry_initrc_exec_t,   certmonger_ini‐
34       trc_exec_t, radvd_initrc_exec_t, asterisk_initrc_exec_t, saslauthd_ini‐
35       trc_exec_t, pki_tps_script_exec_t, innd_initrc_exec_t,  varnishlog_ini‐
36       trc_exec_t,   zabbix_initrc_exec_t,   spamd_initrc_exec_t,   rtkit_dae‐
37       mon_initrc_exec_t,  nfsd_initrc_exec_t,  kerberos_initrc_exec_t,   con‐
38       ntrackd_initrc_exec_t,   initrc_exec_t,  neutron_initrc_exec_t,  bin_t,
39       shell_exec_t,     cgconfig_initrc_exec_t,      firewalld_initrc_exec_t,
40       setrans_initrc_exec_t,  slpd_initrc_exec_t,  kdump_initrc_exec_t,  con‐
41       dor_initrc_exec_t,      vnstatd_initrc_exec_t,      osad_initrc_exec_t,
42       kismet_initrc_exec_t,    ajaxterm_initrc_exec_t,    ftpd_initrc_exec_t,
43       hddtemp_initrc_exec_t,  fail2ban_initrc_exec_t,  sysstat_initrc_exec_t,
44       drbd_initrc_exec_t, aiccu_initrc_exec_t, smokeping_initrc_exec_t, cmir‐
45       rord_initrc_exec_t,  dhcpc_helper_exec_t,  piranha_pulse_initrc_exec_t,
46       minissdpd_initrc_exec_t,    usr_t,    ciped_initrc_exec_t,   boinc_ini‐
47       trc_exec_t,     irqbalance_initrc_exec_t,     glance_api_initrc_exec_t,
48       tgtd_initrc_exec_t,     hypervkvp_initrc_exec_t,    ntop_initrc_exec_t,
49       cgred_initrc_exec_t,    named_initrc_exec_t,     postfix_initrc_exec_t,
50       portmap_initrc_exec_t, ddclient_initrc_exec_t, mon_statd_initrc_exec_t,
51       NetworkManager_initrc_exec_t,  ipa_custodia_dmldap_exec_t,   uuidd_ini‐
52       trc_exec_t, pki_ra_script_exec_t, entropyd_initrc_exec_t, likewise_ini‐
53       trc_exec_t,   dhcpd_initrc_exec_t,   squid_initrc_exec_t,   openct_ini‐
54       trc_exec_t,      certmaster_initrc_exec_t,     automount_initrc_exec_t,
55       pcp_pmcd_initrc_exec_t,   memcached_initrc_exec_t,   nis_initrc_exec_t,
56       zoneminder_initrc_exec_t,  bacula_initrc_exec_t, privoxy_initrc_exec_t,
57       cpuplug_initrc_exec_t, ypbind_initrc_exec_t,  rwho_initrc_exec_t,  ice‐
58       cast_initrc_exec_t,     ctdbd_initrc_exec_t,     couchdb_initrc_exec_t,
59       apcupsd_initrc_exec_t,   watchdog_initrc_exec_t,   ulogd_initrc_exec_t,
60       apmd_initrc_exec_t,      abrt_initrc_exec_t,      mysqld_initrc_exec_t,
61       canna_initrc_exec_t,       puppetagent_initrc_exec_t,        ipa_custo‐
62       dia_ra_agent_exec_t,    pcp_pmlogger_initrc_exec_t,   zabbix_agent_ini‐
63       trc_exec_t,   ricci_initrc_exec_t,   gpm_initrc_exec_t,   ksmtuned_ini‐
64       trc_exec_t,   smsd_initrc_exec_t,   ntpd_initrc_exec_t,   glusterd_ini‐
65       trc_exec_t,  bluetooth_initrc_exec_t,  tcsd_initrc_exec_t,   snmpd_ini‐
66       trc_exec_t,   antivirus_initrc_exec_t,   rngd_initrc_exec_t,  mysqlman‐
67       agerd_initrc_exec_t,    cobblerd_initrc_exec_t,    pingd_initrc_exec_t,
68       httpd_initrc_exec_t,   virtd_initrc_exec_t,   pcp_plugin_initrc_exec_t,
69       vdagentd_initrc_exec_t,  denyhosts_initrc_exec_t,  crond_initrc_exec_t,
70       sssd_initrc_exec_t,  callweaver_initrc_exec_t, acct_initrc_exec_t, san‐
71       lock_initrc_exec_t, tor_initrc_exec_t, mcelog_initrc_exec_t, mdadm_ini‐
72       trc_exec_t,   sblim_initrc_exec_t,  qpidd_initrc_exec_t,  cyphesis_ini‐
73       trc_exec_t,  dictd_initrc_exec_t,  rhsmcertd_initrc_exec_t,   pads_ini‐
74       trc_exec_t,   openvpn_initrc_exec_t,  auditd_initrc_exec_t,  cupsd_ini‐
75       trc_exec_t,  iodined_initrc_exec_t,  lldpad_initrc_exec_t,   cyrus_ini‐
76       trc_exec_t,   pcp_pmproxy_initrc_exec_t,  svnserve_initrc_exec_t,  col‐
77       lectd_initrc_exec_t,     puppetmaster_initrc_exec_t,      varnishd_ini‐
78       trc_exec_t,   prelude_initrc_exec_t,  zebra_initrc_exec_t,  gdomap_ini‐
79       trc_exec_t, postgresql_initrc_exec_t,  cvs_initrc_exec_t,  sensord_ini‐
80       trc_exec_t,  oracleasm_initrc_exec_t, mrtg_initrc_exec_t, cfengine_ini‐
81       trc_exec_t,    iwhd_initrc_exec_t,    pppd_initrc_exec_t,    mscan_ini‐
82       trc_exec_t,  sendmail_initrc_exec_t, openhpid_initrc_exec_t, redis_ini‐
83       trc_exec_t, wdmd_initrc_exec_t,  pcp_pmie_initrc_exec_t,  arpwatch_ini‐
84       trc_exec_t,      bitlbee_initrc_exec_t,     dlm_controld_initrc_exec_t,
85       pkcs_slotd_initrc_exec_t,  soundd_initrc_exec_t,   uucpd_initrc_exec_t,
86       rpcd_initrc_exec_t,  keystone_initrc_exec_t, isnsd_initrc_exec_t, virt‐
87       logd_initrc_exec_t,     bcfg2_initrc_exec_t,     dovecot_initrc_exec_t,
88       ipsec_initrc_exec_t, clvmd_initrc_exec_t, exim_initrc_exec_t, sshd_ini‐
89       trc_exec_t,   jabberd_initrc_exec_t,    postgrey_initrc_exec_t,    rab‐
90       bitmq_initrc_exec_t,     polipo_initrc_exec_t,     snort_initrc_exec_t,
91       fcoemon_initrc_exec_t, dnsmasq_initrc_exec_t,  fetchmail_initrc_exec_t,
92       ipa_custodia_pki_tomcat_exec_t,          glance_scrubber_initrc_exec_t,
93       nagios_initrc_exec_t, psad_initrc_exec_t, mongod_initrc_exec_t, portre‐
94       serve_initrc_exec_t,    vhostmd_initrc_exec_t,   chronyd_initrc_exec_t,
95       l2tpd_initrc_exec_t,      sslh_initrc_exec_t,      rhnsd_initrc_exec_t,
96       blkmapd_initrc_exec_t file types.
97
98       The default entrypoint paths for the initrc_t domain are the following:
99
100       All  executables  with  the default executable label, usually stored in
101       /usr/bin and /usr/sbin.  /etc/rc.d/init.d/amtu,  /etc/rc.d/init.d/nscd,
102       /etc/rc.d/init.d/avahi.*,                    /etc/rc.d/init.d/minidlna,
103       /etc/rc.d/init.d/nslcd,                    /etc/rc.d/init.d/munin-node,
104       /etc/rc.d/init.d/mpd,  /etc/rc.d/init.d/rpcbind,  /etc/rc.d/init.d/nae‐
105       mon,         /etc/rc.d/init.d/roundup,          /etc/rc.d/init.d/pcscd,
106       /etc/rc.d/init.d/tuned,                    /etc/rc.d/init.d/(open)?afs,
107       /etc/rc.d/init.d/openafs-client,           /etc/rc.d/init.d/ip6?tables,
108       /etc/rc.d/init.d/ebtables,                   /etc/rc.d/init.d/nftables,
109       /etc/rc.d/init.d/shorewall.*,                 /etc/rc.d/init.d/radiusd,
110       /etc/rc.d/init.d/gpsd,                        /etc/rc.d/init.d/openais,
111       /etc/rc.d/init.d/corosync,                   /etc/rc.d/init.d/cpglockd,
112       /etc/rc.d/init.d/heartbeat,                 /etc/rc.d/init.d/pacemaker,
113       /etc/rc.d/init.d/rgmanager,            /etc/rc.d/init.d/((ccs)|(ccsd)),
114       /etc/rc.d/init.d/rsyslog,                       /etc/rc.d/init.d/slapd,
115       /etc/rc.d/init.d/lirc,         /etc/rc.d/init.d/(smartd|smartmontools),
116       /etc/rc.d/init.d/dspam,   /etc/rc.d/init.d/nmb,   /etc/rc.d/init.d/smb,
117       /etc/rc.d/init.d/winbind,   /etc/rc.d/init.d/openstack-glance-registry,
118       /etc/rc.d/init.d/certmonger,                    /etc/rc.d/init.d/radvd,
119       /etc/rc.d/init.d/asterisk,                       /etc/rc.d/init.d/sasl,
120       /etc/rc.d/init.d/innd,                     /etc/rc.d/init.d/varnishlog,
121       /etc/rc.d/init.d/varnishncsa,  /etc/rc.d/init.d/(zabbix|zabbix-server),
122       /etc/rc.d/init.d/mimedefang.*,                  /etc/rc.d/init.d/spamd,
123       /etc/rc.d/init.d/pyzord,                       /etc/rc.d/init.d/spampd,
124       /etc/rc.d/init.d/rtkit-daemon,                    /etc/rc.d/init.d/nfs,
125       /etc/rc.d/init.d/kprop,                       /etc/rc.d/init.d/kadmind,
126       /etc/rc.d/init.d/krb524d,   /etc/rc.d/init.d/krb5kdc,   /etc/init.d/.*,
127       /etc/rc.d/rc.[^/]+,  /etc/rc.d/init.d/.*,   /opt/nfast/sbin/init.d-nci‐
128       pher,        /usr/libexec/dcc/stop-.*,       /usr/libexec/dcc/start-.*,
129       /usr/lib/systemd/fedora[^/]*,           /opt/nfast/scripts/init.d/(.*),
130       /etc/rc.d/rc,   /etc/X11/prefdm,  /usr/sbin/startx,  /usr/bin/sepg_ctl,
131       /usr/sbin/start-dirsrv,   /usr/sbin/open_init_pty,   /usr/sbin/restart-
132       dirsrv,  /etc/sysconfig/network-scripts/ifup-ipsec,  /usr/share/system-
133       config-services/system-config-services-mechanism.py,
134       /etc/rc.d/init.d/neutron.*,   /etc/rc.d/init.d/quantum.*,   /bin/d?ash,
135       /bin/ksh.*, /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*,
136       /bin/esh,   /bin/bash,   /bin/fish,  /bin/mksh,  /bin/sash,  /bin/tcsh,
137       /bin/yash,  /bin/bash2,  /usr/bin/esh,  /sbin/nologin,   /usr/bin/bash,
138       /usr/bin/fish,     /usr/bin/mksh,     /usr/bin/sash,     /usr/bin/tcsh,
139       /usr/bin/yash,   /usr/bin/bash2,    /usr/sbin/sesh,    /usr/sbin/smrsh,
140       /usr/bin/scponly,  /usr/libexec/sesh,  /usr/sbin/nologin, /usr/bin/git-
141       shell,  /usr/sbin/scponlyc,  /usr/libexec/sudo/sesh,  /usr/bin/cockpit-
142       bridge,   /usr/libexec/cockpit-agent,  /usr/libexec/git-core/git-shell,
143       /etc/rc.d/init.d/cgconfig,                  /etc/rc.d/init.d/firewalld,
144       /etc/rc.d/init.d/mcstrans,                       /etc/rc.d/init.d/slpd,
145       /etc/rc.d/init.d/kdump,                        /etc/rc.d/init.d/condor,
146       /etc/rc.d/init.d/vnstat,                         /etc/rc.d/init.d/osad,
147       /etc/rc.d/init.d/kismet.*,                   /etc/rc.d/init.d/ajaxterm,
148       /etc/rc.d/init.d/vsftpd,                      /etc/rc.d/init.d/proftpd,
149       /etc/rc.d/init.d/hddtemp,                    /etc/rc.d/init.d/fail2ban,
150       /etc/rc.d/init.d/sysstat,                        /etc/rc.d/init.d/drbd,
151       /etc/rc.d/init.d/aiccu,                     /etc/rc.d/init.d/smokeping,
152       /etc/rc.d/init.d/cmirrord,             /etc/firestarter/firestarter.sh,
153       /etc/rc.d/init.d/pulse, /etc/rc.d/init.d/minissdpd,  /opt/.*,  /usr/.*,
154       /emul/.*,   /export(/.*)?,   /ostree(/.*)?,   /usr/doc(/.*)?/lib(/.*)?,
155       /usr/inclu.e(/.*)?,                               /usr/share/rpm(/.*)?,
156       /usr/share/doc(/.*)?/README.*,           /usr/lib/modules(/.*)/vmlinuz,
157       /usr/lib/modules(/.*)/initramfs.img,           /usr/lib/sysimage(/.*)?,
158       /usr/lib/ostree-boot(/.*)?,          /opt,         /usr,         /emul,
159       /etc/rc.d/init.d/ciped.*,                /etc/rc.d/init.d/boinc-client,
160       /etc/rc.d/init.d/irqbalance,     /etc/rc.d/init.d/openstack-glance-api,
161       /etc/rc.d/init.d/tgtd,                     /etc/rc.d/init.d/hypervkvpd,
162       /etc/rc.d/init.d/ntop,  /etc/rc.d/init.d/cgred, /etc/rc.d/init.d/named,
163       /etc/rc.d/init.d/unbound,                   /etc/rc.d/init.d/named-sdb,
164       /etc/rc.d/init.d/postfix,                     /etc/rc.d/init.d/portmap,
165       /etc/rc.d/init.d/ddclient, /etc/rc.d/init.d/mon_statd, /etc/NetworkMan‐
166       ager/dispatcher.d(/.*)?,    /usr/lib/NetworkManager/dispatcher.d(/.*)?,
167       /etc/rc.d/init.d/wicd,   /usr/libexec/ipa/custodia/ipa-custodia-dmldap,
168       /etc/rc.d/init.d/uuidd,  /etc/rc.d/init.d/((audio-entropyd)|(haveged)),
169       /etc/rc.d/init.d/lwiod,                         /etc/rc.d/init.d/lwsmd,
170       /etc/rc.d/init.d/lsassd,                       /etc/rc.d/init.d/lwregd,
171       /etc/rc.d/init.d/dcerpcd,                     /etc/rc.d/init.d/srvsvcd,
172       /etc/rc.d/init.d/likewise,                  /etc/rc.d/init.d/eventlogd,
173       /etc/rc.d/init.d/netlogond,                 /etc/rc.d/init.d/dhcpd(6)?,
174       /etc/rc.d/init.d/dhcrelay(6)?,                  /etc/rc.d/init.d/squid,
175       /etc/rc.d/init.d/openct,                   /etc/rc.d/init.d/certmaster,
176       /etc/rc.d/init.d/autofs,                         /etc/rc.d/init.d/pmcd,
177       /usr/libexec/pcp/lib/pmcd,                  /etc/rc.d/init.d/memcached,
178       /etc/rc.d/init.d/ypserv,                       /etc/rc.d/init.d/ypxfrd,
179       /etc/rc.d/init.d/yppasswd,                 /etc/rc.d/init.d/zoneminder,
180       /etc/rc.d/init.d/bacula.*,                    /etc/rc.d/init.d/privoxy,
181       /etc/rc.d/init.d/cpuplugd,                     /etc/rc.d/init.d/ypbind,
182       /etc/rc.d/init.d/rwhod,                       /etc/rc.d/init.d/icecast,
183       /etc/rc.d/init.d/ctdb,                        /etc/rc.d/init.d/couchdb,
184       /etc/rc.d/init.d/apcupsd,                    /etc/rc.d/init.d/watchdog,
185       /etc/rc.d/init.d/ulogd, /etc/rc.d/init.d/acpid,  /etc/rc.d/init.d/abrt,
186       /etc/rc.d/init.d/mysqld,  /etc/rc.d/init.d/canna, /etc/rc.d/init.d/pup‐
187       pet,                   /usr/libexec/ipa/custodia/ipa-custodia-ra-agent,
188       /etc/rc.d/init.d/pmlogger,               /usr/libexec/pcp/lib/pmlogger,
189       /etc/rc.d/init.d/zabbix-agentd,                 /etc/rc.d/init.d/ricci,
190       /etc/rc.d/init.d/gpm, /etc/rc.d/init.d/ksmtuned, /etc/rc.d/init.d/smsd,
191       /etc/rc.d/init.d/ntpd, /etc/rc.d/init.d/gluster.*,  /usr/sbin/glusterd,
192       /etc/rc.d/init.d/dund,   /etc/rc.d/init.d/pand,  /etc/rc.d/init.d/blue‐
193       tooth,                                /etc/rc.d/init.d/(tcsd|trousers),
194       /etc/rc.d/init.d/(snmpd|snmptrapd),           /etc/rc.d/init.d/clamd.*,
195       /etc/rc.d/init.d/amavis,                 /etc/rc.d/init.d/amavisd-snmp,
196       /etc/rc.d/init.d/rngd,                   /etc/rc.d/init.d/mysqlmanager,
197       /etc/rc.d/init.d/cobblerd,              /etc/rc.d/init.d/whatsup-pingd,
198       /etc/init.d/cherokee,                           /etc/rc.d/init.d/httpd,
199       /etc/rc.d/init.d/lighttpd,                   /etc/rc.d/init.d/libvirtd,
200       /etc/rc.d/init.d/spice-vdagentd,            /etc/rc.d/init.d/denyhosts,
201       /etc/rc.d/init.d/atd,   /etc/rc.d/init.d/sssd,   /etc/rc.d/init.d/call‐
202       weaver,        /etc/rc.d/init.d/psacct,       /etc/rc.d/init.d/sanlock,
203       /etc/rc.d/init.d/tor, /etc/rc.d/init.d/mcelog, /etc/rc.d/init.d/mdmoni‐
204       tor,      /etc/rc.d/init.d/gatherer,      /etc/rc.d/init.d/sblim-sfcbd,
205       /etc/rc.d/init.d/qpidd,                      /etc/rc.d/init.d/cyphesis,
206       /etc/rc.d/init.d/dictd,                     /etc/rc.d/init.d/rhsmcertd,
207       /etc/rc.d/init.d/pads,                        /etc/rc.d/init.d/openvpn,
208       /etc/rc.d/init.d/auditd,                         /etc/rc.d/init.d/cups,
209       /etc/rc.d/init.d/((iodined)|(iodine-server)),  /etc/rc.d/init.d/lldpad,
210       /etc/rc.d/init.d/cyrus.*,                     /etc/rc.d/init.d/pmproxy,
211       /usr/libexec/pcp/lib/pmproxy,                /etc/rc.d/init.d/svnserve,
212       /etc/rc.d/init.d/collectd,               /etc/rc.d/init.d/puppetmaster,
213       /etc/rc.d/init.d/varnish,                 /etc/rc.d/init.d/prelude-lml,
214       /etc/rc.d/init.d/prelude-manager,  /etc/rc.d/init.d/prelude-correlator,
215       /etc/rc.d/init.d/bgpd,  /etc/rc.d/init.d/ripd,  /etc/rc.d/init.d/isisd,
216       /etc/rc.d/init.d/ospfd,                         /etc/rc.d/init.d/zebra,
217       /etc/rc.d/init.d/babeld, /etc/rc.d/init.d/ospf6d, /etc/rc.d/init.d/rip‐
218       ngd,     /etc/rc.d/init.d/gdomap,     /etc/rc.d/init.d/(se)?postgresql,
219       /etc/rc.d/init.d/cvs,  /etc/rc.d/init.d/sensord,  /etc/rc.d/init.d/ora‐
220       cleasm, /etc/rc.d/init.d/mrtg, /etc/rc.d/init.d/((cf-serverd)|(cf-moni‐
221       tord)|(cf-execd)),                               /etc/rc.d/init.d/iwhd,
222       /etc/ppp/(auth|ip(v6|x)?)-(up|down),              /etc/rc.d/init.d/ppp,
223       /etc/rc.d/init.d/MailScanner,                /etc/rc.d/init.d/sendmail,
224       /etc/rc.d/init.d/openhpid,                      /etc/rc.d/init.d/redis,
225       /etc/rc.d/init.d/wdmd,                           /etc/rc.d/init.d/pmie,
226       /usr/libexec/pcp/lib/pmie,                   /etc/rc.d/init.d/arpwatch,
227       /etc/rc.d/init.d/bitlbee,                   /etc/rc.d/init.d/pkcsslotd,
228       /etc/rc.d/init.d/nasd, /etc/rc.d/init.d/uucp, /etc/rc.d/init.d/nfslock,
229       /etc/rc.d/init.d/rpcidmapd,        /etc/rc.d/init.d/openstack-keystone,
230       /etc/rc.d/init.d/isnsd,                      /etc/rc.d/init.d/virtlogd,
231       /etc/rc.d/init.d/bcfg2-server,                /etc/rc.d/init.d/dovecot,
232       /etc/rc.d/init.d/ipsec,                        /etc/rc.d/init.d/racoon,
233       /etc/rc.d/init.d/strongswan,                     /etc/rc.d/init.d/exim,
234       /etc/rc.d/init.d/sshd, /etc/rc.d/init.d/jabberd, /etc/rc.d/init.d/post‐
235       grey,    /etc/rc.d/init.d/rabbitmq-server,     /etc/rc.d/init.d/polipo,
236       /etc/rc.d/init.d/snortd,  /etc/rc.d/init.d/fcoe,  /etc/rc.d/init.d/dns‐
237       masq, /etc/rc.d/init.d/fetchmail,  /usr/libexec/ipa/custodia/ipa-custo‐
238       dia-pki-tomcat,      /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-
239       wrapped,                    /etc/rc.d/init.d/openstack-glance-scrubber,
240       /etc/rc.d/init.d/nrpe,  /etc/rc.d/init.d/nagios, /etc/rc.d/init.d/psad,
241       /etc/rc.d/init.d/mongod,                       /etc/rc.d/init.d/mongos,
242       /etc/rc.d/init.d/portreserve,                 /etc/rc.d/init.d/vhostmd,
243       /etc/rc.d/init.d/chronyd,                     /etc/rc.d/init.d/.*l2tpd,
244       /etc/rc.d/init.d/sslh, /etc/rc.d/init.d/rhnsd, /etc/rc.d/init.d/blkmapd
245

PROCESS TYPES

247       SELinux defines process types (domains) for each process running on the
248       system
249
250       You can see the context of a process using the -Z option to ps
251
252       Policy governs the access confined processes have to files. SELinux
253       initrc policy is very flexible, allowing users to set up their initrc
254       processes as securely as possible.
255
256       The following process types are defined for initrc:
257
258       initrc_t
259
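260       Note: semanage permissive -a initrc_t can be used to make the process
261       type initrc_t permissive. SELinux does not deny access to permissive
262       process types, but the AVC (SELinux denial) messages are still generated.
263       Because initrc_t has many entrypoints and can manage all files, use this
264       only for troubleshooting and revert it with semanage permissive -d initrc_t.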
265

BOOLEANS

267       SELinux  policy is customizable based on least access required.  initrc
268       policy is extremely flexible and has several booleans that allow you to
269       manipulate the policy and run initrc with the tightest access possible.
270
271
272
273       If you want to deny user domains applications the ability to map a
274       memory region as both executable and writable, you must turn on the
275       deny_execmem boolean. Such mappings are dangerous, and an executable
276       that needs one should be reported in bugzilla. Enabled by default.
277
278       setsebool -P deny_execmem 1
279
280
281
282       If you want to control the ability to mmap a low area  of  the  address
283       space,  as  configured  by /proc/sys/vm/mmap_min_addr, you must turn on
284       the mmap_low_allowed boolean. Disabled by default.
285
286       setsebool -P mmap_low_allowed 1
287
288
289
290       If you want to disable kernel module loading,  you  must  turn  on  the
291       secure_mode_insmod boolean. Enabled by default.
292
293       setsebool -P secure_mode_insmod 1
294
295
296
297       If you want to allow unconfined executables to make their heap memory
298       executable, you must turn on the selinuxuser_execheap boolean. Doing
299       this is a really bad idea: needing it probably indicates a badly coded
300       executable, but could indicate an attack. The executable should be
301       reported in bugzilla. Disabled by default.
302
303       setsebool -P selinuxuser_execheap 1
304
305
306
307       If you want to allow unconfined executables to make their stack
308       executable, you must turn on the selinuxuser_execstack boolean. This
309       should never, ever be necessary: needing it probably indicates a badly
310       coded executable, but could indicate an attack. The executable should
311       be reported in bugzilla. Disabled by default.
312
313       setsebool -P selinuxuser_execstack 1
314
315
316

MANAGED FILES

318       The SELinux process type initrc_t can manage files labeled with the
319       following file types.  The paths listed are the default paths for these
320       file types.  Note that the process's UID still needs to have DAC permissions.
321
322       file_type
323
324            all files on the system
325
326

FILE CONTEXTS

328       SELinux requires files to have an extended attribute to define the file
329       type.
330
331       You can see the context of a file using the -Z option to ls
332
333       Policy governs the access confined processes have to these files.
334       SELinux initrc policy is very flexible, allowing users to set up their
335       initrc processes as securely as possible.
336
337       STANDARD FILE CONTEXT
338
339       SELinux defines the file context types for initrc. If you want to
340       store files with these types in different paths, you need to execute
341       the semanage command to specify alternate labeling and then use
342       restorecon to put the labels on disk.
343
344       semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
345       restorecon -R -v /srv/myinitrc_content
346
347       Note:  SELinux  often  uses  regular expressions to specify labels that
348       match multiple files.
349
350       The following file types are defined for initrc:
351
352
353
354       initrc_devpts_t
355
356       - Set files with the initrc_devpts_t type, if you  want  to  treat  the
357       files as initrc devpts data.
358
359
360
361       initrc_exec_t
362
363       -  Set  files with the initrc_exec_t type, if you want to transition an
364       executable to the initrc_t domain.
365
366
367       Paths:
368            /etc/init.d/.*,      /etc/rc.d/rc.[^/]+,      /etc/rc.d/init.d/.*,
369            /opt/nfast/sbin/init.d-ncipher,          /usr/libexec/dcc/stop-.*,
370            /usr/libexec/dcc/start-.*,           /usr/lib/systemd/fedora[^/]*,
371            /opt/nfast/scripts/init.d/(.*),   /etc/rc.d/rc,   /etc/X11/prefdm,
372            /usr/sbin/startx,    /usr/bin/sepg_ctl,    /usr/sbin/start-dirsrv,
373            /usr/sbin/open_init_pty,   /usr/sbin/restart-dirsrv,  /etc/syscon‐
374            fig/network-scripts/ifup-ipsec,      /usr/share/system-config-ser‐
375            vices/system-config-services-mechanism.py
376
377
378       initrc_state_t
379
380       -  Set  files  with  the  initrc_state_t type, if you want to treat the
381       files as initrc state data.
382
383
384
385       initrc_tmp_t
386
387       - Set files with the initrc_tmp_t type, if you  want  to  store  initrc
388       temporary files in the /tmp directories.
389
390
391
392       initrc_var_log_t
393
394       -  Set  files  with the initrc_var_log_t type, if you want to treat the
395       data as initrc var log data, usually stored under the  /var/log  direc‐
396       tory.
397
398
399
400       initrc_var_run_t
401
402       -  Set  files  with the initrc_var_run_t type, if you want to store the
403       initrc files under the /run or /var/run directory.
404
405
406       Paths:
407            /var/run/utmp,    /var/run/random-seed,     /var/run/runlevel.dir,
408            /var/run/setmixer_flag
409
410
411       Note:  File context can be temporarily modified with the chcon command.
412       If you want to permanently change the file context you need to use  the
413       semanage fcontext command.  This will modify the SELinux labeling data‐
414       base.  You will need to use restorecon to apply the labels.
415
416

COMMANDS

418       semanage fcontext can also be used to manipulate default  file  context
419       mappings.
420
421       semanage  permissive  can  also  be used to manipulate whether or not a
422       process type is permissive.
423
424       semanage module can also be used to enable/disable/install/remove  pol‐
425       icy modules.
426
427       semanage boolean can also be used to manipulate the booleans
428
429
430       system-config-selinux is a GUI tool available to customize SELinux pol‐
431       icy settings.
432
433

AUTHOR

435       This manual page was auto-generated using sepolicy manpage .
436
437

SEE ALSO

439       selinux(8), initrc(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
440       icy(8), setsebool(8)
441
442
443
444initrc                             21-03-26                  initrc_selinux(8)