1initrc_selinux(8) SELinux Policy initrc initrc_selinux(8)
2
3
4
6 initrc_selinux - Security Enhanced Linux Policy for the initrc
7 processes
8
10 Security-Enhanced Linux secures the initrc processes via flexible
11 mandatory access control.
12
13 The initrc processes execute with the initrc_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep initrc_t
20
21
22
24 The initrc_t SELinux type can be entered via the prelude_initrc_exec_t,
25 lsmd_initrc_exec_t, sendmail_initrc_exec_t, pcp_pmmgr_initrc_exec_t,
26 dnsmasq_initrc_exec_t, freeipmi_ipmidetectd_initrc_exec_t, cob‐
27 blerd_initrc_exec_t, bitlbee_initrc_exec_t, cinder_backup_ini‐
28 trc_exec_t, file_type, sanlock_initrc_exec_t, slapd_initrc_exec_t, sys‐
29 logd_initrc_exec_t, ulogd_initrc_exec_t, glance_api_initrc_exec_t,
30 ntop_initrc_exec_t, ntpd_initrc_exec_t, cinder_api_initrc_exec_t,
31 nova_network_initrc_exec_t, openvpn_initrc_exec_t, nscd_initrc_exec_t,
32 nova_api_initrc_exec_t, bluetooth_initrc_exec_t, chronyd_initrc_exec_t,
33 kerneloops_initrc_exec_t, boinc_initrc_exec_t, nfsd_initrc_exec_t,
34 cgconfig_initrc_exec_t, denyhosts_initrc_exec_t, mongod_initrc_exec_t,
35 osad_initrc_exec_t, automount_initrc_exec_t, entropyd_initrc_exec_t,
36 roundup_initrc_exec_t, certmonger_initrc_exec_t, snort_initrc_exec_t,
37 snmpd_initrc_exec_t, conman_initrc_exec_t, ddclient_initrc_exec_t,
38 dictd_initrc_exec_t, ricci_initrc_exec_t, openhpid_initrc_exec_t,
39 piranha_web_initrc_exec_t, aiccu_initrc_exec_t, innd_initrc_exec_t,
40 pingd_initrc_exec_t, mysqlmanagerd_initrc_exec_t, nova_compute_ini‐
41 trc_exec_t, iwhd_initrc_exec_t, radiusd_initrc_exec_t, dhcpd_ini‐
42 trc_exec_t, lircd_initrc_exec_t, antivirus_initrc_exec_t, cyrus_ini‐
43 trc_exec_t, varnishd_initrc_exec_t, virtd_initrc_exec_t, mip6d_ini‐
44 trc_exec_t, keepalived_initrc_exec_t, piranha_fos_initrc_exec_t, mata‐
45 hari_initrc_exec_t, rhnsd_initrc_exec_t, freeipmi_bmc_watchdog_ini‐
46 trc_exec_t, piranha_lvs_initrc_exec_t, varnishlog_initrc_exec_t,
47 nova_console_initrc_exec_t, zabbix_agent_initrc_exec_t, nova_vol‐
48 ume_initrc_exec_t, piranha_pulse_initrc_exec_t, glance_scrubber_ini‐
49 trc_exec_t, glance_registry_initrc_exec_t, nova_vncproxy_initrc_exec_t,
50 puppetmaster_initrc_exec_t, redis_initrc_exec_t, httpd_initrc_exec_t,
51 kdump_initrc_exec_t, ptp4l_initrc_exec_t, collectd_initrc_exec_t,
52 bin_t, unlabeled_t, neutron_initrc_exec_t, proc_type, dovecot_ini‐
53 trc_exec_t, zebra_initrc_exec_t, lldpad_initrc_exec_t, oracleasm_ini‐
54 trc_exec_t, freeipmi_ipmiseld_initrc_exec_t, munin_initrc_exec_t,
55 soundd_initrc_exec_t, uuidd_initrc_exec_t, postfix_initrc_exec_t, ksm‐
56 tuned_initrc_exec_t, tuned_initrc_exec_t, ctdbd_initrc_exec_t, glus‐
57 terd_initrc_exec_t, saslauthd_initrc_exec_t, postgresql_initrc_exec_t,
58 fsdaemon_initrc_exec_t, kerberos_initrc_exec_t, nova_scheduler_ini‐
59 trc_exec_t, pcp_pmproxy_initrc_exec_t, apcupsd_initrc_exec_t,
60 cupsd_initrc_exec_t, tgtd_initrc_exec_t, filesystem_type, hddtemp_ini‐
61 trc_exec_t, keystone_initrc_exec_t, rhsmcertd_initrc_exec_t,
62 rtas_errd_initrc_exec_t, svnserve_initrc_exec_t, nova_direct_ini‐
63 trc_exec_t, exim_initrc_exec_t, ftpd_initrc_exec_t, auditd_ini‐
64 trc_exec_t, pcp_pmwebd_initrc_exec_t, hypervvssd_initrc_exec_t,
65 wdmd_initrc_exec_t, shorewall_initrc_exec_t, likewise_initrc_exec_t,
66 cfengine_initrc_exec_t, swift_initrc_exec_t, initrc_exec_t, post‐
67 grey_initrc_exec_t, cinder_scheduler_initrc_exec_t, avahi_ini‐
68 trc_exec_t, nagios_initrc_exec_t, gpsd_initrc_exec_t, privoxy_ini‐
69 trc_exec_t, cgred_initrc_exec_t, mtrr_device_t, shell_exec_t, hyper‐
70 vkvp_initrc_exec_t, tor_initrc_exec_t, radvd_initrc_exec_t, abrt_ini‐
71 trc_exec_t, ipsec_initrc_exec_t, pcp_pmlogger_initrc_exec_t, pup‐
72 pet_initrc_exec_t, psad_initrc_exec_t, named_initrc_exec_t, pppd_ini‐
73 trc_exec_t, canna_initrc_exec_t, samba_initrc_exec_t, nova_ajax_ini‐
74 trc_exec_t, sysctl_type, squid_initrc_exec_t, cvs_initrc_exec_t, arp‐
75 watch_initrc_exec_t, afs_initrc_exec_t, pads_initrc_exec_t, spamd_ini‐
76 trc_exec_t, nis_initrc_exec_t, mpd_initrc_exec_t, pcp_pmcd_ini‐
77 trc_exec_t, pcp_pmie_initrc_exec_t, qpidd_initrc_exec_t, smokeping_ini‐
78 trc_exec_t, bcfg2_initrc_exec_t, rwho_initrc_exec_t, nova_cert_ini‐
79 trc_exec_t, l2tpd_initrc_exec_t, phc2sys_initrc_exec_t, portre‐
80 serve_initrc_exec_t, icecast_initrc_exec_t, rpcd_initrc_exec_t,
81 isnsd_initrc_exec_t, sensord_initrc_exec_t, openwsman_initrc_exec_t,
82 nslcd_initrc_exec_t, smsd_initrc_exec_t, slpd_initrc_exec_t, mem‐
83 cached_initrc_exec_t, NetworkManager_initrc_exec_t, cluster_ini‐
84 trc_exec_t, jabberd_initrc_exec_t, vhostmd_initrc_exec_t, certmas‐
85 ter_initrc_exec_t, bacula_initrc_exec_t, fail2ban_initrc_exec_t,
86 sssd_initrc_exec_t, timemaster_initrc_exec_t, zabbix_initrc_exec_t,
87 sshd_initrc_exec_t, nova_objectstore_initrc_exec_t, mysqld_ini‐
88 trc_exec_t, dspam_initrc_exec_t, crond_initrc_exec_t, setrans_ini‐
89 trc_exec_t, cmirrord_initrc_exec_t, cinder_volume_initrc_exec_t, ipta‐
90 bles_initrc_exec_t, sblim_initrc_exec_t, asterisk_initrc_exec_t,
91 ypbind_initrc_exec_t, clvmd_initrc_exec_t, rpcbind_initrc_exec_t,
92 dhcpc_helper_exec_t file types.
93
94 The default entrypoint paths for the initrc_t domain are the following:
95
96 All executables with the default executable label, usually stored in
97 /usr/bin and /usr/sbin. /etc/rc.d/init.d/prelude-lml,
98 /etc/rc.d/init.d/prelude-manager, /etc/rc.d/init.d/prelude-correlator,
99 /etc/rc.d/init.d/libstoragemgmtd, /etc/rc.d/init.d/sendmail,
100 /etc/rc.d/init.d/pmmgr, /etc/rc.d/init.d/dnsmasq,
101 /etc/rc.d/init.d/ipmidetectd, /etc/rc.d/init.d/cobblerd,
102 /etc/rc.d/init.d/bitlbee, /etc/rc.d/init.d/openstack-cinder-backup, all
103 files on the system, /etc/rc.d/init.d/sanlock, /etc/rc.d/init.d/slapd,
104 /etc/rc.d/init.d/rsyslog, /etc/rc.d/init.d/ulogd,
105 /etc/rc.d/init.d/openstack-glance-api, /etc/rc.d/init.d/ntpd,
106 /etc/rc.d/init.d/openstack-cinder-api, /etc/rc.d/etc/init.d/openstack-
107 nova-network, /etc/rc.d/init.d/openvpn, /etc/rc.d/init.d/nscd,
108 /etc/rc.d/etc/init.d/openstack-nova-api, /etc/rc.d/etc/init.d/open‐
109 stack-nova-metadata-api, /etc/rc.d/init.d/dund, /etc/rc.d/init.d/pand,
110 /etc/rc.d/init.d/bluetooth, /etc/rc.d/init.d/chronyd,
111 /etc/rc.d/init.d/kerneloops, /etc/rc.d/init.d/boinc-client,
112 /etc/rc.d/init.d/nfs, /etc/rc.d/init.d/cgconfig, /etc/rc.d/init.d/deny‐
113 hosts, /etc/rc.d/init.d/mongod, /etc/rc.d/init.d/mongos,
114 /etc/rc.d/init.d/osad, /etc/rc.d/init.d/autofs,
115 /etc/rc.d/init.d/((audio-entropyd)|(haveged)),
116 /etc/rc.d/init.d/roundup, /etc/rc.d/init.d/certmonger,
117 /etc/rc.d/init.d/snortd, /etc/rc.d/init.d/snmpd,
118 /etc/rc.d/init.d/snmptrapd, /etc/rc.d/init.d/conman,
119 /etc/rc.d/init.d/ddclient, /etc/rc.d/init.d/dictd,
120 /etc/rc.d/init.d/ricci, /etc/rc.d/init.d/openhpid,
121 /etc/rc.d/init.d/luci, /etc/rc.d/init.d/aiccu, /etc/rc.d/init.d/innd,
122 /etc/rc.d/init.d/whatsup-pingd, /etc/rc.d/init.d/mysqlmanager,
123 /etc/rc.d/init.d/iwhd, /etc/rc.d/init.d/radiusd,
124 /etc/rc.d/init.d/dhcpd(6)?, /etc/rc.d/init.d/dhcrelay(6)?,
125 /etc/rc.d/init.d/lirc, /etc/rc.d/init.d/clamd.*,
126 /etc/rc.d/init.d/amavis, /etc/rc.d/init.d/amavisd-snmp,
127 /etc/rc.d/init.d/cyrus-imapd, /etc/rc.d/init.d/varnish,
128 /etc/rc.d/init.d/libvirtd, /etc/rc.d/init.d/mip6d,
129 /etc/rc.d/init.d/keepalived, /etc/rc.d/init.d/matahari-net,
130 /etc/rc.d/init.d/matahari-rpc, /etc/rc.d/init.d/matahari-host,
131 /etc/rc.d/init.d/matahari-broker, /etc/rc.d/init.d/matahari-network,
132 /etc/rc.d/init.d/matahari-service, /etc/rc.d/init.d/matahari-sysconfig,
133 /etc/rc.d/init.d/matahari-sysconfig-console, /etc/rc.d/init.d/rhnsd,
134 /etc/rc.d/init.d/bmc-watchdog, /etc/rc.d/init.d/varnishlog,
135 /etc/rc.d/init.d/varnishncsa, /etc/rc.d/etc/init.d/openstack-nova-con‐
136 sole, /etc/rc.d/etc/init.d/openstack-nova-consoleauth,
137 /etc/rc.d/init.d/zabbix-agentd, /etc/rc.d/etc/init.d/openstack-nova-
138 volume, /etc/rc.d/init.d/pulse, /etc/rc.d/init.d/openstack-glance-
139 scrubber, /etc/rc.d/init.d/openstack-glance-registry,
140 /etc/rc.d/etc/init.d/openstack-nova-xvpvncproxy, /etc/rc.d/init.d/pup‐
141 petmaster, /etc/rc.d/init.d/redis, /etc/rc.d/init.d/php-fpm.*,
142 /etc/init.d/cherokee, /etc/rc.d/init.d/httpd, /etc/rc.d/init.d/nginx,
143 /etc/rc.d/init.d/thttpd, /etc/rc.d/init.d/lighttpd,
144 /etc/rc.d/init.d/htcacheclean, /etc/rc.d/init.d/kdump,
145 /etc/rc.d/init.d/ptp4l, /etc/rc.d/init.d/collectd,
146 /etc/rc.d/init.d/quantum.*, /etc/rc.d/init.d/neutron.*,
147 /etc/rc.d/init.d/dovecot, /etc/rc.d/init.d/bgpd, /etc/rc.d/init.d/ripd,
148 /etc/rc.d/init.d/ospfd, /etc/rc.d/init.d/zebra,
149 /etc/rc.d/init.d/ospf6d, /etc/rc.d/init.d/ripngd, /etc/rc.d/init.d/lld‐
150 pad, /etc/rc.d/init.d/oracleasm, /etc/rc.d/init.d/ipmiseld,
151 /etc/rc.d/init.d/munin-node, /etc/rc.d/init.d/nasd,
152 /etc/rc.d/init.d/uuidd, /etc/rc.d/init.d/postfix, /etc/rc.d/init.d/ksm‐
153 tuned, /etc/rc.d/init.d/tuned, /etc/rc.d/init.d/ktune,
154 /etc/rc.d/init.d/ctdb, /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd,
155 /etc/rc.d/init.d/saslauthd, /etc/rc.d/init.d/(se)?postgresql,
156 /etc/rc.d/init.d/smartd, /etc/rc.d/init.d/kprop, /etc/rc.d/init.d/kad‐
157 min, /etc/rc.d/init.d/krb524d, /etc/rc.d/init.d/krb5kdc,
158 /etc/rc.d/etc/init.d/openstack-nova-scheduler,
159 /etc/rc.d/init.d/pmproxy, /etc/rc.d/init.d/apcupsd,
160 /etc/rc.d/init.d/cups, /etc/rc.d/init.d/tgtd, /etc/rc.d/init.d/hddtemp,
161 /etc/rc.d/init.d/keystone, /etc/rc.d/init.d/rhsmcertd,
162 /etc/rc.d/init.d/rtas_errd, /etc/rc.d/init.d/svnserve,
163 /etc/rc.d/etc/init.d/openstack-nova-direct-api, /etc/rc.d/init.d/exim,
164 /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd,
165 /etc/rc.d/init.d/auditd, /etc/rc.d/init.d/pmwebd,
166 /etc/rc.d/init.d/hypervvssd, /etc/rc.d/init.d/wdmd,
167 /etc/rc.d/init.d/shorewall, /etc/rc.d/init.d/shorewall-lite,
168 /etc/rc.d/init.d/lwiod, /etc/rc.d/init.d/lwsmd,
169 /etc/rc.d/init.d/lsassd, /etc/rc.d/init.d/lwregd,
170 /etc/rc.d/init.d/dcerpcd, /etc/rc.d/init.d/srvsvcd,
171 /etc/rc.d/init.d/eventlogd, /etc/rc.d/init.d/netlogond,
172 /etc/rc.d/init.d/cf-execd, /etc/rc.d/init.d/cf-serverd,
173 /etc/rc.d/init.d/cf-monitord, /etc/rc.d/init.d/openstack-swift-proxy,
174 /etc/rc.d/init.d/openstack-swift-object-expirer, /etc/init.d/.*,
175 /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*, /usr/libexec/dcc/stop-.*,
176 /usr/libexec/dcc/start-.*, /etc/rc.d/rc, /etc/X11/prefdm,
177 /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/apachectl,
178 /usr/sbin/ldap-agent, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty,
179 /usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec,
180 /usr/share/system-config-services/system-config-services-mechanism.py,
181 /etc/rc.d/init.d/postgrey, /etc/rc.d/init.d/openstack-cinder-scheduler,
182 /etc/rc.d/init.d/avahi.*, /etc/rc.d/init.d/nrpe,
183 /etc/rc.d/init.d/nagios, /etc/rc.d/init.d/gpsd,
184 /etc/rc.d/init.d/privoxy, /etc/rc.d/init.d/cgred, /dev/cpu/mtrr,
185 /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /bin/sash, /bin/tcsh, /bin/yash,
186 /bin/mksh, /bin/fish, /bin/bash, /bin/bash2, /usr/bin/fish, /sbin/nolo‐
187 gin, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
188 /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell,
189 /usr/libexec/git-core/git-shell, /etc/rc.d/init.d/hypervkvpd,
190 /etc/rc.d/init.d/tor, /etc/rc.d/init.d/radvd, /etc/rc.d/init.d/abrt,
191 /etc/rc.d/init.d/ipsec, /etc/rc.d/init.d/racoon,
192 /etc/rc.d/init.d/strongswan, /etc/rc.d/init.d/pmlogger,
193 /etc/rc.d/init.d/puppet, /etc/rc.d/init.d/psad, /etc/rc.d/init.d/named,
194 /etc/rc.d/init.d/unbound, /etc/rc.d/init.d/named-sdb,
195 /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp,
196 /etc/rc.d/init.d/canna, /etc/rc.d/init.d/nmb, /etc/rc.d/init.d/smb,
197 /etc/rc.d/init.d/winbind, /etc/rc.d/init.d/squid, /etc/rc.d/init.d/cvs,
198 /etc/rc.d/init.d/arpwatch, /etc/rc.d/init.d/afs, /etc/rc.d/init.d/ope‐
199 nafs-client, /etc/rc.d/init.d/pads, /etc/rc.d/init.d/mimedefang.*,
200 /etc/rc.d/init.d/spamd, /etc/rc.d/init.d/pyzord, /etc/rc.d/init.d/spa‐
201 massassin, /etc/rc.d/init.d/ypserv, /etc/rc.d/init.d/ypxfrd,
202 /etc/rc.d/init.d/yppasswdd, /etc/rc.d/init.d/mpd,
203 /etc/rc.d/init.d/pmcd, /etc/rc.d/init.d/pmie, /etc/rc.d/init.d/qpidd,
204 /etc/rc.d/init.d/smokeping, /etc/rc.d/init.d/bcfg2,
205 /etc/rc.d/init.d/rwhod, /etc/rc.d/etc/init.d/openstack-nova-cert,
206 /etc/rc.d/init.d/xl2tpd, /etc/rc.d/init.d/prol2tpd,
207 /etc/rc.d/init.d/openl2tpd, /etc/rc.d/init.d/phc2sys,
208 /etc/rc.d/init.d/portreserve, /etc/rc.d/init.d/icecast,
209 /etc/rc.d/init.d/nfslock, /etc/rc.d/init.d/rpcidmapd,
210 /etc/rc.d/init.d/isnsd, /etc/rc.d/init.d/sensord,
211 /etc/rc.d/init.d/openwsmand, /etc/rc.d/init.d/nslcd,
212 /etc/rc.d/init.d/((smsd)|(smstools)), /etc/rc.d/init.d/slpd,
213 /etc/rc.d/init.d/memcached, /etc/NetworkManager/dispatcher.d(/.*)?,
214 /etc/rc.d/init.d/wicd, /usr/libexec/nm-dispatcher.action,
215 /etc/rc.d/init.d/openais, /etc/rc.d/init.d/cpglockd,
216 /etc/rc.d/init.d/corosync, /etc/rc.d/init.d/rgmanager,
217 /etc/rc.d/init.d/heartbeat, /etc/rc.d/init.d/pacemaker,
218 /etc/rc.d/init.d/jabber, /etc/rc.d/init.d/vhostmd,
219 /etc/rc.d/init.d/certmaster, /etc/rc.d/init.d/bacula.*,
220 /etc/rc.d/init.d/fail2ban, /etc/rc.d/init.d/sssd,
221 /etc/rc.d/init.d/timemaster, /etc/rc.d/init.d/zabbix,
222 /etc/rc.d/init.d/sshd, /etc/rc.d/etc/init.d/openstack-nova-objectstore,
223 /etc/rc.d/init.d/mysqld, /etc/rc.d/init.d/dspam, /etc/rc.d/init.d/atd,
224 /etc/rc.d/init.d/mcstrans, /etc/rc.d/init.d/cmirrord,
225 /etc/rc.d/init.d/openstack-cinder-volume, /etc/rc.d/init.d/ip6?tables,
226 /etc/rc.d/init.d/gatherer, /etc/rc.d/init.d/sblim-sfcbd,
227 /etc/rc.d/init.d/asterisk, /etc/rc.d/init.d/ypbind,
228 /etc/rc.d/init.d/rpcbind, /etc/firestarter/firestarter.sh
229
231 SELinux defines process types (domains) for each process running on the
232 system.
233
234 You can see the context of a process using the -Z option to ps
235
236 Policy governs the access confined processes have to files. SELinux
237 initrc policy is very flexible, allowing users to set up their initrc
238 processes in as secure a manner as possible.
239
240 The following process types are defined for initrc:
241
242 initrc_t
243
244 Note: semanage permissive -a initrc_t can be used to make the process
245 type initrc_t permissive. SELinux does not deny access to permissive
246 process types, but the AVC (SELinux denials) messages are still gener‐
247 ated.
248
249
251 SELinux policy is customizable based on least access required. initrc
252 policy is extremely flexible and has several booleans that allow you to
253 manipulate the policy and run initrc with the tightest access possible.
254
255
256
257 If you want to allow all domains to use other domains file descriptors,
258 you must turn on the allow_domain_fd_use boolean. Enabled by default.
259
260 setsebool -P allow_domain_fd_use 1
261
262
263
264 If you want to allow unconfined executables to make their heap memory
265 executable, you must turn on the allow_execheap boolean. Doing this is
266 a really bad idea: it probably indicates a badly coded executable, but
267 could indicate an attack. Such an executable should be reported in
268 bugzilla. Disabled by default.
269
270 setsebool -P allow_execheap 1
271
272
273
274 If you want to allow unconfined executables to map a memory region as
275 both executable and writable (this is dangerous and the executable
276 should be reported in bugzilla), you must turn on the allow_execmem
277 boolean. Enabled by default.
278
279 setsebool -P allow_execmem 1
280
281
282
283 If you want to allow all unconfined executables to use libraries
284 requiring text relocation that are not labeled textrel_shlib_t, you
285 must turn on the allow_execmod boolean. Enabled by default.
286
287 setsebool -P allow_execmod 1
288
289
290
291 If you want to allow unconfined executables to make their stack
292 executable, you must turn on the allow_execstack boolean. This should
293 never, ever be necessary: it probably indicates a badly coded
294 executable, but could indicate an attack. Such an executable should be
295 reported in bugzilla. Enabled by default.
296
297 setsebool -P allow_execstack 1
298
299
300
301 If you want to allow confined applications to run with kerberos, you
302 must turn on the allow_kerberos boolean. Enabled by default.
303
304 setsebool -P allow_kerberos 1
305
306
307
308 If you want to allow sysadm to debug or ptrace all processes, you must
309 turn on the allow_ptrace boolean. Disabled by default.
310
311 setsebool -P allow_ptrace 1
312
313
314
315 If you want to allow system to run with NIS, you must turn on the
316 allow_ypbind boolean. Disabled by default.
317
318 setsebool -P allow_ypbind 1
319
320
321
322 If you want to allow all domains to have the kernel load modules, you
323 must turn on the domain_kernel_load_modules boolean. Disabled by
324 default.
325
326 setsebool -P domain_kernel_load_modules 1
327
328
329
330 If you want to allow all domains to execute in fips_mode, you must turn
331 on the fips_mode boolean. Enabled by default.
332
333 setsebool -P fips_mode 1
334
335
336
337 If you want to enable reading of urandom for all domains, you must turn
338 on the global_ssp boolean. Disabled by default.
339
340 setsebool -P global_ssp 1
341
342
343
344 If you want to enable support for upstart as the init program, you must
345 turn on the init_upstart boolean. Enabled by default.
346
347 setsebool -P init_upstart 1
348
349
350
351 If you want to allow certain domains to map low memory in the kernel,
352 you must turn on the mmap_low_allowed boolean. Disabled by default.
353
354 setsebool -P mmap_low_allowed 1
355
356
357
358 If you want to allow confined applications to use nscd shared memory,
359 you must turn on the nscd_use_shm boolean. Enabled by default.
360
361 setsebool -P nscd_use_shm 1
362
363
364
365 If you want to allow rsync to run as a server, you must turn on the
366 rsync_server boolean. Disabled by default.
367
368 setsebool -P rsync_server 1
369
370
371
372 If you want to disable transitions to insmod, you must turn on the
373 secure_mode_insmod boolean. Disabled by default.
374
375 setsebool -P secure_mode_insmod 1
376
377
378
379 The secure_mode_policyload boolean determines whether the system permits
380 loading policy, setting enforcing mode, and changing boolean values. If
381 you want to restrict these operations, you must turn on the
382 secure_mode_policyload boolean; once set to true, you have to reboot to
383 set it back. Disabled by default.
383
384 setsebool -P secure_mode_policyload 1
385
386
387
388 If you want to support X userspace object manager, you must turn on the
389 xserver_object_manager boolean. Disabled by default.
390
391 setsebool -P xserver_object_manager 1
392
393
394
396 The SELinux process type initrc_t can manage files labeled with the
397 following file types. The paths listed are the default paths for these
398 file types. Note that the process's UID still needs to have DAC permissions.
399
400 file_type
401
402 all files on the system
403
404
406 SELinux requires files to have an extended attribute to define the file
407 type.
408
409 You can see the context of a file using the -Z option to ls
410
411 Policy governs the access confined processes have to these files.
412 SELinux initrc policy is very flexible, allowing users to set up their
413 initrc processes in as secure a manner as possible.
414
415 STANDARD FILE CONTEXT
416
417 SELinux defines the file context types for initrc. If you want to
418 store files with these types in different paths, you need to execute
419 the semanage command to specify alternate labeling and then use
420 restorecon to put the labels on disk.
421
422 semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
423 restorecon -R -v /srv/myinitrc_content
424
425 Note: SELinux often uses regular expressions to specify labels that
426 match multiple files.
427
428 The following file types are defined for initrc:
429
430
431
432 initrc_devpts_t
433
434 - Set files with the initrc_devpts_t type, if you want to treat the
435 files as initrc devpts data.
436
437
438
439 initrc_exec_t
440
441 - Set files with the initrc_exec_t type, if you want to transition an
442 executable to the initrc_t domain.
443
444
445 Paths:
446 /etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
447 /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*, /etc/rc.d/rc,
448 /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl,
449 /usr/sbin/apachectl, /usr/sbin/ldap-agent, /usr/sbin/start-dirsrv,
450 /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/syscon‐
451 fig/network-scripts/ifup-ipsec, /usr/share/system-config-ser‐
452 vices/system-config-services-mechanism.py
453
454
455 initrc_state_t
456
457 - Set files with the initrc_state_t type, if you want to treat the
458 files as initrc state data.
459
460
461
462 initrc_tmp_t
463
464 - Set files with the initrc_tmp_t type, if you want to store initrc
465 temporary files in the /tmp directories.
466
467
468
469 initrc_var_run_t
470
471 - Set files with the initrc_var_run_t type, if you want to store the
472 initrc files under the /run or /var/run directory.
473
474
475 Paths:
476 /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
477 /var/run/setmixer_flag
478
479
480 Note: File context can be temporarily modified with the chcon command.
481 If you want to permanently change the file context you need to use the
482 semanage fcontext command. This will modify the SELinux labeling data‐
483 base. You will need to use restorecon to apply the labels.
484
485
487 semanage fcontext can also be used to manipulate default file context
488 mappings.
489
490 semanage permissive can also be used to manipulate whether or not a
491 process type is permissive.
492
493 semanage module can also be used to enable/disable/install/remove pol‐
494 icy modules.
495
496 semanage boolean can also be used to manipulate the booleans
497
498
499 system-config-selinux is a GUI tool available to customize SELinux pol‐
500 icy settings.
501
502
505 This manual page was auto-generated using sepolicy manpage.
505
506
508 selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1),
509 setsebool(8)
510
511
512
513initrc 15-06-03 initrc_selinux(8)