initrc_selinux(8)            SELinux Policy initrc           initrc_selinux(8)

NAME

       initrc_selinux - Security Enhanced Linux Policy for the initrc processes

DESCRIPTION

       Security-Enhanced Linux secures the initrc processes via flexible
       mandatory access control.

       The initrc processes execute with the initrc_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep initrc_t


ENTRYPOINTS

       The initrc_t SELinux type can be entered via the nis_initrc_exec_t,
       zabbix_initrc_exec_t, auditd_initrc_exec_t, glance_api_initrc_exec_t,
       ntpd_initrc_exec_t, gpm_initrc_exec_t, pcp_plugin_initrc_exec_t,
       entropyd_initrc_exec_t, isnsd_initrc_exec_t, syslogd_initrc_exec_t,
       spamd_initrc_exec_t, sshd_initrc_exec_t, icecast_initrc_exec_t,
       dspam_initrc_exec_t, blkmapd_initrc_exec_t, fcoemon_initrc_exec_t,
       chronyd_initrc_exec_t, zebra_initrc_exec_t, exim_initrc_exec_t,
       pads_initrc_exec_t, radiusd_initrc_exec_t, apcupsd_initrc_exec_t,
       pcscd_initrc_exec_t, pcp_pmproxy_initrc_exec_t, asterisk_initrc_exec_t,
       hddtemp_initrc_exec_t, nslcd_initrc_exec_t, l2tpd_initrc_exec_t,
       kerberos_initrc_exec_t, apmd_initrc_exec_t, rhsmcertd_initrc_exec_t,
       collectd_initrc_exec_t, condor_initrc_exec_t, denyhosts_initrc_exec_t,
       munin_initrc_exec_t, bin_t, prelude_initrc_exec_t,
       mysqld_initrc_exec_t, avahi_initrc_exec_t, abrt_initrc_exec_t,
       tor_initrc_exec_t, mon_statd_initrc_exec_t, vdagentd_initrc_exec_t,
       callweaver_initrc_exec_t, rwho_initrc_exec_t, cupsd_initrc_exec_t,
       gpsd_initrc_exec_t, polipo_initrc_exec_t, uucpd_initrc_exec_t,
       afs_initrc_exec_t, ricci_initrc_exec_t, neutron_initrc_exec_t,
       sysstat_initrc_exec_t, oracleasm_initrc_exec_t, mdadm_initrc_exec_t,
       fail2ban_initrc_exec_t, glusterd_initrc_exec_t, virtlogd_initrc_exec_t,
       irqbalance_initrc_exec_t, psad_initrc_exec_t, pingd_initrc_exec_t,
       dovecot_initrc_exec_t, certmaster_initrc_exec_t, kdump_initrc_exec_t,
       ciped_initrc_exec_t, iodined_initrc_exec_t, zoneminder_initrc_exec_t,
       cyphesis_initrc_exec_t, pki_tps_script_exec_t, bitlbee_initrc_exec_t,
       conntrackd_initrc_exec_t, pcp_pmwebd_initrc_exec_t,
       boinc_initrc_exec_t, vhostmd_initrc_exec_t, rabbitmq_initrc_exec_t,
       fsdaemon_initrc_exec_t, mpd_initrc_exec_t, sendmail_initrc_exec_t,
       bluetooth_initrc_exec_t, ccs_initrc_exec_t, automount_initrc_exec_t,
       samba_initrc_exec_t, named_initrc_exec_t, redis_initrc_exec_t,
       bcfg2_initrc_exec_t, cmirrord_initrc_exec_t, dnsmasq_initrc_exec_t,
       glance_registry_initrc_exec_t, pki_ra_script_exec_t,
       snmpd_initrc_exec_t, qpidd_initrc_exec_t, kismet_initrc_exec_t,
       cfengine_initrc_exec_t, pkcs_slotd_initrc_exec_t,
       setrans_initrc_exec_t, sanlock_initrc_exec_t, clvmd_initrc_exec_t,
       cpuplug_initrc_exec_t, zabbix_agent_initrc_exec_t,
       firewalld_initrc_exec_t, soundd_initrc_exec_t, lircd_initrc_exec_t,
       dhcpd_initrc_exec_t, canna_initrc_exec_t, acct_initrc_exec_t,
       ftpd_initrc_exec_t, portreserve_initrc_exec_t, ddclient_initrc_exec_t,
       mysqlmanagerd_initrc_exec_t, shorewall_initrc_exec_t,
       arpwatch_initrc_exec_t, saslauthd_initrc_exec_t, ulogd_initrc_exec_t,
       postfix_initrc_exec_t, initrc_exec_t, jabberd_initrc_exec_t,
       ipsec_initrc_exec_t, lldpad_initrc_exec_t, ypbind_initrc_exec_t,
       pppd_initrc_exec_t, smokeping_initrc_exec_t, naemon_initrc_exec_t,
       smsd_initrc_exec_t, ajaxterm_initrc_exec_t, nscd_initrc_exec_t,
       openct_initrc_exec_t, virtd_initrc_exec_t, bacula_initrc_exec_t,
       sslh_initrc_exec_t, radvd_initrc_exec_t, NetworkManager_initrc_exec_t,
       fetchmail_initrc_exec_t, ctdbd_initrc_exec_t, wdmd_initrc_exec_t,
       osad_initrc_exec_t, sensord_initrc_exec_t, mrtg_initrc_exec_t,
       rpcbind_initrc_exec_t, mongod_initrc_exec_t, rngd_initrc_exec_t,
       tgtd_initrc_exec_t, dictd_initrc_exec_t, crond_initrc_exec_t,
       cgred_initrc_exec_t, innd_initrc_exec_t, antivirus_initrc_exec_t,
       amtu_initrc_exec_t, httpd_initrc_exec_t, roundup_initrc_exec_t,
       varnishlog_initrc_exec_t, tuned_initrc_exec_t, rhnsd_initrc_exec_t,
       shell_exec_t, varnishd_initrc_exec_t, certmonger_initrc_exec_t,
       snort_initrc_exec_t, openvpn_initrc_exec_t, gdomap_initrc_exec_t,
       openhpid_initrc_exec_t, minidlna_initrc_exec_t, cgconfig_initrc_exec_t,
       glance_scrubber_initrc_exec_t, cvs_initrc_exec_t, ntop_initrc_exec_t,
       mcelog_initrc_exec_t, postgrey_initrc_exec_t, cluster_initrc_exec_t,
       mscan_initrc_exec_t, postgresql_initrc_exec_t, dhcpc_helper_exec_t,
       pcp_pmmgr_initrc_exec_t, slpd_initrc_exec_t, uuidd_initrc_exec_t,
       foghorn_initrc_exec_t, cobblerd_initrc_exec_t, usr_t,
       piranha_pulse_initrc_exec_t, likewise_initrc_exec_t,
       puppetmaster_initrc_exec_t, iptables_initrc_exec_t,
       minissdpd_initrc_exec_t, watchdog_initrc_exec_t, nfsd_initrc_exec_t,
       ksmtuned_initrc_exec_t, portmap_initrc_exec_t, slapd_initrc_exec_t,
       memcached_initrc_exec_t, rtkit_daemon_initrc_exec_t,
       sssd_initrc_exec_t, pcp_pmcd_initrc_exec_t, drbd_initrc_exec_t,
       pcp_pmlogger_initrc_exec_t, cyrus_initrc_exec_t, privoxy_initrc_exec_t,
       pcp_pmie_initrc_exec_t, svnserve_initrc_exec_t, tcsd_initrc_exec_t,
       iwhd_initrc_exec_t, sblim_initrc_exec_t, keystone_initrc_exec_t,
       couchdb_initrc_exec_t, puppetagent_initrc_exec_t, squid_initrc_exec_t,
       rpcd_initrc_exec_t, hypervkvp_initrc_exec_t, vnstatd_initrc_exec_t,
       aiccu_initrc_exec_t, dlm_controld_initrc_exec_t, nagios_initrc_exec_t
       file types.

       The default entrypoint paths for the initrc_t domain are the following:

       All executables with the default executable label, usually stored in
       /usr/bin and /usr/sbin. /etc/rc.d/init.d/ypserv,
       /etc/rc.d/init.d/ypxfrd, /etc/rc.d/init.d/yppasswd,
       /etc/rc.d/init.d/(zabbix|zabbix-server), /etc/rc.d/init.d/auditd,
       /etc/rc.d/init.d/openstack-glance-api, /etc/rc.d/init.d/ntpd,
       /etc/rc.d/init.d/gpm, /etc/rc.d/init.d/((audio-entropyd)|(haveged)),
       /etc/rc.d/init.d/isnsd, /etc/rc.d/init.d/rsyslog,
       /etc/rc.d/init.d/mimedefang.*, /etc/rc.d/init.d/spamd,
       /etc/rc.d/init.d/pyzord, /etc/rc.d/init.d/spampd,
       /etc/rc.d/init.d/sshd, /etc/rc.d/init.d/icecast,
       /etc/rc.d/init.d/dspam, /etc/rc.d/init.d/blkmapd,
       /etc/rc.d/init.d/fcoe, /etc/rc.d/init.d/chronyd, /etc/rc.d/init.d/bgpd,
       /etc/rc.d/init.d/ripd, /etc/rc.d/init.d/isisd, /etc/rc.d/init.d/ospfd,
       /etc/rc.d/init.d/zebra, /etc/rc.d/init.d/babeld,
       /etc/rc.d/init.d/ospf6d, /etc/rc.d/init.d/ripngd,
       /etc/rc.d/init.d/exim, /etc/rc.d/init.d/pads, /etc/rc.d/init.d/radiusd,
       /etc/rc.d/init.d/apcupsd, /etc/rc.d/init.d/pcscd,
       /etc/rc.d/init.d/pmproxy, /etc/rc.d/init.d/asterisk,
       /etc/rc.d/init.d/hddtemp, /etc/rc.d/init.d/nslcd,
       /etc/rc.d/init.d/.*l2tpd, /etc/rc.d/init.d/kprop,
       /etc/rc.d/init.d/kadmind, /etc/rc.d/init.d/krb524d,
       /etc/rc.d/init.d/krb5kdc, /etc/rc.d/init.d/acpid,
       /etc/rc.d/init.d/rhsmcertd, /etc/rc.d/init.d/collectd,
       /etc/rc.d/init.d/condor, /etc/rc.d/init.d/denyhosts,
       /etc/rc.d/init.d/munin-node, /etc/rc.d/init.d/prelude-lml,
       /etc/rc.d/init.d/prelude-manager, /etc/rc.d/init.d/prelude-correlator,
       /etc/rc.d/init.d/mysqld, /etc/rc.d/init.d/avahi.*,
       /etc/rc.d/init.d/abrt, /etc/rc.d/init.d/tor, /etc/rc.d/init.d/mon_statd,
       /etc/rc.d/init.d/spice-vdagentd, /etc/rc.d/init.d/callweaver,
       /etc/rc.d/init.d/rwhod, /etc/rc.d/init.d/cups, /etc/rc.d/init.d/gpsd,
       /etc/rc.d/init.d/polipo, /etc/rc.d/init.d/uucp,
       /etc/rc.d/init.d/(open)?afs, /etc/rc.d/init.d/openafs-client,
       /etc/rc.d/init.d/ricci, /etc/rc.d/init.d/neutron.*,
       /etc/rc.d/init.d/quantum.*, /etc/rc.d/init.d/sysstat,
       /etc/rc.d/init.d/oracleasm, /etc/rc.d/init.d/mdmonitor,
       /etc/rc.d/init.d/fail2ban, /etc/rc.d/init.d/gluster.*,
       /usr/sbin/glusterd, /etc/rc.d/init.d/virtlogd,
       /etc/rc.d/init.d/irqbalance, /etc/rc.d/init.d/psad,
       /etc/rc.d/init.d/whatsup-pingd, /etc/rc.d/init.d/dovecot,
       /etc/rc.d/init.d/certmaster, /etc/rc.d/init.d/kdump,
       /etc/rc.d/init.d/ciped.*, /etc/rc.d/init.d/((iodined)|(iodine-server)),
       /etc/rc.d/init.d/zoneminder, /etc/rc.d/init.d/cyphesis,
       /etc/rc.d/init.d/bitlbee, /etc/rc.d/init.d/pmwebd,
       /etc/rc.d/init.d/boinc-client, /etc/rc.d/init.d/vhostmd,
       /etc/rc.d/init.d/rabbitmq-server,
       /etc/rc.d/init.d/(smartd|smartmontools), /etc/rc.d/init.d/mpd,
       /etc/rc.d/init.d/sendmail, /etc/rc.d/init.d/dund,
       /etc/rc.d/init.d/pand, /etc/rc.d/init.d/bluetooth,
       /etc/rc.d/init.d/((ccs)|(ccsd)), /etc/rc.d/init.d/autofs,
       /etc/rc.d/init.d/nmb, /etc/rc.d/init.d/smb, /etc/rc.d/init.d/winbind,
       /etc/rc.d/init.d/named, /etc/rc.d/init.d/unbound,
       /etc/rc.d/init.d/named-sdb, /etc/rc.d/init.d/redis,
       /etc/rc.d/init.d/bcfg2-server, /etc/rc.d/init.d/cmirrord,
       /etc/rc.d/init.d/dnsmasq, /etc/rc.d/init.d/openstack-glance-registry,
       /etc/rc.d/init.d/(snmpd|snmptrapd), /etc/rc.d/init.d/qpidd,
       /etc/rc.d/init.d/kismet.*,
       /etc/rc.d/init.d/((cf-serverd)|(cf-monitord)|(cf-execd)),
       /etc/rc.d/init.d/pkcsslotd, /etc/rc.d/init.d/mcstrans,
       /etc/rc.d/init.d/sanlock, /etc/rc.d/init.d/cpuplugd,
       /etc/rc.d/init.d/zabbix-agentd, /etc/rc.d/init.d/firewalld,
       /etc/rc.d/init.d/nasd, /etc/rc.d/init.d/lirc,
       /etc/rc.d/init.d/dhcpd(6)?, /etc/rc.d/init.d/dhcrelay(6)?,
       /etc/rc.d/init.d/canna, /etc/rc.d/init.d/psacct,
       /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd,
       /etc/rc.d/init.d/portreserve, /etc/rc.d/init.d/ddclient,
       /etc/rc.d/init.d/mysqlmanager, /etc/rc.d/init.d/shorewall.*,
       /etc/rc.d/init.d/arpwatch, /etc/rc.d/init.d/sasl,
       /etc/rc.d/init.d/ulogd, /etc/rc.d/init.d/postfix, /etc/init.d/.*,
       /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*, /opt/nfast/sbin/init.d-ncipher,
       /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*,
       /usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*),
       /etc/rc.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl,
       /usr/sbin/apachectl, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty,
       /usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec,
       /usr/share/system-config-services/system-config-services-mechanism.py,
       /etc/rc.d/init.d/jabberd, /etc/rc.d/init.d/ipsec,
       /etc/rc.d/init.d/racoon, /etc/rc.d/init.d/strongswan,
       /etc/rc.d/init.d/lldpad, /etc/rc.d/init.d/ypbind,
       /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp,
       /etc/rc.d/init.d/smokeping, /etc/rc.d/init.d/naemon,
       /etc/rc.d/init.d/smsd, /etc/rc.d/init.d/ajaxterm, /etc/rc.d/init.d/nscd,
       /etc/rc.d/init.d/openct, /etc/rc.d/init.d/libvirtd,
       /etc/rc.d/init.d/bacula.*, /etc/rc.d/init.d/sslh,
       /etc/rc.d/init.d/radvd, /etc/NetworkManager/dispatcher.d(/.*)?,
       /etc/rc.d/init.d/wicd, /etc/rc.d/init.d/fetchmail,
       /etc/rc.d/init.d/ctdb, /etc/rc.d/init.d/wdmd, /etc/rc.d/init.d/osad,
       /etc/rc.d/init.d/sensord, /etc/rc.d/init.d/mrtg,
       /etc/rc.d/init.d/rpcbind, /etc/rc.d/init.d/mongod,
       /etc/rc.d/init.d/mongos, /etc/rc.d/init.d/rngd, /etc/rc.d/init.d/tgtd,
       /etc/rc.d/init.d/dictd, /etc/rc.d/init.d/atd, /etc/rc.d/init.d/cgred,
       /etc/rc.d/init.d/innd, /etc/rc.d/init.d/clamd.*,
       /etc/rc.d/init.d/amavis, /etc/rc.d/init.d/amavisd-snmp,
       /etc/rc.d/init.d/amtu, /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
       /etc/rc.d/init.d/lighttpd, /etc/rc.d/init.d/roundup,
       /etc/rc.d/init.d/varnishlog, /etc/rc.d/init.d/varnishncsa,
       /etc/rc.d/init.d/tuned, /etc/rc.d/init.d/rhnsd, /bin/d?ash, /bin/ksh.*,
       /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh,
       /bin/bash, /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
       /bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
       /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
       /usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
       /usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-shell,
       /usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
       /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell,
       /etc/rc.d/init.d/varnish, /etc/rc.d/init.d/certmonger,
       /etc/rc.d/init.d/snortd, /etc/rc.d/init.d/openvpn,
       /etc/rc.d/init.d/gdomap, /etc/rc.d/init.d/openhpid,
       /etc/rc.d/init.d/minidlna, /etc/rc.d/init.d/cgconfig,
       /etc/rc.d/init.d/openstack-glance-scrubber, /etc/rc.d/init.d/cvs,
       /etc/rc.d/init.d/ntop, /etc/rc.d/init.d/mcelog,
       /etc/rc.d/init.d/postgrey, /etc/rc.d/init.d/openais,
       /etc/rc.d/init.d/corosync, /etc/rc.d/init.d/cpglockd,
       /etc/rc.d/init.d/heartbeat, /etc/rc.d/init.d/pacemaker,
       /etc/rc.d/init.d/rgmanager, /etc/rc.d/init.d/MailScanner,
       /etc/rc.d/init.d/(se)?postgresql, /etc/firestarter/firestarter.sh,
       /etc/rc.d/init.d/pmmgr, /etc/rc.d/init.d/slpd, /etc/rc.d/init.d/uuidd,
       /etc/rc.d/init.d/cobblerd, /opt/.*, /usr/.*, /emul/.*, /export(/.*)?,
       /ostree(/.*)?, /usr/doc(/.*)?/lib(/.*)?, /usr/inclu.e(/.*)?,
       /usr/share/rpm(/.*)?, /usr/share/doc(/.*)?/README.*,
       /usr/lib/modules(/.*)/vmlinuz, /usr/lib/modules(/.*)/initramfs.img,
       /usr/lib/sysimage(/.*)?, /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul,
       /etc/rc.d/init.d/pulse, /etc/rc.d/init.d/lwiod, /etc/rc.d/init.d/lwsmd,
       /etc/rc.d/init.d/lsassd, /etc/rc.d/init.d/lwregd,
       /etc/rc.d/init.d/dcerpcd, /etc/rc.d/init.d/srvsvcd,
       /etc/rc.d/init.d/likewise, /etc/rc.d/init.d/eventlogd,
       /etc/rc.d/init.d/netlogond, /etc/rc.d/init.d/puppetmaster,
       /etc/rc.d/init.d/ip6?tables, /etc/rc.d/init.d/ebtables,
       /etc/rc.d/init.d/nftables, /etc/rc.d/init.d/minissdpd,
       /etc/rc.d/init.d/watchdog, /etc/rc.d/init.d/nfs,
       /etc/rc.d/init.d/ksmtuned, /etc/rc.d/init.d/portmap,
       /etc/rc.d/init.d/slapd, /etc/rc.d/init.d/memcached,
       /etc/rc.d/init.d/rtkit-daemon, /etc/rc.d/init.d/sssd,
       /etc/rc.d/init.d/pmcd, /etc/rc.d/init.d/drbd, /etc/rc.d/init.d/pmlogger,
       /etc/rc.d/init.d/cyrus.*, /etc/rc.d/init.d/privoxy,
       /etc/rc.d/init.d/pmie, /etc/rc.d/init.d/svnserve,
       /etc/rc.d/init.d/(tcsd|trousers), /etc/rc.d/init.d/iwhd,
       /etc/rc.d/init.d/gatherer, /etc/rc.d/init.d/sblim-sfcbd,
       /etc/rc.d/init.d/openstack-keystone, /etc/rc.d/init.d/couchdb,
       /etc/rc.d/init.d/puppet, /etc/rc.d/init.d/squid,
       /etc/rc.d/init.d/nfslock, /etc/rc.d/init.d/rpcidmapd,
       /etc/rc.d/init.d/hypervkvpd, /etc/rc.d/init.d/vnstat,
       /etc/rc.d/init.d/aiccu, /etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       initrc policy is very flexible, allowing users to set up their initrc
       processes in as secure a method as possible.

       The following process types are defined for initrc:

       initrc_t

       Note: semanage permissive -a initrc_t can be used to make the process
       type initrc_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. initrc
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run initrc with the tightest access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Enabled by default.

       setsebool -P secure_mode_insmod 1

       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean. Doing
       this is a really bad idea. It probably indicates a badly coded
       executable, but could indicate an attack. This executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execheap 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary. It probably indicates a badly coded
       executable, but could indicate an attack. This executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1
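       The defaults above are what the policy ships with; what a running host
       actually has is printed by getsebool -a. The following added example
       (not code from this page or from sepolicy) parses getsebool -a output,
       reports booleans that have drifted from the defaults documented above,
       and produces the setsebool -P commands that restore them; the sample
       output it runs on is constructed.

```python
"""Audit the booleans listed in initrc_selinux(8) against their documented defaults.

Added example, not part of the sepolicy-generated page.  It reads text in the
format that 'getsebool -a' prints ("name --> on") so it can run offline on a
constructed sample; on a live host, pipe the real command output into audit().
"""
import re

# Default states exactly as the BOOLEANS section of this page documents them.
DOCUMENTED_DEFAULTS = {
    "authlogin_nsswitch_use_ldap": "off",
    "deny_execmem": "on",
    "fips_mode": "on",
    "kerberos_enabled": "on",
    "mmap_low_allowed": "off",
    "nis_enabled": "off",
    "nscd_use_shm": "off",
    "secure_mode_insmod": "on",
    "selinuxuser_execheap": "off",
    "selinuxuser_execstack": "on",
}

# Constructed sample of 'getsebool -a' output with three booleans moved away
# from their documented defaults (deny_execmem, nis_enabled, execheap).
SAMPLE_GETSEBOOL = """\
authlogin_nsswitch_use_ldap --> off
deny_execmem --> off
fips_mode --> on
kerberos_enabled --> on
mmap_low_allowed --> off
nis_enabled --> on
nscd_use_shm --> off
secure_mode_insmod --> on
selinuxuser_execheap --> on
selinuxuser_execstack --> on
"""

_LINE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")


def parse_getsebool(text):
    """Map boolean name -> 'on'/'off' from getsebool output; other lines are skipped."""
    states = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            states[m.group(1)] = m.group(2)
    return states


def find_drift(current, defaults=DOCUMENTED_DEFAULTS):
    """Return (drifted, missing): drifted is a sorted list of
    (name, current_state, documented_default) for booleans that differ from
    the documented default; missing lists documented booleans the running
    policy does not define at all (a policy version mismatch worth noting)."""
    drifted, missing = [], []
    for name, default in sorted(defaults.items()):
        if name not in current:
            missing.append(name)
        elif current[name] != default:
            drifted.append((name, current[name], default))
    return drifted, missing


def restore_commands(drifted):
    """setsebool -P lines, in the form this page uses, that put each drifted
    boolean back to its documented default (-P persists across reboots)."""
    return [f"setsebool -P {name} {1 if default == 'on' else 0}"
            for name, _current, default in drifted]


def audit(text):
    """Full pass over getsebool output: returns (drifted, missing, commands)."""
    drifted, missing = find_drift(parse_getsebool(text))
    return drifted, missing, restore_commands(drifted)


if __name__ == "__main__":
    drifted, missing, commands = audit(SAMPLE_GETSEBOOL)
    for name, cur, default in drifted:
        print(f"{name}: is {cur}, documented default {default}")
    for name in missing:
        print(f"{name}: not defined in the running policy")
    print("\n".join(commands))
```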

MANAGED FILES

       The SELinux process type initrc_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note the process's UID still needs to have DAC permissions.

       file_type

            all files on the system


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux initrc policy is very flexible, allowing users to set up their
       initrc processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for initrc. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
       restorecon -R -v /srv/myinitrc_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for initrc:

       initrc_devpts_t

       - Set files with the initrc_devpts_t type, if you want to treat the
       files as initrc devpts data.

       initrc_exec_t

       - Set files with the initrc_exec_t type, if you want to transition an
       executable to the initrc_t domain.

       Paths:
            /etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
            /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
            /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
            /opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
            /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/apachectl,
            /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty,
            /usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec,
            /usr/share/system-config-services/system-config-services-mechanism.py

       initrc_state_t

       - Set files with the initrc_state_t type, if you want to treat the
       files as initrc state data.

       initrc_tmp_t

       - Set files with the initrc_tmp_t type, if you want to store initrc
       temporary files in the /tmp directories.

       initrc_var_log_t

       - Set files with the initrc_var_log_t type, if you want to treat the
       data as initrc var log data, usually stored under the /var/log
       directory.

       initrc_var_run_t

       - Set files with the initrc_var_run_t type, if you want to store the
       initrc files under the /run or /var/run directory.

       Paths:
            /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
            /var/run/setmixer_flag

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
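       Which type a path receives, and therefore whether it is one of the
       entrypoints for initrc_t listed under ENTRYPOINTS, follows from matching
       the whole path against regexes like the ones printed above. The
       following added example (not code from this page, from sepolicy or from
       libselinux) resolves paths against a constructed subset of those rules
       and models the semanage fcontext line above as a local rule. It assumes
       anchored whole-path matching with last-match-wins, that the ENTRYPOINTS
       type and path lists are printed in the same order (which is how the
       type for each pattern was chosen), and that local rules sit after the
       policy's own rules.

```python
"""Resolve which SELinux file type a path gets from regex file-context rules.

Added example; not code from this page, from sepolicy or from libselinux.
Assumptions: every rule regex is anchored to the whole path, as file_contexts
entries are; when several rules match, the last matching rule wins (libselinux
searches its spec list from the end, and 'semanage fcontext -a' rules live in
file_contexts.local, which comes after the policy's own entries).  Patterns
are copied as this page prints them; real file_contexts entries escape the
literal dots, which makes no difference to the paths resolved here.
"""
import re

# Constructed subset of the page's entrypoint table: (pattern, type) pairs,
# ordered general-to-specific as in a file_contexts file, so the more
# specific rule is the later (winning) one.
POLICY_RULES = [
    ("/usr/.*", "usr_t"),
    ("/etc/rc.d/init.d/.*", "initrc_exec_t"),
    ("/etc/init.d/.*", "initrc_exec_t"),
    ("/usr/sbin/restart-dirsrv", "initrc_exec_t"),
    ("/etc/rc.d/init.d/sshd", "sshd_initrc_exec_t"),
    ("/etc/rc.d/init.d/(smartd|smartmontools)", "fsdaemon_initrc_exec_t"),
    ("/etc/ppp/(auth|ip(v6|x)?)-(up|down)", "pppd_initrc_exec_t"),
    ("/etc/NetworkManager/dispatcher.d(/.*)?", "NetworkManager_initrc_exec_t"),
    ("/usr/bin/bash", "shell_exec_t"),
    ("/var/run/utmp", "initrc_var_run_t"),
]

# Types from the page's ENTRYPOINTS list that occur in POLICY_RULES.
# initrc_var_run_t is deliberately absent: it labels data, not an entrypoint.
INITRC_ENTRYPOINT_TYPES = {
    "usr_t", "initrc_exec_t", "sshd_initrc_exec_t", "fsdaemon_initrc_exec_t",
    "pppd_initrc_exec_t", "NetworkManager_initrc_exec_t", "shell_exec_t",
}


def compile_rules(rules):
    """Compile (pattern, type) pairs; fullmatch() in lookup_type() anchors them."""
    return [(re.compile(pattern), ftype) for pattern, ftype in rules]


def add_local_rule(compiled, pattern, ftype):
    """Model 'semanage fcontext -a -t TYPE PATTERN': the local rule is
    appended after the policy rules, so the reverse search sees it first."""
    return compiled + [(re.compile(pattern), ftype)]


def lookup_type(path, compiled):
    """Type of the last rule whose regex matches the whole path, or None when
    nothing matches (restorecon would then leave the file's label alone)."""
    for regex, ftype in reversed(compiled):
        if regex.fullmatch(path):
            return ftype
    return None


def is_initrc_entrypoint(path, compiled):
    """True if the type the path would receive is one initrc_t can be entered
    through.  Whether an exec actually transitions into initrc_t still
    depends on the calling domain's own transition rules."""
    return lookup_type(path, compiled) in INITRC_ENTRYPOINT_TYPES


if __name__ == "__main__":
    rules = compile_rules(POLICY_RULES)
    # The customization shown in this page's FILE CONTEXTS section.
    rules = add_local_rule(rules, "/srv/myinitrc_content(/.*)?", "initrc_var_run_t")
    for p in ("/etc/rc.d/init.d/sshd", "/etc/rc.d/init.d/smartmontools",
              "/etc/ppp/ipv6-up", "/etc/ppp/ipv4-up", "/usr/sbin/restart-dirsrv",
              "/usr/lib/libc.so.6", "/srv/myinitrc_content/state.db"):
        print(f"{p:36} {str(lookup_type(p, rules)):30} "
              f"entrypoint={is_initrc_entrypoint(p, rules)}")
```

       Note that the page lists usr_t itself among the entrypoint types, so
       the example reports an ordinary file under /usr as an entrypoint too.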

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

initrc                             19-05-30                  initrc_selinux(8)