1initrc_selinux(8) SELinux Policy initrc initrc_selinux(8)
2
3
4
6 initrc_selinux - Security Enhanced Linux Policy for the initrc pro‐
7 cesses
8
10 Security-Enhanced Linux secures the initrc processes via flexible
11 mandatory access control.
12
13 The initrc processes execute with the initrc_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep initrc_t
20
21
22
24 The initrc_t SELinux type can be entered via the amtu_initrc_exec_t,
25 nscd_initrc_exec_t, avahi_initrc_exec_t, minidlna_initrc_exec_t,
26 nslcd_initrc_exec_t, munin_initrc_exec_t, mpd_initrc_exec_t,
27 rpcbind_initrc_exec_t, naemon_initrc_exec_t, roundup_initrc_exec_t,
28 pcscd_initrc_exec_t, tuned_initrc_exec_t, afs_initrc_exec_t, ipta‐
29 bles_initrc_exec_t, shorewall_initrc_exec_t, radiusd_initrc_exec_t,
30 gpsd_initrc_exec_t, cluster_initrc_exec_t, ccs_initrc_exec_t, sys‐
31 logd_initrc_exec_t, slapd_initrc_exec_t, lircd_initrc_exec_t, fsdae‐
32 mon_initrc_exec_t, foghorn_initrc_exec_t, dspam_initrc_exec_t,
33 samba_initrc_exec_t, glance_registry_initrc_exec_t, certmonger_ini‐
34 trc_exec_t, radvd_initrc_exec_t, asterisk_initrc_exec_t, saslauthd_ini‐
35 trc_exec_t, pki_tps_script_exec_t, innd_initrc_exec_t, varnishlog_ini‐
36 trc_exec_t, zabbix_initrc_exec_t, spamd_initrc_exec_t, rtkit_dae‐
37 mon_initrc_exec_t, nfsd_initrc_exec_t, kerberos_initrc_exec_t, con‐
38 ntrackd_initrc_exec_t, initrc_exec_t, neutron_initrc_exec_t, bin_t,
39 shell_exec_t, cgconfig_initrc_exec_t, firewalld_initrc_exec_t,
40 setrans_initrc_exec_t, slpd_initrc_exec_t, kdump_initrc_exec_t, con‐
41 dor_initrc_exec_t, vnstatd_initrc_exec_t, osad_initrc_exec_t,
42 kismet_initrc_exec_t, ajaxterm_initrc_exec_t, ftpd_initrc_exec_t,
43 hddtemp_initrc_exec_t, fail2ban_initrc_exec_t, sysstat_initrc_exec_t,
44 drbd_initrc_exec_t, aiccu_initrc_exec_t, smokeping_initrc_exec_t, cmir‐
45 rord_initrc_exec_t, dhcpc_helper_exec_t, piranha_pulse_initrc_exec_t,
46 minissdpd_initrc_exec_t, usr_t, ciped_initrc_exec_t, boinc_ini‐
47 trc_exec_t, irqbalance_initrc_exec_t, glance_api_initrc_exec_t,
48 tgtd_initrc_exec_t, hypervkvp_initrc_exec_t, ntop_initrc_exec_t,
49 cgred_initrc_exec_t, named_initrc_exec_t, postfix_initrc_exec_t,
50 portmap_initrc_exec_t, ddclient_initrc_exec_t, mon_statd_initrc_exec_t,
51 NetworkManager_initrc_exec_t, ipa_custodia_dmldap_exec_t, uuidd_ini‐
52 trc_exec_t, pki_ra_script_exec_t, entropyd_initrc_exec_t, likewise_ini‐
53 trc_exec_t, dhcpd_initrc_exec_t, squid_initrc_exec_t, openct_ini‐
54 trc_exec_t, certmaster_initrc_exec_t, automount_initrc_exec_t,
55 pcp_pmcd_initrc_exec_t, memcached_initrc_exec_t, nis_initrc_exec_t,
56 zoneminder_initrc_exec_t, bacula_initrc_exec_t, privoxy_initrc_exec_t,
57 cpuplug_initrc_exec_t, ypbind_initrc_exec_t, rwho_initrc_exec_t, ice‐
58 cast_initrc_exec_t, ctdbd_initrc_exec_t, couchdb_initrc_exec_t,
59 apcupsd_initrc_exec_t, watchdog_initrc_exec_t, ulogd_initrc_exec_t,
60 apmd_initrc_exec_t, abrt_initrc_exec_t, mysqld_initrc_exec_t,
61 canna_initrc_exec_t, puppetagent_initrc_exec_t, ipa_custo‐
62 dia_ra_agent_exec_t, pcp_pmlogger_initrc_exec_t, zabbix_agent_ini‐
63 trc_exec_t, ricci_initrc_exec_t, gpm_initrc_exec_t, ksmtuned_ini‐
64 trc_exec_t, smsd_initrc_exec_t, ntpd_initrc_exec_t, glusterd_ini‐
65 trc_exec_t, bluetooth_initrc_exec_t, tcsd_initrc_exec_t, snmpd_ini‐
66 trc_exec_t, antivirus_initrc_exec_t, rngd_initrc_exec_t, mysqlman‐
67 agerd_initrc_exec_t, cobblerd_initrc_exec_t, pingd_initrc_exec_t,
68 httpd_initrc_exec_t, virtd_initrc_exec_t, pcp_plugin_initrc_exec_t,
69 vdagentd_initrc_exec_t, denyhosts_initrc_exec_t, crond_initrc_exec_t,
70 sssd_initrc_exec_t, callweaver_initrc_exec_t, acct_initrc_exec_t, san‐
71 lock_initrc_exec_t, tor_initrc_exec_t, mcelog_initrc_exec_t, mdadm_ini‐
72 trc_exec_t, sblim_initrc_exec_t, qpidd_initrc_exec_t, cyphesis_ini‐
73 trc_exec_t, dictd_initrc_exec_t, rhsmcertd_initrc_exec_t, pads_ini‐
74 trc_exec_t, openvpn_initrc_exec_t, auditd_initrc_exec_t, cupsd_ini‐
75 trc_exec_t, iodined_initrc_exec_t, lldpad_initrc_exec_t, cyrus_ini‐
76 trc_exec_t, pcp_pmproxy_initrc_exec_t, svnserve_initrc_exec_t, col‐
77 lectd_initrc_exec_t, puppetmaster_initrc_exec_t, varnishd_ini‐
78 trc_exec_t, prelude_initrc_exec_t, zebra_initrc_exec_t, gdomap_ini‐
79 trc_exec_t, postgresql_initrc_exec_t, cvs_initrc_exec_t, sensord_ini‐
80 trc_exec_t, oracleasm_initrc_exec_t, mrtg_initrc_exec_t, cfengine_ini‐
81 trc_exec_t, iwhd_initrc_exec_t, pppd_initrc_exec_t, mscan_ini‐
82 trc_exec_t, sendmail_initrc_exec_t, openhpid_initrc_exec_t, redis_ini‐
83 trc_exec_t, wdmd_initrc_exec_t, pcp_pmie_initrc_exec_t, arpwatch_ini‐
84 trc_exec_t, bitlbee_initrc_exec_t, dlm_controld_initrc_exec_t,
85 pkcs_slotd_initrc_exec_t, soundd_initrc_exec_t, uucpd_initrc_exec_t,
86 rpcd_initrc_exec_t, keystone_initrc_exec_t, isnsd_initrc_exec_t, virt‐
87 logd_initrc_exec_t, bcfg2_initrc_exec_t, dovecot_initrc_exec_t,
88 ipsec_initrc_exec_t, clvmd_initrc_exec_t, exim_initrc_exec_t, sshd_ini‐
89 trc_exec_t, jabberd_initrc_exec_t, postgrey_initrc_exec_t, rab‐
90 bitmq_initrc_exec_t, polipo_initrc_exec_t, snort_initrc_exec_t,
91 fcoemon_initrc_exec_t, dnsmasq_initrc_exec_t, fetchmail_initrc_exec_t,
92 ipa_custodia_pki_tomcat_exec_t, glance_scrubber_initrc_exec_t,
93 nagios_initrc_exec_t, psad_initrc_exec_t, mongod_initrc_exec_t, portre‐
94 serve_initrc_exec_t, vhostmd_initrc_exec_t, chronyd_initrc_exec_t,
95 l2tpd_initrc_exec_t, sslh_initrc_exec_t, rhnsd_initrc_exec_t,
96 blkmapd_initrc_exec_t file types. Note that this list includes the generic bin_t, shell_exec_t and usr_t types, so initrc_t can be entered through an ordinary executable or shell, not only through an init script; whether a given caller actually transitions still depends on the transition rules of the calling domain.
97
98 The default entrypoint paths for the initrc_t domain are the following:
99
100 All executables with the default executable label (bin_t), usually
101 stored in /usr/bin and /usr/sbin. /etc/rc.d/init.d/amtu, /etc/rc.d/init.d/nscd,
102 /etc/rc.d/init.d/avahi.*, /etc/rc.d/init.d/minidlna,
103 /etc/rc.d/init.d/nslcd, /etc/rc.d/init.d/munin-node,
104 /etc/rc.d/init.d/mpd, /etc/rc.d/init.d/rpcbind, /etc/rc.d/init.d/nae‐
105 mon, /etc/rc.d/init.d/roundup, /etc/rc.d/init.d/pcscd,
106 /etc/rc.d/init.d/tuned, /etc/rc.d/init.d/(open)?afs,
107 /etc/rc.d/init.d/openafs-client, /etc/rc.d/init.d/ip6?tables,
108 /etc/rc.d/init.d/ebtables, /etc/rc.d/init.d/nftables,
109 /etc/rc.d/init.d/shorewall.*, /etc/rc.d/init.d/radiusd,
110 /etc/rc.d/init.d/gpsd, /etc/rc.d/init.d/openais,
111 /etc/rc.d/init.d/corosync, /etc/rc.d/init.d/cpglockd,
112 /etc/rc.d/init.d/heartbeat, /etc/rc.d/init.d/pacemaker,
113 /etc/rc.d/init.d/rgmanager, /etc/rc.d/init.d/((ccs)|(ccsd)),
114 /etc/rc.d/init.d/rsyslog, /etc/rc.d/init.d/slapd,
115 /etc/rc.d/init.d/lirc, /etc/rc.d/init.d/(smartd|smartmontools),
116 /etc/rc.d/init.d/dspam, /etc/rc.d/init.d/nmb, /etc/rc.d/init.d/smb,
117 /etc/rc.d/init.d/winbind, /etc/rc.d/init.d/openstack-glance-registry,
118 /etc/rc.d/init.d/certmonger, /etc/rc.d/init.d/radvd,
119 /etc/rc.d/init.d/asterisk, /etc/rc.d/init.d/sasl,
120 /etc/rc.d/init.d/innd, /etc/rc.d/init.d/varnishlog,
121 /etc/rc.d/init.d/varnishncsa, /etc/rc.d/init.d/(zabbix|zabbix-server),
122 /etc/rc.d/init.d/mimedefang.*, /etc/rc.d/init.d/spamd,
123 /etc/rc.d/init.d/pyzord, /etc/rc.d/init.d/spampd,
124 /etc/rc.d/init.d/rtkit-daemon, /etc/rc.d/init.d/nfs,
125 /etc/rc.d/init.d/kprop, /etc/rc.d/init.d/kadmind,
126 /etc/rc.d/init.d/krb524d, /etc/rc.d/init.d/krb5kdc, /etc/init.d/.*,
127 /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*, /opt/nfast/sbin/init.d-nci‐
128 pher, /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*,
129 /usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*),
130 /etc/rc.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl,
131 /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-
132 dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/share/system-
133 config-services/system-config-services-mechanism.py,
134 /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*, /bin/d?ash,
135 /bin/ksh.*, /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*,
136 /bin/esh, /bin/bash, /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh,
137 /bin/yash, /bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash,
138 /usr/bin/fish, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh,
139 /usr/bin/yash, /usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh,
140 /usr/bin/scponly, /usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-
141 shell, /usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-
142 bridge, /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell,
143 /etc/rc.d/init.d/cgconfig, /etc/rc.d/init.d/firewalld,
144 /etc/rc.d/init.d/mcstrans, /etc/rc.d/init.d/slpd,
145 /etc/rc.d/init.d/kdump, /etc/rc.d/init.d/condor,
146 /etc/rc.d/init.d/vnstat, /etc/rc.d/init.d/osad,
147 /etc/rc.d/init.d/kismet.*, /etc/rc.d/init.d/ajaxterm,
148 /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd,
149 /etc/rc.d/init.d/hddtemp, /etc/rc.d/init.d/fail2ban,
150 /etc/rc.d/init.d/sysstat, /etc/rc.d/init.d/drbd,
151 /etc/rc.d/init.d/aiccu, /etc/rc.d/init.d/smokeping,
152 /etc/rc.d/init.d/cmirrord, /etc/firestarter/firestarter.sh,
153 /etc/rc.d/init.d/pulse, /etc/rc.d/init.d/minissdpd, /opt/.*, /usr/.*,
154 /emul/.*, /export(/.*)?, /ostree(/.*)?, /usr/doc(/.*)?/lib(/.*)?,
155 /usr/inclu.e(/.*)?, /usr/share/rpm(/.*)?,
156 /usr/share/doc(/.*)?/README.*, /usr/lib/modules(/.*)/vmlinuz,
157 /usr/lib/modules(/.*)/initramfs.img, /usr/lib/sysimage(/.*)?,
158 /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul,
159 /etc/rc.d/init.d/ciped.*, /etc/rc.d/init.d/boinc-client,
160 /etc/rc.d/init.d/irqbalance, /etc/rc.d/init.d/openstack-glance-api,
161 /etc/rc.d/init.d/tgtd, /etc/rc.d/init.d/hypervkvpd,
162 /etc/rc.d/init.d/ntop, /etc/rc.d/init.d/cgred, /etc/rc.d/init.d/named,
163 /etc/rc.d/init.d/unbound, /etc/rc.d/init.d/named-sdb,
164 /etc/rc.d/init.d/postfix, /etc/rc.d/init.d/portmap,
165 /etc/rc.d/init.d/ddclient, /etc/rc.d/init.d/mon_statd, /etc/NetworkMan‐
166 ager/dispatcher.d(/.*)?, /usr/lib/NetworkManager/dispatcher.d(/.*)?,
167 /etc/rc.d/init.d/wicd, /usr/libexec/ipa/custodia/ipa-custodia-dmldap,
168 /etc/rc.d/init.d/uuidd, /etc/rc.d/init.d/((audio-entropyd)|(haveged)),
169 /etc/rc.d/init.d/lwiod, /etc/rc.d/init.d/lwsmd,
170 /etc/rc.d/init.d/lsassd, /etc/rc.d/init.d/lwregd,
171 /etc/rc.d/init.d/dcerpcd, /etc/rc.d/init.d/srvsvcd,
172 /etc/rc.d/init.d/likewise, /etc/rc.d/init.d/eventlogd,
173 /etc/rc.d/init.d/netlogond, /etc/rc.d/init.d/dhcpd(6)?,
174 /etc/rc.d/init.d/dhcrelay(6)?, /etc/rc.d/init.d/squid,
175 /etc/rc.d/init.d/openct, /etc/rc.d/init.d/certmaster,
176 /etc/rc.d/init.d/autofs, /etc/rc.d/init.d/pmcd,
177 /usr/libexec/pcp/lib/pmcd, /etc/rc.d/init.d/memcached,
178 /etc/rc.d/init.d/ypserv, /etc/rc.d/init.d/ypxfrd,
179 /etc/rc.d/init.d/yppasswd, /etc/rc.d/init.d/zoneminder,
180 /etc/rc.d/init.d/bacula.*, /etc/rc.d/init.d/privoxy,
181 /etc/rc.d/init.d/cpuplugd, /etc/rc.d/init.d/ypbind,
182 /etc/rc.d/init.d/rwhod, /etc/rc.d/init.d/icecast,
183 /etc/rc.d/init.d/ctdb, /etc/rc.d/init.d/couchdb,
184 /etc/rc.d/init.d/apcupsd, /etc/rc.d/init.d/watchdog,
185 /etc/rc.d/init.d/ulogd, /etc/rc.d/init.d/acpid, /etc/rc.d/init.d/abrt,
186 /etc/rc.d/init.d/mysqld, /etc/rc.d/init.d/canna, /etc/rc.d/init.d/pup‐
187 pet, /usr/libexec/ipa/custodia/ipa-custodia-ra-agent,
188 /etc/rc.d/init.d/pmlogger, /usr/libexec/pcp/lib/pmlogger,
189 /etc/rc.d/init.d/zabbix-agentd, /etc/rc.d/init.d/ricci,
190 /etc/rc.d/init.d/gpm, /etc/rc.d/init.d/ksmtuned, /etc/rc.d/init.d/smsd,
191 /etc/rc.d/init.d/ntpd, /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd,
192 /etc/rc.d/init.d/dund, /etc/rc.d/init.d/pand, /etc/rc.d/init.d/blue‐
193 tooth, /etc/rc.d/init.d/(tcsd|trousers),
194 /etc/rc.d/init.d/(snmpd|snmptrapd), /etc/rc.d/init.d/clamd.*,
195 /etc/rc.d/init.d/amavis, /etc/rc.d/init.d/amavisd-snmp,
196 /etc/rc.d/init.d/rngd, /etc/rc.d/init.d/mysqlmanager,
197 /etc/rc.d/init.d/cobblerd, /etc/rc.d/init.d/whatsup-pingd,
198 /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
199 /etc/rc.d/init.d/lighttpd, /etc/rc.d/init.d/libvirtd,
200 /etc/rc.d/init.d/spice-vdagentd, /etc/rc.d/init.d/denyhosts,
201 /etc/rc.d/init.d/atd, /etc/rc.d/init.d/sssd, /etc/rc.d/init.d/call‐
202 weaver, /etc/rc.d/init.d/psacct, /etc/rc.d/init.d/sanlock,
203 /etc/rc.d/init.d/tor, /etc/rc.d/init.d/mcelog, /etc/rc.d/init.d/mdmoni‐
204 tor, /etc/rc.d/init.d/gatherer, /etc/rc.d/init.d/sblim-sfcbd,
205 /etc/rc.d/init.d/qpidd, /etc/rc.d/init.d/cyphesis,
206 /etc/rc.d/init.d/dictd, /etc/rc.d/init.d/rhsmcertd,
207 /etc/rc.d/init.d/pads, /etc/rc.d/init.d/openvpn,
208 /etc/rc.d/init.d/auditd, /etc/rc.d/init.d/cups,
209 /etc/rc.d/init.d/((iodined)|(iodine-server)), /etc/rc.d/init.d/lldpad,
210 /etc/rc.d/init.d/cyrus.*, /etc/rc.d/init.d/pmproxy,
211 /usr/libexec/pcp/lib/pmproxy, /etc/rc.d/init.d/svnserve,
212 /etc/rc.d/init.d/collectd, /etc/rc.d/init.d/puppetmaster,
213 /etc/rc.d/init.d/varnish, /etc/rc.d/init.d/prelude-lml,
214 /etc/rc.d/init.d/prelude-manager, /etc/rc.d/init.d/prelude-correlator,
215 /etc/rc.d/init.d/bgpd, /etc/rc.d/init.d/ripd, /etc/rc.d/init.d/isisd,
216 /etc/rc.d/init.d/ospfd, /etc/rc.d/init.d/zebra,
217 /etc/rc.d/init.d/babeld, /etc/rc.d/init.d/ospf6d, /etc/rc.d/init.d/rip‐
218 ngd, /etc/rc.d/init.d/gdomap, /etc/rc.d/init.d/(se)?postgresql,
219 /etc/rc.d/init.d/cvs, /etc/rc.d/init.d/sensord, /etc/rc.d/init.d/ora‐
220 cleasm, /etc/rc.d/init.d/mrtg, /etc/rc.d/init.d/((cf-serverd)|(cf-moni‐
221 tord)|(cf-execd)), /etc/rc.d/init.d/iwhd,
222 /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp,
223 /etc/rc.d/init.d/MailScanner, /etc/rc.d/init.d/sendmail,
224 /etc/rc.d/init.d/openhpid, /etc/rc.d/init.d/redis,
225 /etc/rc.d/init.d/wdmd, /etc/rc.d/init.d/pmie,
226 /usr/libexec/pcp/lib/pmie, /etc/rc.d/init.d/arpwatch,
227 /etc/rc.d/init.d/bitlbee, /etc/rc.d/init.d/pkcsslotd,
228 /etc/rc.d/init.d/nasd, /etc/rc.d/init.d/uucp, /etc/rc.d/init.d/nfslock,
229 /etc/rc.d/init.d/rpcidmapd, /etc/rc.d/init.d/openstack-keystone,
230 /etc/rc.d/init.d/isnsd, /etc/rc.d/init.d/virtlogd,
231 /etc/rc.d/init.d/bcfg2-server, /etc/rc.d/init.d/dovecot,
232 /etc/rc.d/init.d/ipsec, /etc/rc.d/init.d/racoon,
233 /etc/rc.d/init.d/strongswan, /etc/rc.d/init.d/exim,
234 /etc/rc.d/init.d/sshd, /etc/rc.d/init.d/jabberd, /etc/rc.d/init.d/post‐
235 grey, /etc/rc.d/init.d/rabbitmq-server, /etc/rc.d/init.d/polipo,
236 /etc/rc.d/init.d/snortd, /etc/rc.d/init.d/fcoe, /etc/rc.d/init.d/dns‐
237 masq, /etc/rc.d/init.d/fetchmail, /usr/libexec/ipa/custodia/ipa-custo‐
238 dia-pki-tomcat, /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-
239 wrapped, /etc/rc.d/init.d/openstack-glance-scrubber,
240 /etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios, /etc/rc.d/init.d/psad,
241 /etc/rc.d/init.d/mongod, /etc/rc.d/init.d/mongos,
242 /etc/rc.d/init.d/portreserve, /etc/rc.d/init.d/vhostmd,
243 /etc/rc.d/init.d/chronyd, /etc/rc.d/init.d/.*l2tpd,
244 /etc/rc.d/init.d/sslh, /etc/rc.d/init.d/rhnsd, /etc/rc.d/init.d/blkmapd
245
247 SELinux defines process types (domains) for each process running on the
248 system
249
250 You can see the context of a process using the -Z option to ps
251
252 Policy governs the access confined processes have to files. SELinux
253 initrc policy is very flexible, allowing users to set up their initrc
254 processes in as secure a manner as possible.
255
256 The following process types are defined for initrc:
257
258 initrc_t
259
260 Note: semanage permissive -a initrc_t can be used to make the process
261 type initrc_t permissive. SELinux does not deny access to permissive
262 process types, but the AVC (SELinux denials) messages are still gener‐
263 ated. A permissive domain has no mandatory access control enforced on it at all, so use this only for troubleshooting and revert it afterwards with semanage permissive -d initrc_t.
264
265
267 SELinux policy is customizable based on the least access required. initrc
268 policy is extremely flexible and has several booleans that allow you to
269 manipulate the policy and run initrc with the tightest access possible. Note that the booleans listed below are system-wide settings affecting user and unconfined domains in general, not initrc_t alone; check the current value of each with getsebool rather than relying on the default stated here, since the default depends on the policy build.
270
271
272
273 If you want to deny user domain applications the ability to map a memory
274 region as both executable and writable, you must turn on the deny_execmem
275 boolean. Such writable-and-executable mappings are dangerous, and an
276 executable that requires one should be reported in bugzilla. Enabled by default.
277
278 setsebool -P deny_execmem 1
279
280
281
282 If you want to allow processes to mmap the low area of the address
283 space, below the limit configured by /proc/sys/vm/mmap_min_addr, you must
284 turn on the mmap_low_allowed boolean. Disabled by default. Leave it disabled unless a specific application needs it: mmap_min_addr is a mitigation that keeps the lowest pages unmapped so that a kernel NULL-pointer dereference cannot be turned into execution of attacker-controlled memory.
285
286 setsebool -P mmap_low_allowed 1
287
288
289
290 If you want to disable kernel module loading, you must turn on the
291 secure_mode_insmod boolean. Enabled by default. Verify the current value with getsebool secure_mode_insmod; once it is on, later module loads are refused, so make sure every module the system needs is loaded before enabling it.
292
293 setsebool -P secure_mode_insmod 1
294
295
296
297 If you want to allow unconfined executables to make their heap memory
298 executable, you must turn on the selinuxuser_execheap boolean. Disabled
299 by default. Doing this is a really bad idea: it probably indicates a
300 badly coded executable, but could indicate an attack, and the executable
301 should be reported in bugzilla.
302
303 setsebool -P selinuxuser_execheap 1
304
305
306
307 If you want to allow unconfined executables to make their stack exe‐
308 cutable, you must turn on the selinuxuser_execstack boolean. Disabled by
309 default. This should never, ever be necessary: it probably indicates a
310 badly coded executable, but could indicate an attack, and the executable
311 should be reported in bugzilla.
312
313 setsebool -P selinuxuser_execstack 1
314
315
316
318 The SELinux process type initrc_t can manage files labeled with the
319 following file types. The paths listed are the default paths for these
320 file types. Note that the process's UID still needs to have DAC permissions. Because the only type listed is file_type, which covers every file on the system, initrc_t is not meaningfully confined with respect to files; treat any path that can transition into initrc_t as granting that level of file access.
321
322 file_type
323
324 all files on the system
325
326
328 SELinux requires files to have an extended attribute to define the file
329 type.
330
331 You can see the context of a file using the -Z option to ls
332
333 Policy governs the access confined processes have to these files.
334 SELinux initrc policy is very flexible, allowing users to set up their
335 initrc processes in as secure a manner as possible.
336
337 STANDARD FILE CONTEXT
338
339 SELinux defines the file context types for initrc. If you want to
340 store files with these types in different paths, you need to execute
341 the semanage command to specify the alternate labeling and then use
342 restorecon to put the labels on disk.
343
344 semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
345 restorecon -R -v /srv/myinitrc_content
346
347 Note: SELinux often uses regular expressions to specify labels that
348 match multiple files.
349
350 The following file types are defined for initrc:
351
352
353
354 initrc_devpts_t
355
356 - Set files with the initrc_devpts_t type, if you want to treat the
357 files as initrc devpts data.
358
359
360
361 initrc_exec_t
362
363 - Set files with the initrc_exec_t type, if you want to transition an
364 executable to the initrc_t domain.
365
366
367 Paths:
368 /etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
369 /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
370 /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
371 /opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
372 /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-dirsrv,
373 /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/syscon‐
374 fig/network-scripts/ifup-ipsec, /usr/share/system-config-ser‐
375 vices/system-config-services-mechanism.py
376
377
378 initrc_state_t
379
380 - Set files with the initrc_state_t type, if you want to treat the
381 files as initrc state data.
382
383
384
385 initrc_tmp_t
386
387 - Set files with the initrc_tmp_t type, if you want to store initrc
388 temporary files in the /tmp directories.
389
390
391
392 initrc_var_log_t
393
394 - Set files with the initrc_var_log_t type, if you want to treat the
395 data as initrc var log data, usually stored under the /var/log direc‐
396 tory.
397
398
399
400 initrc_var_run_t
401
402 - Set files with the initrc_var_run_t type, if you want to store the
403 initrc files under the /run or /var/run directory.
404
405
406 Paths:
407 /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
408 /var/run/setmixer_flag
409
410
411 Note: File context can be temporarily modified with the chcon command,
412 but such changes are lost on the next relabel or restorecon. If you want
413 to permanently change the file context you need to use the semanage
414 fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.
415
416
418 semanage fcontext can also be used to manipulate default file context
419 mappings.
420
421 semanage permissive can also be used to manipulate whether or not a
422 process type is permissive.
423
424 semanage module can also be used to enable/disable/install/remove pol‐
425 icy modules.
426
427 semanage boolean can also be used to manipulate the booleans
428
429
430 system-config-selinux is a GUI tool available to customize SELinux pol‐
431 icy settings.
432
433
435 This manual page was auto-generated using sepolicy manpage.
436
437
439 selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1), sepol‐
440 icy(8), setsebool(8)
441
442
443
444initrc 21-03-26 initrc_selinux(8)