init_selinux(8)               SELinux Policy init              init_selinux(8)


NAME

       init_selinux - Security Enhanced Linux Policy for the init processes


DESCRIPTION

       Security-Enhanced Linux secures the init processes via flexible
       mandatory access control.

       The init processes execute with the init_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep init_t


ENTRYPOINTS

       The init_t SELinux type can be entered via the shell_exec_t,
       init_exec_t file types.

       The default entrypoint paths for the init_t domain are the following:

       /bin/d?ash, /bin/ksh.*, /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*,
       /usr/bin/zsh.*, /bin/esh, /bin/bash, /bin/fish, /bin/mksh, /bin/sash,
       /bin/tcsh, /bin/yash, /bin/bash2, /usr/bin/esh, /sbin/nologin,
       /usr/bin/bash, /usr/bin/fish, /usr/bin/mksh, /usr/bin/sash,
       /usr/bin/tcsh, /usr/bin/yash, /usr/bin/bash2, /usr/sbin/sesh,
       /usr/sbin/smrsh, /usr/bin/scponly, /usr/libexec/sesh, /usr/sbin/nologin,
       /usr/bin/git-shell, /usr/sbin/scponlyc, /usr/libexec/sudo/sesh,
       /usr/bin/cockpit-bridge, /usr/libexec/cockpit-agent,
       /usr/libexec/git-core/git-shell, /sbin/init(ng)?, /usr/sbin/init(ng)?,
       /usr/lib/systemd/[^/]*, /usr/lib/systemd/system-generators/[^/]*,
       /bin/systemd, /sbin/upstart, /usr/bin/systemd, /usr/sbin/upstart


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       init policy is very flexible, allowing users to set up their init
       processes in as secure a method as possible.

       The following process types are defined for init:

       init_t, initrc_t

       Note: semanage permissive -a init_t can be used to make the process
       type init_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. init
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run init with the tightest access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow vbox modules to be created during startup of a new
       kernel, you must turn on the use_virtualbox boolean. Disabled by
       default.

       setsebool -P use_virtualbox 1


MANAGED FILES

       The SELinux process type init_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       auditd_etc_t

            /etc/audit(/.*)?

       binfmt_misc_fs_t


       boolean_type


       bpf_t

            /sys/fs/bpf

       cgroup_t

            /sys/fs/cgroup

       consolekit_log_t

            /var/log/ConsoleKit(/.*)?

       data_home_t

            /root/.local/share(/.*)?
            /home/[^/]+/.local/share(/.*)?

       device_t

            /dev/.*
            /lib/udev/devices(/.*)?
            /usr/lib/udev/devices(/.*)?
            /dev
            /etc/udev/devices
            /var/named/chroot/dev
            /var/spool/postfix/dev
            /var/named/chroot_sdb/dev

       etc_aliases_t

            /etc/mail/.*.db
            /etc/mail/aliases.*
            /etc/postfix/aliases.*
            /etc/aliases
            /etc/aliases.db

       etc_runtime_t

            /[^/]+
            /etc/mtab.*
            /etc/blkid(/.*)?
            /etc/nologin.*
            /etc/.fstab.hal..+
            /halt
            /fastboot
            /poweroff
            /.autofsck
            /etc/cmtab
            /forcefsck
            /.suspended
            /fsckoptions
            /.autorelabel
            /etc/.updated
            /var/.updated
            /etc/killpower
            /etc/nohotplug
            /etc/securetty
            /etc/ioctl.save
            /etc/fstab.REVOKE
            /etc/network/ifstate
            /etc/sysconfig/hwconf
            /etc/ptal/ptal-printd-like
            /etc/sysconfig/iptables.save
            /etc/xorg.conf.d/00-system-setup-keyboard.conf
            /etc/X11/xorg.conf.d/00-system-setup-keyboard.conf

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       gnome_home_type


       init_tmp_t


       init_var_lib_t

            /var/lib/systemd(/.*)?
            /var/lib/private/systemd(/.*)?

       init_var_run_t

            /var/run/systemd(/.*)?

       initrc_state_t


       initrc_var_run_t

            /var/run/utmp
            /var/run/random-seed
            /var/run/runlevel.dir
            /var/run/setmixer_flag

       ipsec_var_run_t

            /var/racoon(/.*)?
            /var/run/pluto(/.*)?
            /var/run/charon.*
            /var/run/racoon.pid
            /var/run/charon.ctl
            /var/run/charon.vici

       iscsi_lock_t

            /var/lock/iscsi(/.*)?

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       krb5_keytab_t

            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       ld_so_cache_t

            /etc/ld.so.cache
            /etc/ld.so.cache~
            /etc/ld.so.preload
            /etc/ld.so.preload~

       locale_t

            /etc/locale.conf
            /etc/vconsole.conf
            /usr/lib/locale(/.*)?
            /usr/share/locale(/.*)?
            /usr/share/zoneinfo(/.*)?
            /usr/share/X11/locale(/.*)?
            /etc/timezone
            /etc/localtime
            /etc/sysconfig/clock
            /etc/avahi/etc/localtime
            /var/empty/sshd/etc/localtime
            /var/named/chroot/etc/localtime
            /var/spool/postfix/etc/localtime

       lockfile


       machineid_t

            /etc/machine-id
            /var/run/systemd/machine-id

       mdadm_var_run_t

            /dev/md/.*
            /var/run/mdadm(/.*)?
            /dev/.mdadm.map

       mnt_t

            /mnt(/[^/]*)?
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /rhev/[^/]*/.*
            /media(/[^/]*)?
            /media(/[^/]*)?
            /media/.hal-.*
            /var/run/media(/[^/]*)?
            /afs
            /net
            /misc
            /rhev

       mount_var_run_t

            /run/mount(/.*)?
            /dev/.mount(/.*)?
            /var/run/mount(/.*)?
            /var/run/davfs2(/.*)?
            /var/cache/davfs2(/.*)?

       named_conf_t

            /etc/rndc.*
            /etc/unbound(/.*)?
            /var/named/chroot(/.*)?
            /etc/named.rfc1912.zones
            /var/named/chroot/etc/named.rfc1912.zones
            /etc/named.conf
            /var/named/named.ca
            /etc/named.root.hints
            /var/named/chroot/etc/named.conf
            /etc/named.caching-nameserver.conf
            /var/named/chroot/var/named/named.ca
            /var/named/chroot/etc/named.root.hints
            /var/named/chroot/etc/named.caching-nameserver.conf

       passwd_file_t

            /etc/group[-+]?
            /etc/passwd[-+]?
            /etc/passwd.adjunct.*
            /etc/ptmptmp
            /etc/.pwd.lock
            /etc/group.lock
            /etc/passwd.OLD
            /etc/passwd.lock

       print_spool_t

            /var/spool/lpd(/.*)?
            /var/spool/cups(/.*)?
            /var/spool/cups-pdf(/.*)?

       random_seed_t

            /var/lib/random-seed
            /usr/var/lib/random-seed

       security_t

            /selinux

       svirt_file_type


       sysctl_type


       sysfs_t

            /sys(/.*)?

       systemd_home_t

            /root/.local/share/systemd(/.*)?
            /home/[^/]+/.local/share/systemd(/.*)?

       systemd_logind_var_run_t

            /var/run/.*nologin.*
            /var/run/systemd/seats(/.*)?
            /var/run/systemd/users(/.*)?
            /var/run/systemd/shutdown(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       systemd_unit_file_type


       tmpfs_t

            /dev/shm
            /var/run/shm
            /usr/lib/udev/devices/shm

       udev_rules_t

            /etc/udev/rules.d(/.*)?

       var_lib_nfs_t

            /var/lib/nfs(/.*)?

       var_lib_t

            /opt/(.*/)?var/lib(/.*)?
            /var/lib(/.*)?

       var_log_t

            /var/log/.*
            /nsr/logs(/.*)?
            /var/webmin(/.*)?
            /var/log/secure[^/]*
            /opt/zimbra/log(/.*)?
            /var/log/maillog[^/]*
            /var/log/spooler[^/]*
            /var/log/messages[^/]*
            /usr/centreon/log(/.*)?
            /var/spool/rsyslog(/.*)?
            /var/axfrdns/log/main(/.*)?
            /var/spool/bacula/log(/.*)?
            /var/tinydns/log/main(/.*)?
            /var/dnscache/log/main(/.*)?
            /var/stockmaniac/templates_cache(/.*)?
            /opt/Symantec/scspagent/IDS/system(/.*)?
            /var/log
            /var/log/dmesg
            /var/log/syslog
            /var/named/chroot/var/log

       var_run_t

            /run/.*
            /var/run/.*
            /run
            /var/run
            /var/run
            /var/spool/postfix/pid

       wtmp_t

            /var/log/wtmp.*


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux init policy is very flexible, allowing users to set up their
       init processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       init policy stores data with multiple different file context types
       under the /var/run/systemd directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/systemd /srv/systemd
       restorecon -R -v /srv/systemd

       STANDARD FILE CONTEXT

       SELinux defines the file context types for init. If you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t initrc_var_run_t '/srv/myinit_content(/.*)?'
       restorecon -R -v /srv/myinit_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.
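       The following is an added example, not code from this page, sepolicy or
       libselinux: it applies a handful of the regular-expression path patterns
       listed under ENTRYPOINTS and MANAGED FILES to candidate paths and reports
       every path whose on-disk label disagrees with what the patterns assign,
       which is the check restorecon -n performs. The rule it uses to pick a
       winner when several patterns match is an assumption and is marked as such
       in the code.

```python
"""Mini "restorecon -n": compare the label a path carries on disk with the
label the file context patterns from this man page would assign it.
Example added for this page; not code from sepolicy or libselinux."""
import re

# Patterns copied from the ENTRYPOINTS and MANAGED FILES sections above.
SPECS = [
    ("/var/run/.*", "var_run_t"),
    ("/var/run/utmp", "initrc_var_run_t"),
    ("/var/run/systemd(/.*)?", "init_var_run_t"),
    ("/var/run/systemd/seats(/.*)?", "systemd_logind_var_run_t"),
    ("/sbin/init(ng)?", "init_exec_t"),
    ("/bin/bash", "shell_exec_t"),
]
_META = set(".*?+^$[](){}|\\")

def stem(pattern):
    """Literal prefix of a pattern, up to its first regex metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in _META:
            return pattern[:i]
    return pattern

def expected_type(path, specs=SPECS):
    """Type the policy assigns to path, or None when nothing matches.
    file_contexts patterns are anchored, hence fullmatch.  Assumption (not
    libselinux's lookup code, an approximation of fc_sort ordering): among
    matching patterns the longest literal stem wins, then fewest metachars."""
    best = None
    for pattern, ftype in specs:
        if re.fullmatch(pattern, path) is None:
            continue
        key = (len(stem(pattern)), -sum(c in _META for c in pattern))
        if best is None or key > best[0]:
            best = (key, ftype)
    return best[1] if best else None

def find_mislabeled(current_labels, specs=SPECS):
    """current_labels maps path -> type now on disk (what ls -Z shows).
    Returns [(path, current, expected)] for every path whose label differs."""
    report = []
    for path, current in current_labels.items():
        expected = expected_type(path, specs)
        if expected is not None and expected != current:
            report.append((path, current, expected))
    return report

# Constructed sample of what ls -Z might report; not real system output.
SAMPLE_LABELS = {
    "/var/run/utmp": "var_run_t",                 # policy wants initrc_var_run_t
    "/var/run/systemd/notify": "init_var_run_t",
    "/var/run/systemd/seats/seat0": "systemd_logind_var_run_t",
    "/var/run/sshd.pid": "var_run_t",
    "/sbin/initng": "bin_t",                      # policy wants init_exec_t
}
```

       find_mislabeled(SAMPLE_LABELS) returns the two mismatched entries,
       /var/run/utmp and /sbin/initng; on a real host the dictionary would be
       filled from ls -Z and restorecon -R -v would correct the labels.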

       The following file types are defined for init:


       init_exec_t

       - Set files with the init_exec_t type, if you want to transition an
       executable to the init_t domain.

       Paths:
            /sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
            /usr/lib/systemd/system-generators/[^/]*, /bin/systemd,
            /sbin/upstart, /usr/bin/systemd, /usr/sbin/upstart


       init_tmp_t

       - Set files with the init_tmp_t type, if you want to store init
       temporary files in the /tmp directories.


       init_var_lib_t

       - Set files with the init_var_lib_t type, if you want to store the init
       files under the /var/lib directory.

       Paths:
            /var/lib/systemd(/.*)?, /var/lib/private/systemd(/.*)?


       init_var_run_t

       - Set files with the init_var_run_t type, if you want to store the init
       files under the /run or /var/run directory.


       initctl_t

       - Set files with the initctl_t type, if you want to treat the files as
       initctl data.

       Paths:
            /dev/initctl, /var/run/initctl, /var/run/systemd/initctl/fifo


       initrc_devpts_t

       - Set files with the initrc_devpts_t type, if you want to treat the
       files as initrc devpts data.


       initrc_exec_t

       - Set files with the initrc_exec_t type, if you want to transition an
       executable to the initrc_t domain.

       Paths:
            /etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
            /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
            /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
            /opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
            /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/apachectl,
            /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty,
            /usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec,
            /usr/share/system-config-services/system-config-services-mechanism.py


       initrc_state_t

       - Set files with the initrc_state_t type, if you want to treat the
       files as initrc state data.


       initrc_tmp_t

       - Set files with the initrc_tmp_t type, if you want to store initrc
       temporary files in the /tmp directories.


       initrc_var_log_t

       - Set files with the initrc_var_log_t type, if you want to treat the
       data as initrc var log data, usually stored under the /var/log
       directory.


       initrc_var_run_t

       - Set files with the initrc_var_run_t type, if you want to store the
       initrc files under the /run or /var/run directory.

       Paths:
            /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
            /var/run/setmixer_flag


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8)



init                               19-10-08                    init_selinux(8)