1namespace_init_selinux(8)SELinux Policy namespace_initnamespace_init_selinux(8)
2
3
4

NAME

6       namespace_init_selinux  - Security Enhanced Linux Policy for the names‐
7       pace_init processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the namespace_init processes via flexi‐
11       ble mandatory access control.
12
13       The  namespace_init processes execute with the namespace_init_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep namespace_init_t
20
21
22

ENTRYPOINTS

24       The  namespace_init_t  SELinux  type  can  be  entered  via  the names‐
25       pace_init_exec_t file type.
26
27       The default entrypoint paths for the namespace_init_t  domain  are  the
28       following:
29
30       /etc/security/namespace.init
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       namespace_init  policy  is  very flexible allowing users to setup their
40       namespace_init processes in as secure a method as possible.
41
42       The following process types are defined for namespace_init:
43
44       namespace_init_t
45
46       Note: semanage permissive -a namespace_init_t can be used to  make  the
47       process  type namespace_init_t permissive. SELinux does not deny access
48       to permissive process types, but the AVC (SELinux denials) messages are
49       still generated.
50
51

BOOLEANS

53       SELinux  policy is customizable based on least access required.  names‐
54       pace_init policy is extremely flexible and has  several  booleans  that
55       allow  you  to  manipulate  the  policy and run namespace_init with the
56       tightest access possible.
57
58
59
60       If you want to allow all daemons the ability to  read/write  terminals,
61       you  must  turn  on  the  allow_daemons_use_tty  boolean.  Disabled  by
62       default.
63
64       setsebool -P allow_daemons_use_tty 1
65
66
67
68       If you want to allow all domains to use other domains file descriptors,
69       you must turn on the allow_domain_fd_use boolean. Enabled by default.
70
71       setsebool -P allow_domain_fd_use 1
72
73
74
75       If  you  want  to allow confined applications to run with kerberos, you
76       must turn on the allow_kerberos boolean. Enabled by default.
77
78       setsebool -P allow_kerberos 1
79
80
81
82       If you want to enable polyinstantiated directory support, you must turn
83       on the allow_polyinstantiation boolean. Enabled by default.
84
85       setsebool -P allow_polyinstantiation 1
86
87
88
89       If  you want to allow sysadm to debug or ptrace all processes, you must
90       turn on the allow_ptrace boolean. Disabled by default.
91
92       setsebool -P allow_ptrace 1
93
94
95
96       If you want to allow system to run with  NIS,  you  must  turn  on  the
97       allow_ypbind boolean. Disabled by default.
98
99       setsebool -P allow_ypbind 1
100
101
102
103       If  you  want to allow all domains to have the kernel load modules, you
104       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
105       default.
106
107       setsebool -P domain_kernel_load_modules 1
108
109
110
111       If you want to allow all domains to execute in fips_mode, you must turn
112       on the fips_mode boolean. Enabled by default.
113
114       setsebool -P fips_mode 1
115
116
117
118       If you want to enable reading of urandom for all domains, you must turn
119       on the global_ssp boolean. Disabled by default.
120
121       setsebool -P global_ssp 1
122
123
124
125       If  you  want to allow confined applications to use nscd shared memory,
126       you must turn on the nscd_use_shm boolean. Enabled by default.
127
128       setsebool -P nscd_use_shm 1
129
130
131

MANAGED FILES

133       The SELinux process type namespace_init_t can manage files labeled with
134       the  following  file types.  The paths listed are the default paths for
135       these file types.  Note the processes UID still need to have  DAC  per‐
136       missions.
137
138       initrc_tmp_t
139
140
141       mnt_t
142
143            /mnt(/[^/]*)
144            /mnt(/[^/]*)?
145            /rhev(/[^/]*)?
146            /media(/[^/]*)
147            /media(/[^/]*)?
148            /etc/rhgb(/.*)?
149            /media/.hal-.*
150            /net
151            /afs
152            /rhev
153            /misc
154
155       security_t
156
157
158       tmp_t
159
160            /tmp
161            /usr/tmp
162            /var/tmp
163            /tmp-inst
164            /var/tmp-inst
165            /var/tmp/vi.recover
166
167       user_home_t
168
169            /home/[^/]*/.+
170            /home/staff/.+
171
172

FILE CONTEXTS

174       SELinux requires files to have an extended attribute to define the file
175       type.
176
177       You can see the context of a file using the -Z option to ls
178
179       Policy governs the access  confined  processes  have  to  these  files.
180       SELinux  namespace_init policy is very flexible allowing users to setup
181       their namespace_init processes in as secure a method as possible.
182
183       The following file types are defined for namespace_init:
184
185
186
187       namespace_init_exec_t
188
189       - Set files with the namespace_init_exec_t type, if you want to transi‐
190       tion an executable to the namespace_init_t domain.
191
192
193
194       Note:  File context can be temporarily modified with the chcon command.
195       If you want to permanently change the file context you need to use  the
196       semanage fcontext command.  This will modify the SELinux labeling data‐
197       base.  You will need to use restorecon to apply the labels.
198
199

COMMANDS

201       semanage fcontext can also be used to manipulate default  file  context
202       mappings.
203
204       semanage  permissive  can  also  be used to manipulate whether or not a
205       process type is permissive.
206
207       semanage module can also be used to enable/disable/install/remove  pol‐
208       icy modules.
209
210       semanage boolean can also be used to manipulate the booleans
211
212
213       system-config-selinux is a GUI tool available to customize SELinux pol‐
214       icy settings.
215
216

AUTHOR

218       This manual page was auto-generated using sepolicy manpage .
219
220

SEE ALSO

222       selinux(8), namespace_init(8), semanage(8), restorecon(8),  chcon(1)  ,
223       setsebool(8)
224
225
226
227namespace_init                     15-06-03          namespace_init_selinux(8)
Impressum