1initrc_selinux(8)            SELinux Policy initrc           initrc_selinux(8)
2
3
4

NAME

6       initrc_selinux  -  Security  Enhanced  Linux Policy for the initrc pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  initrc  processes  via  flexible
11       mandatory access control.
12
13       The  initrc  processes  execute with the initrc_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep initrc_t
20
21
22

ENTRYPOINTS

24       The  initrc_t  SELinux  type can be entered via the osad_initrc_exec_t,
25       ctdbd_initrc_exec_t,  mcelog_initrc_exec_t,   bin_t,   portreserve_ini‐
26       trc_exec_t,  squid_initrc_exec_t,  varnishlog_initrc_exec_t, isnsd_ini‐
27       trc_exec_t,       iptables_initrc_exec_t,        foghorn_initrc_exec_t,
28       pki_tps_script_exec_t, collectd_initrc_exec_t, firewalld_initrc_exec_t,
29       memcached_initrc_exec_t,     wdmd_initrc_exec_t,     ccs_initrc_exec_t,
30       ftpd_initrc_exec_t,  fcoemon_initrc_exec_t, virtd_initrc_exec_t, fetch‐
31       mail_initrc_exec_t,     cluster_initrc_exec_t,     radvd_initrc_exec_t,
32       iwhd_initrc_exec_t,    innd_initrc_exec_t,    shell_exec_t,   nfsd_ini‐
33       trc_exec_t, svnserve_initrc_exec_t, privoxy_initrc_exec_t, cpuplug_ini‐
34       trc_exec_t,    rhsmcertd_initrc_exec_t,    openct_initrc_exec_t,   cob‐
35       blerd_initrc_exec_t,  clvmd_initrc_exec_t,  puppetmaster_initrc_exec_t,
36       openvpn_initrc_exec_t,   pcscd_initrc_exec_t,  denyhosts_initrc_exec_t,
37       uucpd_initrc_exec_t,  polipo_initrc_exec_t,  qpidd_initrc_exec_t,  arp‐
38       watch_initrc_exec_t,  mon_statd_initrc_exec_t,  ddclient_initrc_exec_t,
39       cfengine_initrc_exec_t,    sblim_initrc_exec_t,    cgred_initrc_exec_t,
40       rhnsd_initrc_exec_t,      cgconfig_initrc_exec_t,     dlm_controld_ini‐
41       trc_exec_t,  blkmapd_initrc_exec_t,  crond_initrc_exec_t,  bitlbee_ini‐
42       trc_exec_t,  icecast_initrc_exec_t, bluetooth_initrc_exec_t, dspam_ini‐
43       trc_exec_t, httpd_initrc_exec_t,  postgresql_initrc_exec_t,  kdump_ini‐
44       trc_exec_t,  drbd_initrc_exec_t,  asterisk_initrc_exec_t,  sysstat_ini‐
45       trc_exec_t,  mpd_initrc_exec_t,  certmonger_initrc_exec_t,   ipsec_ini‐
46       trc_exec_t,         kerberos_initrc_exec_t,        pingd_initrc_exec_t,
47       pcp_pmproxy_initrc_exec_t,     fail2ban_initrc_exec_t,     setrans_ini‐
48       trc_exec_t,   nagios_initrc_exec_t,   nscd_initrc_exec_t,  hddtemp_ini‐
49       trc_exec_t,  glance_api_initrc_exec_t,  dhcpc_helper_exec_t,  mysqlman‐
50       agerd_initrc_exec_t,      soundd_initrc_exec_t,     rwho_initrc_exec_t,
51       pki_ra_script_exec_t, zabbix_initrc_exec_t, psad_initrc_exec_t,  shore‐
52       wall_initrc_exec_t,      tor_initrc_exec_t,     glusterd_initrc_exec_t,
53       lircd_initrc_exec_t, ksmtuned_initrc_exec_t, boinc_initrc_exec_t, like‐
54       wise_initrc_exec_t,  rpcbind_initrc_exec_t,  slapd_initrc_exec_t,  ora‐
55       cleasm_initrc_exec_t,    l2tpd_initrc_exec_t,    sanlock_initrc_exec_t,
56       mysqld_initrc_exec_t,  rpcd_initrc_exec_t, vdagentd_initrc_exec_t, zab‐
57       bix_agent_initrc_exec_t, avahi_initrc_exec_t, ntop_initrc_exec_t, auto‐
58       mount_initrc_exec_t,   cmirrord_initrc_exec_t,  pcp_pmcd_initrc_exec_t,
59       uuidd_initrc_exec_t, glance_scrubber_initrc_exec_t, ntpd_initrc_exec_t,
60       pcp_pmmgr_initrc_exec_t,    dictd_initrc_exec_t,    smsd_initrc_exec_t,
61       slpd_initrc_exec_t,   dhcpd_initrc_exec_t,    pkcs_slotd_initrc_exec_t,
62       postgrey_initrc_exec_t,  aiccu_initrc_exec_t, amtu_initrc_exec_t, virt‐
63       logd_initrc_exec_t,    apcupsd_initrc_exec_t,    roundup_initrc_exec_t,
64       gpsd_initrc_exec_t,     rabbitmq_initrc_exec_t,     abrt_initrc_exec_t,
65       radiusd_initrc_exec_t,     ricci_initrc_exec_t,     NetworkManager_ini‐
66       trc_exec_t,    nis_initrc_exec_t,    lldpad_initrc_exec_t,   bcfg2_ini‐
67       trc_exec_t,  fsdaemon_initrc_exec_t,  exim_initrc_exec_t,   gdomap_ini‐
68       trc_exec_t,   named_initrc_exec_t,   mscan_initrc_exec_t,  vnstatd_ini‐
69       trc_exec_t,   acct_initrc_exec_t,   neutron_initrc_exec_t,   snmpd_ini‐
70       trc_exec_t, callweaver_initrc_exec_t, pads_initrc_exec_t, watchdog_ini‐
71       trc_exec_t,   snort_initrc_exec_t,   couchdb_initrc_exec_t,   sshd_ini‐
72       trc_exec_t,   varnishd_initrc_exec_t,  munin_initrc_exec_t,  redis_ini‐
73       trc_exec_t,   tcsd_initrc_exec_t,   ajaxterm_initrc_exec_t,    gpm_ini‐
74       trc_exec_t,  tuned_initrc_exec_t,  cyrus_initrc_exec_t,  saslauthd_ini‐
75       trc_exec_t,   glance_registry_initrc_exec_t,    entropyd_initrc_exec_t,
76       afs_initrc_exec_t,   portmap_initrc_exec_t,   zoneminder_initrc_exec_t,
77       minissdpd_initrc_exec_t,     smokeping_initrc_exec_t,      dovecot_ini‐
78       trc_exec_t,  initrc_exec_t,  ulogd_initrc_exec_t, condor_initrc_exec_t,
79       nslcd_initrc_exec_t,     certmaster_initrc_exec_t,      irqbalance_ini‐
80       trc_exec_t, piranha_pulse_initrc_exec_t, mdadm_initrc_exec_t, pppd_ini‐
81       trc_exec_t,  sensord_initrc_exec_t,   kismet_initrc_exec_t,   sssd_ini‐
82       trc_exec_t,   auditd_initrc_exec_t,  cupsd_initrc_exec_t,  postfix_ini‐
83       trc_exec_t,  vhostmd_initrc_exec_t,  ciped_initrc_exec_t,  jabberd_ini‐
84       trc_exec_t,   sendmail_initrc_exec_t,   spamd_initrc_exec_t,   cvs_ini‐
85       trc_exec_t,  cyphesis_initrc_exec_t,  puppetagent_initrc_exec_t,   mon‐
86       god_initrc_exec_t,    pcp_pmie_initrc_exec_t,    chronyd_initrc_exec_t,
87       samba_initrc_exec_t, usr_t, zebra_initrc_exec_t,  ypbind_initrc_exec_t,
88       apmd_initrc_exec_t,   hypervkvp_initrc_exec_t,   dnsmasq_initrc_exec_t,
89       mrtg_initrc_exec_t,  pcp_pmlogger_initrc_exec_t,   canna_initrc_exec_t,
90       bacula_initrc_exec_t,     minidlna_initrc_exec_t,     rtkit_daemon_ini‐
91       trc_exec_t,       prelude_initrc_exec_t,        keystone_initrc_exec_t,
92       pcp_pmwebd_initrc_exec_t,  rngd_initrc_exec_t, antivirus_initrc_exec_t,
93       tgtd_initrc_exec_t, iodined_initrc_exec_t, openhpid_initrc_exec_t, sys‐
94       logd_initrc_exec_t file types.
95
96       The default entrypoint paths for the initrc_t domain are the following:
97
98       All executables with the default executable label  (bin_t),  usually
99       stored in /usr/bin and /usr/sbin (note that shell_exec_t  and  usr_t
         are also listed as entrypoints above, so entry into initrc_t is not
         limited to init scripts).  /etc/rc.d/init.d/osad,  /etc/rc.d/init.d/ctdb,
100       /etc/rc.d/init.d/mcelog,                  /etc/rc.d/init.d/portreserve,
101       /etc/rc.d/init.d/squid,                    /etc/rc.d/init.d/varnishlog,
102       /etc/rc.d/init.d/varnishncsa,                   /etc/rc.d/init.d/isnsd,
103       /etc/rc.d/init.d/ip6?tables,                 /etc/rc.d/init.d/ebtables,
104       /etc/rc.d/init.d/collectd,                  /etc/rc.d/init.d/firewalld,
105       /etc/rc.d/init.d/memcached,                      /etc/rc.d/init.d/wdmd,
106       /etc/rc.d/init.d/((ccs)|(ccsd)),               /etc/rc.d/init.d/vsftpd,
107       /etc/rc.d/init.d/proftpd, /etc/rc.d/init.d/fcoe,  /etc/rc.d/init.d/lib‐
108       virtd,       /etc/rc.d/init.d/fetchmail,      /etc/rc.d/init.d/openais,
109       /etc/rc.d/init.d/cpglockd,                   /etc/rc.d/init.d/corosync,
110       /etc/rc.d/init.d/rgmanager,                 /etc/rc.d/init.d/heartbeat,
111       /etc/rc.d/init.d/pacemaker,                     /etc/rc.d/init.d/radvd,
112       /etc/rc.d/init.d/iwhd,  /etc/rc.d/init.d/innd,  /bin/d?ash, /bin/zsh.*,
113       /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*,  /usr/bin/zsh.*,  /bin/esh,
114       /bin/mksh,   /bin/sash,  /bin/tcsh,  /bin/yash,  /bin/bash,  /bin/fish,
115       /bin/bash2, /usr/bin/esh, /usr/bin/sash, /usr/bin/tcsh,  /usr/bin/yash,
116       /usr/bin/mksh,     /usr/bin/fish,     /usr/bin/bash,     /sbin/nologin,
117       /usr/sbin/sesh,  /usr/bin/bash2,   /usr/sbin/smrsh,   /usr/bin/scponly,
118       /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-
119       shell,         /usr/libexec/sudo/sesh,         /usr/bin/cockpit-bridge,
120       /usr/libexec/cockpit-agent,            /usr/libexec/git-core/git-shell,
121       /etc/rc.d/init.d/nfs,                        /etc/rc.d/init.d/svnserve,
122       /etc/rc.d/init.d/privoxy,                    /etc/rc.d/init.d/cpuplugd,
123       /etc/rc.d/init.d/rhsmcertd,                    /etc/rc.d/init.d/openct,
124       /etc/rc.d/init.d/cobblerd,               /etc/rc.d/init.d/puppetmaster,
125       /etc/rc.d/init.d/openvpn,                       /etc/rc.d/init.d/pcscd,
126       /etc/rc.d/init.d/denyhosts,                      /etc/rc.d/init.d/uucp,
127       /etc/rc.d/init.d/polipo, /etc/rc.d/init.d/qpidd,  /etc/rc.d/init.d/arp‐
128       watch,      /etc/rc.d/init.d/mon_statd,      /etc/rc.d/init.d/ddclient,
129       /etc/rc.d/init.d/((cf-serverd)|(cf-monitord)|(cf-execd)),
130       /etc/rc.d/init.d/gatherer,                /etc/rc.d/init.d/sblim-sfcbd,
131       /etc/rc.d/init.d/cgred, /etc/rc.d/init.d/rhnsd, /etc/rc.d/init.d/cgcon‐
132       fig,           /etc/rc.d/init.d/blkmapd,          /etc/rc.d/init.d/atd,
133       /etc/rc.d/init.d/bitlbee,                     /etc/rc.d/init.d/icecast,
134       /etc/rc.d/init.d/dund,   /etc/rc.d/init.d/pand,  /etc/rc.d/init.d/blue‐
135       tooth,          /etc/rc.d/init.d/dspam,           /etc/init.d/cherokee,
136       /etc/rc.d/init.d/httpd,                      /etc/rc.d/init.d/lighttpd,
137       /etc/rc.d/init.d/(se)?postgresql,               /etc/rc.d/init.d/kdump,
138       /etc/rc.d/init.d/drbd, /etc/rc.d/init.d/asterisk, /etc/rc.d/init.d/sys‐
139       stat,        /etc/rc.d/init.d/mpd,         /etc/rc.d/init.d/certmonger,
140       /etc/rc.d/init.d/ipsec,                        /etc/rc.d/init.d/racoon,
141       /etc/rc.d/init.d/strongswan,                    /etc/rc.d/init.d/kprop,
142       /etc/rc.d/init.d/kadmind,                     /etc/rc.d/init.d/krb524d,
143       /etc/rc.d/init.d/krb5kdc,               /etc/rc.d/init.d/whatsup-pingd,
144       /etc/rc.d/init.d/pmproxy,                    /etc/rc.d/init.d/fail2ban,
145       /etc/rc.d/init.d/mcstrans,                       /etc/rc.d/init.d/nrpe,
146       /etc/rc.d/init.d/nagios,                         /etc/rc.d/init.d/nscd,
147       /etc/rc.d/init.d/hddtemp,        /etc/rc.d/init.d/openstack-glance-api,
148       /etc/firestarter/firestarter.sh,         /etc/rc.d/init.d/mysqlmanager,
149       /etc/rc.d/init.d/nasd,  /etc/rc.d/init.d/rwhod,  /etc/rc.d/init.d/(zab‐
150       bix|zabbix-server),    /etc/rc.d/init.d/psad,   /etc/rc.d/init.d/shore‐
151       wall.*,        /etc/rc.d/init.d/tor,        /etc/rc.d/init.d/gluster.*,
152       /usr/sbin/glusterd,  /etc/rc.d/init.d/lirc,  /etc/rc.d/init.d/ksmtuned,
153       /etc/rc.d/init.d/boinc-client,                  /etc/rc.d/init.d/lwiod,
154       /etc/rc.d/init.d/lwsmd,                        /etc/rc.d/init.d/lsassd,
155       /etc/rc.d/init.d/lwregd,                      /etc/rc.d/init.d/dcerpcd,
156       /etc/rc.d/init.d/srvsvcd,                    /etc/rc.d/init.d/likewise,
157       /etc/rc.d/init.d/eventlogd,                 /etc/rc.d/init.d/netlogond,
158       /etc/rc.d/init.d/rpcbind, /etc/rc.d/init.d/slapd, /etc/rc.d/init.d/ora‐
159       cleasm,       /etc/rc.d/init.d/.*l2tpd,       /etc/rc.d/init.d/sanlock,
160       /etc/rc.d/init.d/mysqld,                      /etc/rc.d/init.d/nfslock,
161       /etc/rc.d/init.d/rpcidmapd,            /etc/rc.d/init.d/spice-vdagentd,
162       /etc/rc.d/init.d/zabbix-agentd,               /etc/rc.d/init.d/avahi.*,
163       /etc/rc.d/init.d/ntop, /etc/rc.d/init.d/autofs,  /etc/rc.d/init.d/cmir‐
164       rord,           /etc/rc.d/init.d/pmcd,          /etc/rc.d/init.d/uuidd,
165       /etc/rc.d/init.d/openstack-glance-scrubber,      /etc/rc.d/init.d/ntpd,
166       /etc/rc.d/init.d/pmmgr,  /etc/rc.d/init.d/dictd, /etc/rc.d/init.d/smsd,
167       /etc/rc.d/init.d/slpd,                      /etc/rc.d/init.d/dhcpd(6)?,
168       /etc/rc.d/init.d/dhcrelay(6)?,              /etc/rc.d/init.d/pkcsslotd,
169       /etc/rc.d/init.d/postgrey,                      /etc/rc.d/init.d/aiccu,
170       /etc/rc.d/init.d/amtu,                       /etc/rc.d/init.d/virtlogd,
171       /etc/rc.d/init.d/apcupsd,                     /etc/rc.d/init.d/roundup,
172       /etc/rc.d/init.d/gpsd,                /etc/rc.d/init.d/rabbitmq-server,
173       /etc/rc.d/init.d/abrt,                        /etc/rc.d/init.d/radiusd,
174       /etc/rc.d/init.d/ricci,         /etc/NetworkManager/dispatcher.d(/.*)?,
175       /etc/rc.d/init.d/wicd,                         /etc/rc.d/init.d/ypserv,
176       /etc/rc.d/init.d/ypxfrd,                     /etc/rc.d/init.d/yppasswd,
177       /etc/rc.d/init.d/lldpad,                 /etc/rc.d/init.d/bcfg2-server,
178       /etc/rc.d/init.d/(smartd|smartmontools),         /etc/rc.d/init.d/exim,
179       /etc/rc.d/init.d/gdomap,                        /etc/rc.d/init.d/named,
180       /etc/rc.d/init.d/unbound,                   /etc/rc.d/init.d/named-sdb,
181       /etc/rc.d/init.d/MailScanner,                  /etc/rc.d/init.d/vnstat,
182       /etc/rc.d/init.d/psacct,                    /etc/rc.d/init.d/neutron.*,
183       /etc/rc.d/init.d/quantum.*,         /etc/rc.d/init.d/(snmpd|snmptrapd),
184       /etc/rc.d/init.d/callweaver,                     /etc/rc.d/init.d/pads,
185       /etc/rc.d/init.d/watchdog,                     /etc/rc.d/init.d/snortd,
186       /etc/rc.d/init.d/couchdb,  /etc/rc.d/init.d/sshd, /etc/rc.d/init.d/var‐
187       nish,       /etc/rc.d/init.d/munin-node,        /etc/rc.d/init.d/redis,
188       /etc/rc.d/init.d/(tcsd|trousers),            /etc/rc.d/init.d/ajaxterm,
189       /etc/rc.d/init.d/gpm, /etc/rc.d/init.d/tuned, /etc/rc.d/init.d/cyrus.*,
190       /etc/rc.d/init.d/sasl,      /etc/rc.d/init.d/openstack-glance-registry,
191       /etc/rc.d/init.d/((audio-entropyd)|(haveged)),
192       /etc/rc.d/init.d/(open)?afs,           /etc/rc.d/init.d/openafs-client,
193       /etc/rc.d/init.d/portmap,                  /etc/rc.d/init.d/zoneminder,
194       /etc/rc.d/init.d/minissdpd,                 /etc/rc.d/init.d/smokeping,
195       /etc/rc.d/init.d/dovecot,      /etc/init.d/.*,      /etc/rc.d/rc.[^/]+,
196       /etc/rc.d/init.d/.*,    /opt/nfast/sbin/init.d-ncipher,   /usr/lib/sys‐
197       temd/rhel[^/]*,  /usr/libexec/dcc/stop-.*,   /usr/libexec/dcc/start-.*,
198       /opt/nfast/scripts/init.d/(.*),      /etc/rc.d/rc,     /etc/X11/prefdm,
199       /usr/sbin/startx,        /usr/bin/sepg_ctl,        /usr/sbin/apachectl,
200       /usr/sbin/start-dirsrv,   /usr/sbin/open_init_pty,   /usr/sbin/restart-
201       dirsrv,  /etc/sysconfig/network-scripts/ifup-ipsec,  /usr/share/system-
202       config-services/system-config-services-mechanism.py,
203       /etc/rc.d/init.d/ulogd,                        /etc/rc.d/init.d/condor,
204       /etc/rc.d/init.d/nslcd,                    /etc/rc.d/init.d/certmaster,
205       /etc/rc.d/init.d/irqbalance,                    /etc/rc.d/init.d/pulse,
206       /etc/rc.d/init.d/mdmonitor,        /etc/ppp/(auth|ip(v6|x)?)-(up|down),
207       /etc/rc.d/init.d/ppp,                         /etc/rc.d/init.d/sensord,
208       /etc/rc.d/init.d/kismet.*,                       /etc/rc.d/init.d/sssd,
209       /etc/rc.d/init.d/auditd, /etc/rc.d/init.d/cups,  /etc/rc.d/init.d/post‐
210       fix,         /etc/rc.d/init.d/vhostmd,        /etc/rc.d/init.d/ciped.*,
211       /etc/rc.d/init.d/jabberd,                    /etc/rc.d/init.d/sendmail,
212       /etc/rc.d/init.d/mimedefang.*,                  /etc/rc.d/init.d/spamd,
213       /etc/rc.d/init.d/spampd, /etc/rc.d/init.d/pyzord, /etc/rc.d/init.d/cvs,
214       /etc/rc.d/init.d/cyphesis,                     /etc/rc.d/init.d/puppet,
215       /etc/rc.d/init.d/mongod,                       /etc/rc.d/init.d/mongos,
216       /etc/rc.d/init.d/pmie,  /etc/rc.d/init.d/chronyd, /etc/rc.d/init.d/nmb,
217       /etc/rc.d/init.d/smb,   /etc/rc.d/init.d/winbind,   /usr/.*,   /opt/.*,
218       /emul/.*,   /ostree(/.*)?,   /export(/.*)?,   /usr/doc(/.*)?/lib(/.*)?,
219       /usr/inclu.e(/.*)?, /usr/share/doc(/.*)?/README.*, /usr,  /opt,  /emul,
220       /etc/rc.d/init.d/bgpd,  /etc/rc.d/init.d/ripd,  /etc/rc.d/init.d/ospfd,
221       /etc/rc.d/init.d/zebra,                         /etc/rc.d/init.d/isisd,
222       /etc/rc.d/init.d/ospf6d,                       /etc/rc.d/init.d/ripngd,
223       /etc/rc.d/init.d/babeld,                       /etc/rc.d/init.d/ypbind,
224       /etc/rc.d/init.d/acpid,                    /etc/rc.d/init.d/hypervkvpd,
225       /etc/rc.d/init.d/dnsmasq,                        /etc/rc.d/init.d/mrtg,
226       /etc/rc.d/init.d/pmlogger,                      /etc/rc.d/init.d/canna,
227       /etc/rc.d/init.d/bacula.*,                   /etc/rc.d/init.d/minidlna,
228       /etc/rc.d/init.d/rtkit-daemon,            /etc/rc.d/init.d/prelude-lml,
229       /etc/rc.d/init.d/prelude-manager,  /etc/rc.d/init.d/prelude-correlator,
230       /etc/rc.d/init.d/openstack-keystone,           /etc/rc.d/init.d/pmwebd,
231       /etc/rc.d/init.d/rngd,                        /etc/rc.d/init.d/clamd.*,
232       /etc/rc.d/init.d/amavis,                 /etc/rc.d/init.d/amavisd-snmp,
233       /etc/rc.d/init.d/tgtd,    /etc/rc.d/init.d/((iodined)|(iodine-server)),
234       /etc/rc.d/init.d/openhpid, /etc/rc.d/init.d/rsyslog
235

PROCESS TYPES

237       SELinux defines process types (domains) for each process running on the
238       system
239
240       You can see the context of a process using the -Z option to ps
241
242       Policy governs the access confined processes have  to  files.   SELinux
243       initrc  policy  is  very  flexible allowing users to set up their initrc
244       processes in as secure a method as possible.
245
246       The following process types are defined for initrc:
247
248       initrc_t
249
250       Note: semanage permissive -a initrc_t can be used to make  the  process
251       type  initrc_t  permissive.  SELinux does not deny access to permissive
252       process types, but the AVC (SELinux denials) messages are still  gener‐
253       ated.  Because initrc_t is the domain in which init scripts  run  and
         it can already manage files of every type (see MANAGED FILES), making
         it permissive removes nearly all remaining SELinux confinement of ser‐
         vice startup; use it only while troubleshooting and revert afterwards
         with semanage permissive -d initrc_t.
254
255

BOOLEANS

257       SELinux  policy is customizable based on least access required.  initrc
258       policy is extremely flexible and has several booleans that allow you to
259       manipulate the policy and run initrc with the tightest access possible.
          The "Enabled/Disabled by default" notes below  reflect  the  policy
          this  page was generated from; check the values actually in effect
          on your system with getsebool -a before relying on them.
260
261
262
263       If you want to allow users to resolve user passwd entries directly from
264       ldap rather than using a sssd server, you  must  turn  on  the  authlo‐
265       gin_nsswitch_use_ldap boolean. Disabled by default.
266
267       setsebool -P authlogin_nsswitch_use_ldap 1
268
269
270
271       If you want to deny user domains the ability to map a memory region  as
272       both  executable  and  writable,  you  must turn on the deny_execmem
273       boolean.  Enabled by default.  A correctly written  program  should
274       not need such mappings; an executable that does should be reported
          in bugzilla.
275
276       setsebool -P deny_execmem 1
277
278
279
280       If you want to deny any process from ptracing or  debugging  any  other
281       processes,  you  must  turn  on  the  deny_ptrace  boolean.  Enabled by
282       default.
283
284       setsebool -P deny_ptrace 1
285
286
287
288       If you want to allow any process to mmap any file on  the  system  that
289       carries  the  file_type  attribute,  you  must  turn  on  the  do‐
290       main_can_mmap_files boolean. Enabled by default.
291
292       setsebool -P domain_can_mmap_files 1
293
294
295
296       If you want to allow all domains to write to kmsg_device while the  ker‐
297       nel is booted with the systemd.log_target=kmsg parameter, you must turn
298       on the domain_can_write_kmsg boolean. Disabled by default.
299
300       setsebool -P domain_can_write_kmsg 1
301
302
303
304       If you want to allow all domains to use other domains file descriptors,
305       you must turn on the domain_fd_use boolean. Enabled by default.
306
307       setsebool -P domain_fd_use 1
308
309
310
311       If  you  want to allow all domains to have the kernel load modules, you
312       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
313       default.
314
315       setsebool -P domain_kernel_load_modules 1
316
317
318
319       If you want to allow all domains to execute in fips_mode, you must turn
320       on the fips_mode boolean. Enabled by default.
321
322       setsebool -P fips_mode 1
323
324
325
326       If you want to enable reading of urandom for all domains, you must turn
327       on the global_ssp boolean. Disabled by default.
328
329       setsebool -P global_ssp 1
330
331
332
333       If  you  want  to allow confined applications to run with kerberos, you
334       must turn on the kerberos_enabled boolean. Enabled by default.
335
336       setsebool -P kerberos_enabled 1
337
338
339
340       If you want to allow processes to mmap the low area of the address space
341       that  is  otherwise  protected  by /proc/sys/vm/mmap_min_addr, you must
342       turn on the mmap_low_allowed boolean. Disabled by default.  Leave  it
          disabled unless a specific application is known to require it.
343
344       setsebool -P mmap_low_allowed 1
345
346
347
348       If you want to allow system to run with  NIS,  you  must  turn  on  the
349       nis_enabled boolean. Disabled by default.
350
351       setsebool -P nis_enabled 1
352
353
354
355       If  you  want to allow confined applications to use nscd shared memory,
356       you must turn on the nscd_use_shm boolean. Disabled by default.
357
358       setsebool -P nscd_use_shm 1
359
360
361
362       If you want to disable kernel module loading,  you  must  turn  on  the
363       secure_mode_insmod boolean. Enabled by default.
364
365       setsebool -P secure_mode_insmod 1
366
367
368
369       If  you  want  to prevent the system from loading policy, changing the
370       enforcing mode, or changing boolean values,  you  must  turn  on  the
371       secure_mode_policyload  boolean.  Once set to true it cannot be cleared
372       without a reboot.  Enabled by default.
373
374       setsebool -P secure_mode_policyload 1
375
376
377
378       If you want to allow unconfined executables to make their  heap  memory
379       executable,  you  must  turn on the selinuxuser_execheap boolean.  Dis‐
380       abled by default.  Doing this is a really bad idea: it probably  indi‐
381       cates  a  badly  coded executable, but could indicate an attack.  Such
382       an executable should be reported in bugzilla.
383
384       setsebool -P selinuxuser_execheap 1
385
386
387
388       If you want to  allow  all  unconfined  executables  to  use  libraries
389       requiring  text  relocation  that  are not labeled textrel_shlib_t, you
390       must turn on the selinuxuser_execmod boolean. Enabled by default.
391
392       setsebool -P selinuxuser_execmod 1
393
394
395
396       If you want to allow unconfined executables to make  their  stack  exe‐
397       cutable,  you  must  turn on the selinuxuser_execstack boolean.  Enabled
398       by default.  This should never, ever be necessary: it  probably  indi‐
399       cates  a  badly  coded executable, but could indicate an attack.  Such
400       an executable should be reported in bugzilla.
401
402       setsebool -P selinuxuser_execstack 1
403
404
405
406       If you want to support X userspace object manager, you must turn on the
407       xserver_object_manager boolean. Enabled by default.
408
409       setsebool -P xserver_object_manager 1
410
411
412

MANAGED FILES

414       The  SELinux  process  type  initrc_t can manage files labeled with the
415       following file types.  The paths listed are the default paths for these
416       file types.  Note that the process's UID still needs to have DAC permis‐
          sions.  Because the only type listed is file_type, which covers every
          file on the system, SELinux places effectively no file-access restric‐
          tion on initrc_t; DAC is the remaining limit.
417
418       file_type
419
420            all files on the system
421
422

FILE CONTEXTS

424       SELinux requires files to have an extended attribute to define the file
425       type.
426
427       You can see the context of a file using the -Z option to ls
428
429       Policy governs the access  confined  processes  have  to  these  files.
430       SELinux  initrc  policy  is very flexible allowing users to set up their
431       initrc processes in as secure a method as possible.
432
433       STANDARD FILE CONTEXT
434
435       SELinux defines the file context types for the initrc, if you wanted to
436       store  files  with  these types in different paths, you need to execute
437       the semanage command  to  specify  alternate  labeling  and  then  use
438       restorecon to put the labels on disk.
439
440       semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
441       restorecon -R -v /srv/myinitrc_content
442
443       Note:  SELinux  often  uses  regular expressions to specify labels that
444       match multiple files.
445
446       The following file types are defined for initrc:
447
448
449
450       initrc_devpts_t
451
452       - Set files with the initrc_devpts_t type, if you  want  to  treat  the
453       files as initrc devpts data.
454
455
456
457       initrc_exec_t
458
459       -  Set  files with the initrc_exec_t type, if you want to transition an
460       executable to the initrc_t domain.
461
462
463       Paths:
464            /etc/init.d/.*,      /etc/rc.d/rc.[^/]+,      /etc/rc.d/init.d/.*,
465            /opt/nfast/sbin/init.d-ncipher,        /usr/lib/systemd/rhel[^/]*,
466            /usr/libexec/dcc/stop-.*,               /usr/libexec/dcc/start-.*,
467            /opt/nfast/scripts/init.d/(.*),   /etc/rc.d/rc,   /etc/X11/prefdm,
468            /usr/sbin/startx,     /usr/bin/sepg_ctl,      /usr/sbin/apachectl,
469            /usr/sbin/start-dirsrv,                   /usr/sbin/open_init_pty,
470            /usr/sbin/restart-dirsrv,     /etc/sysconfig/network-scripts/ifup-
471            ipsec,   /usr/share/system-config-services/system-config-services-
472            mechanism.py
473
474
475       initrc_state_t
476
477       - Set files with the initrc_state_t type, if  you  want  to  treat  the
478       files as initrc state data.
479
480
481
482       initrc_tmp_t
483
484       -  Set  files  with  the initrc_tmp_t type, if you want to store initrc
485       temporary files in the /tmp directories.
486
487
488
489       initrc_var_log_t
490
491       - Set files with the initrc_var_log_t type, if you want  to  treat  the
492       data  as  initrc var log data, usually stored under the /var/log direc‐
493       tory.
494
495
496
497       initrc_var_run_t
498
499       - Set files with the initrc_var_run_t type, if you want  to  store  the
500       initrc files under the /run or /var/run directory.
501
502
503       Paths:
504            /var/run/utmp,     /var/run/random-seed,    /var/run/runlevel.dir,
505            /var/run/setmixer_flag
506
507
508       Note: File context can be temporarily modified with the chcon  command.
509       If  you want to permanently change the file context you need to use the
510       semanage fcontext command.  This will modify the SELinux labeling data‐
511       base.  You will need to use restorecon to apply the labels.
512
513

COMMANDS

515       semanage  fcontext  can also be used to manipulate default file context
516       mappings.
517
518       semanage permissive can also be used to manipulate  whether  or  not  a
519       process type is permissive.
520
521       semanage  module can also be used to enable/disable/install/remove pol‐
522       icy modules.
523
524       semanage boolean can also be used to manipulate the booleans
525
526
527       system-config-selinux is a GUI tool available to customize SELinux pol‐
528       icy settings.
529
530

AUTHOR

532       This manual page was auto-generated using sepolicy manpage.
533
534

SEE ALSO

536       selinux(8),  initrc(8),  semanage(8),  restorecon(8),  chcon(1), sepol‐
537       icy(8), setsebool(8)
538
539
540
541initrc                             19-04-25                  initrc_selinux(8)