init_selinux(8)               SELinux Policy init              init_selinux(8)


NAME

       init_selinux - Security Enhanced Linux Policy for the init processes


DESCRIPTION

       Security-Enhanced Linux secures the init processes via flexible
       mandatory access control.

       The init processes execute with the init_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep init_t



ENTRYPOINTS

       The init_t SELinux type can be entered via the shell_exec_t and
       init_exec_t file types.

       The default entrypoint paths for the init_t domain are the following:

       /bin/d?ash, /bin/ksh.*, /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*,
       /usr/bin/zsh.*, /bin/esh, /bin/bash, /bin/fish, /bin/mksh, /bin/sash,
       /bin/tcsh, /bin/yash, /bin/bash2, /usr/bin/esh, /sbin/nologin,
       /usr/bin/bash, /usr/bin/fish, /usr/bin/mksh, /usr/bin/sash,
       /usr/bin/tcsh, /usr/bin/yash, /usr/bin/bash2, /usr/sbin/sesh,
       /usr/sbin/smrsh, /usr/bin/scponly, /usr/libexec/sesh,
       /usr/sbin/nologin, /usr/bin/git-shell, /usr/sbin/scponlyc,
       /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
       /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell,
       /sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
       /usr/lib/systemd/system-generators/[^/]*, /bin/systemd,
       /sbin/upstart, /usr/bin/systemd, /usr/sbin/upstart


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       init policy is very flexible, allowing users to set up their init
       processes in as secure a method as possible.

       The following process types are defined for init:

       init_t, initrc_t

       Note: semanage permissive -a init_t can be used to make the process
       type init_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.



BOOLEANS

       SELinux policy is customizable based on least access required. init
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run init with the tightest access possible.


       If you want to enable init create, setattr, mounton on
       non_security_file_type, you must turn on the init_create_dirs boolean.
       Enabled by default.

       setsebool -P init_create_dirs 1


       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Enabled by default.

       setsebool -P deny_bluetooth 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Enabled by default.

       setsebool -P secure_mode_insmod 1


       If you want to allow creating vbox modules during startup of a new
       kernel, you must turn on the use_virtualbox boolean. Disabled by
       default.

       setsebool -P use_virtualbox 1


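       The following script is an added example, not part of the sepolicy-
       generated page: it reads getsebool output and reports every boolean
       listed above whose state differs from the default documented here, so
       drift from the documented hardening (module loading disabled, bluetooth
       denied, FIPS mode on) is visible. The getsebool lines embedded in it are
       constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not generated by sepolicy): compare the init booleans this
# page documents with their documented defaults, reading getsebool-style
# "name --> state" lines on stdin. On a live system run:
#     getsebool -a | audit_init_booleans
# The table and the sample output below are constructed for offline use.

# Boolean name and default state exactly as documented above.
INIT_BOOLEAN_DEFAULTS='init_create_dirs on
deny_bluetooth on
fips_mode on
secure_mode_insmod on
use_virtualbox off'

# Constructed sample of "getsebool -a" output; two booleans have drifted.
SAMPLE_GETSEBOOL='deny_bluetooth --> off
fips_mode --> on
init_create_dirs --> on
secure_mode_insmod --> off
selinuxuser_ping --> on
use_virtualbox --> off'

# Print the documented default for one boolean; prints nothing if unknown.
documented_default() {
    printf '%s\n' "$INIT_BOOLEAN_DEFAULTS" | awk -v b="$1" '$1 == b { print $2 }'
}

# Read getsebool lines on stdin and print one line per boolean whose state
# differs from the documented default; booleans not on this page are skipped.
audit_init_booleans() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        expected=$(documented_default "$name")
        [ -n "$expected" ] || continue
        if [ "$state" != "$expected" ]; then
            printf '%s: expected %s, got %s\n' "$name" "$expected" "$state"
        fi
    done
    return 0
}

# Number of drifted booleans in a getsebool listing passed on stdin.
count_drifted_booleans() {
    audit_init_booleans | awk 'END { print NR }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_init_booleans
```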

MANAGED FILES

       The SELinux process type init_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       auditd_etc_t

            /etc/audit(/.*)?

       binfmt_misc_fs_t


       boolean_type


       bpf_t

            /sys/fs/bpf

       cgroup_t

            /sys/fs/cgroup

       consolekit_log_t

            /var/log/ConsoleKit(/.*)?

       etc_aliases_t

            /etc/mail/.*.db
            /etc/mail/aliases.*
            /etc/postfix/aliases.*
            /etc/aliases
            /etc/aliases.db

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       gnome_home_type


       init_var_lib_t

            /var/lib/systemd(/.*)?
            /var/lib/private/systemd(/.*)?

       initrc_state_t


       krb5_keytab_t

            /var/kerberos/krb5(/.*)?
            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       lastlog_t

            /var/log/lastlog.*

       lockfile


       mnt_t

            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /rhev/[^/]*/.*
            /media(/[^/]*)?
            /media/.hal-.*
            /var/run/media(/[^/]*)?
            /afs
            /net
            /misc
            /rhev

       print_spool_t

            /var/spool/lpd(/.*)?
            /var/spool/cups(/.*)?
            /var/spool/cups-pdf(/.*)?

       random_seed_t

            /var/lib/random-seed
            /usr/var/lib/random-seed

       svirt_file_type


       sysctl_type


       sysfs_t

            /sys(/.*)?

       systemd_home_t

            /root/.local/share/systemd(/.*)?
            /home/[^/]+/.local/share/systemd(/.*)?

       systemd_unit_file_type


       tmpfs_t

            /dev/shm
            /var/run/shm
            /usr/lib/udev/devices/shm

       udev_rules_t

            /etc/udev/rules.d(/.*)?

       var_lib_nfs_t

            /var/lib/nfs(/.*)?

       var_lib_t

            /opt/(.*/)?var/lib(/.*)?
            /var/lib(/.*)?

       var_log_t

            /var/log/.*
            /nsr/logs(/.*)?
            /var/webmin(/.*)?
            /var/log/secure[^/]*
            /opt/zimbra/log(/.*)?
            /var/log/maillog[^/]*
            /var/log/spooler[^/]*
            /var/log/messages[^/]*
            /usr/centreon/log(/.*)?
            /var/spool/rsyslog(/.*)?
            /var/axfrdns/log/main(/.*)?
            /var/spool/bacula/log(/.*)?
            /var/tinydns/log/main(/.*)?
            /var/dnscache/log/main(/.*)?
            /var/stockmaniac/templates_cache(/.*)?
            /opt/Symantec/scspagent/IDS/system(/.*)?
            /var/log
            /var/log/dmesg
            /var/log/syslog
            /var/named/chroot/var/log

       wtmp_t

            /var/log/wtmp.*



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux init policy is very flexible, allowing users to set up their
       init processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES


       init policy stores data with multiple different file context types
       under the /var/run/systemd directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/systemd /srv/systemd
       restorecon -R -v /srv/systemd

       STANDARD FILE CONTEXT

       SELinux defines the file context types for init. If you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t initrc_var_run_t '/srv/myinit_content(/.*)?'
       restorecon -R -v /srv/myinit_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for init:



       init_exec_t

       - Set files with the init_exec_t type, if you want to transition an
       executable to the init_t domain.


       Paths:
            /sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
            /usr/lib/systemd/system-generators/[^/]*, /bin/systemd,
            /sbin/upstart, /usr/bin/systemd, /usr/sbin/upstart


       init_tmp_t

       - Set files with the init_tmp_t type, if you want to store init
       temporary files in the /tmp directories.



       init_var_lib_t

       - Set files with the init_var_lib_t type, if you want to store the init
       files under the /var/lib directory.


       Paths:
            /var/lib/systemd(/.*)?, /var/lib/private/systemd(/.*)?


       init_var_run_t

       - Set files with the init_var_run_t type, if you want to store the init
       files under the /run or /var/run directory.



       initctl_t

       - Set files with the initctl_t type, if you want to treat the files as
       initctl data.


       Paths:
            /dev/initctl, /var/run/initctl, /var/run/systemd/initctl/fifo


       initrc_devpts_t

       - Set files with the initrc_devpts_t type, if you want to treat the
       files as initrc devpts data.



       initrc_exec_t

       - Set files with the initrc_exec_t type, if you want to transition an
       executable to the initrc_t domain.


       Paths:
            /etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
            /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
            /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
            /opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
            /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-dirsrv,
            /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv,
            /etc/sysconfig/network-scripts/ifup-ipsec,
            /usr/share/system-config-services/system-config-services-mechanism.py


       initrc_state_t

       - Set files with the initrc_state_t type, if you want to treat the
       files as initrc state data.



       initrc_tmp_t

       - Set files with the initrc_tmp_t type, if you want to store initrc
       temporary files in the /tmp directories.



       initrc_var_log_t

       - Set files with the initrc_var_log_t type, if you want to treat the
       data as initrc var log data, usually stored under the /var/log
       directory.



       initrc_var_run_t

       - Set files with the initrc_var_run_t type, if you want to store the
       initrc files under the /run or /var/run directory.


       Paths:
            /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
            /var/run/setmixer_flag


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


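       The following script is an added example, not part of the sepolicy-
       generated page: it shows how an equivalence mapping like the
       /var/run/systemd to /srv/systemd one described above changes which of
       the init file context regexes (taken from the Paths lists) a path
       matches, and why a path such as /srv/systemdx is not affected. The
       resolver is a first-match toy with a handful of embedded regexes;
       libselinux applies its own precedence rules, and the function names are
       this example's own.

```shell
#!/bin/sh
# Added example, not generated by sepolicy: a toy resolver for the init file
# contexts listed above, with one equivalence mapping of the kind created by
#   semanage fcontext -a -e /var/run/systemd /srv/systemd
# Assumptions: only the regexes embedded below are known, and the first match
# wins (libselinux applies its own precedence rules; this is an illustration).

# Constructed table from the Paths above: "type regex", one per line.
INIT_FCONTEXTS='init_exec_t /sbin/init(ng)?
init_exec_t /usr/lib/systemd/[^/]*
init_var_lib_t /var/lib/systemd(/.*)?
initctl_t /dev/initctl
initctl_t /var/run/systemd/initctl/fifo
initrc_var_run_t /var/run/utmp
initrc_var_run_t /var/run/random-seed'

# Equivalence: paths under the alias are labelled as if under the target.
EQUIV_TARGET=/var/run/systemd
EQUIV_ALIAS=/srv/systemd

# Rewrite an aliased path to the target prefix; only whole path components
# match, so /srv/systemdx/... is left alone.
apply_equivalence() {
    case "$1" in
        "$EQUIV_ALIAS"|"$EQUIV_ALIAS"/*)
            printf '%s\n' "$EQUIV_TARGET${1#"$EQUIV_ALIAS"}" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# Print the type of the first regex matching the whole path, or "no-match".
# SELinux anchors file-context regexes at both ends, hence ^(...)$.
label_for() {
    path=$(apply_equivalence "$1")
    result=no-match
    while read -r ftype regex; do
        if printf '%s\n' "$path" | grep -Eq "^($regex)\$"; then
            result=$ftype
            break
        fi
    done <<EOF
$INIT_FCONTEXTS
EOF
    printf '%s\n' "$result"
}

# Stand-alone demo over a few constructed paths.
for p in /sbin/initng /sbin/init.d /srv/systemd/initctl/fifo \
         /srv/systemdx/initctl/fifo /var/lib/systemd/catalog/database; do
    printf '%-40s %s\n' "$p" "$(label_for "$p")"
done
```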

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8)



init                               20-05-05                    init_selinux(8)