1initrc_selinux(8)            SELinux Policy initrc           initrc_selinux(8)
2
3
4

NAME

6       initrc_selinux  -  Security  Enhanced  Linux Policy for the initrc pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  initrc  processes  via  flexible
11       mandatory access control.
12
13       The  initrc  processes  execute with the initrc_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep initrc_t
20
21
22

ENTRYPOINTS

24       The  initrc_t  SELinux  type  can  be  entered  via  the fetchmail_ini‐
25       trc_exec_t,  usr_t,  bcfg2_initrc_exec_t,   zabbix_agent_initrc_exec_t,
26       canna_initrc_exec_t,   zabbix_initrc_exec_t,   rhsmcertd_initrc_exec_t,
27       ricci_initrc_exec_t,  mpd_initrc_exec_t,   roundup_initrc_exec_t,   ra‐
28       diusd_initrc_exec_t,    ipa_custodia_dmldap_exec_t,   pcp_pmlogger_ini‐
29       trc_exec_t,  cyphesis_initrc_exec_t,  cpuplug_initrc_exec_t,  rpcd_ini‐
30       trc_exec_t,    ccs_initrc_exec_t,   foghorn_initrc_exec_t,   squid_ini‐
31       trc_exec_t, pki_ra_script_exec_t, arpwatch_initrc_exec_t,  vhostmd_ini‐
32       trc_exec_t,   uuidd_initrc_exec_t,   kismet_initrc_exec_t,   zebra_ini‐
33       trc_exec_t,  l2tpd_initrc_exec_t,  initrc_exec_t,   ntpd_initrc_exec_t,
34       minidlna_initrc_exec_t,     mon_statd_initrc_exec_t,     smokeping_ini‐
35       trc_exec_t,  innd_initrc_exec_t,  memcached_initrc_exec_t,   spamd_ini‐
36       trc_exec_t,   dhcpd_initrc_exec_t,   sshd_initrc_exec_t,  keystone_ini‐
37       trc_exec_t,    drbd_initrc_exec_t,    named_initrc_exec_t,    osad_ini‐
38       trc_exec_t,  iodined_initrc_exec_t,  cyrus_initrc_exec_t, watchdog_ini‐
39       trc_exec_t,  polipo_initrc_exec_t,   iwhd_initrc_exec_t,   vnstatd_ini‐
40       trc_exec_t,  rpcbind_initrc_exec_t,  bitlbee_initrc_exec_t,  cgred_ini‐
41       trc_exec_t, postgresql_initrc_exec_t, bin_t,  pcp_plugin_initrc_exec_t,
42       tgtd_initrc_exec_t,    saslauthd_initrc_exec_t,   lldpad_initrc_exec_t,
43       avahi_initrc_exec_t, glusterd_initrc_exec_t, slapd_initrc_exec_t,  pup‐
44       petagent_initrc_exec_t,   rabbitmq_initrc_exec_t,  pingd_initrc_exec_t,
45       callweaver_initrc_exec_t,    asterisk_initrc_exec_t,     automount_ini‐
46       trc_exec_t, conntrackd_initrc_exec_t, nfsd_initrc_exec_t, ddclient_ini‐
47       trc_exec_t,   apmd_initrc_exec_t,    lircd_initrc_exec_t,    radvd_ini‐
48       trc_exec_t,  firewalld_initrc_exec_t,  rwho_initrc_exec_t, sysstat_ini‐
49       trc_exec_t, uucpd_initrc_exec_t, pcp_pmproxy_initrc_exec_t,  isnsd_ini‐
50       trc_exec_t,          nis_initrc_exec_t,         cobblerd_initrc_exec_t,
51       pki_tps_script_exec_t,  cgconfig_initrc_exec_t,  icecast_initrc_exec_t,
52       fcoemon_initrc_exec_t, chronyd_initrc_exec_t, cupsd_initrc_exec_t, con‐
53       dor_initrc_exec_t,   certmaster_initrc_exec_t,   prelude_initrc_exec_t,
54       neutron_initrc_exec_t,     rtkit_daemon_initrc_exec_t,     hddtemp_ini‐
55       trc_exec_t,   openhpid_initrc_exec_t,   fsdaemon_initrc_exec_t,    jab‐
56       berd_initrc_exec_t, antivirus_initrc_exec_t, soundd_initrc_exec_t, dns‐
57       masq_initrc_exec_t,   tor_initrc_exec_t,   snmpd_initrc_exec_t,   post‐
58       fix_initrc_exec_t,  dictd_initrc_exec_t,  hypervkvp_initrc_exec_t, col‐
59       lectd_initrc_exec_t,   minissdpd_initrc_exec_t,    clvmd_initrc_exec_t,
60       glance_registry_initrc_exec_t,   munin_initrc_exec_t,  portreserve_ini‐
61       trc_exec_t, certmonger_initrc_exec_t,  pcscd_initrc_exec_t,  sblim_ini‐
62       trc_exec_t,    gpm_initrc_exec_t,    ctdbd_initrc_exec_t,   gdomap_ini‐
63       trc_exec_t,   rhnsd_initrc_exec_t,    oracleasm_initrc_exec_t,    blue‐
64       tooth_initrc_exec_t,     kerberos_initrc_exec_t,    wdmd_initrc_exec_t,
65       kdump_initrc_exec_t,   nagios_initrc_exec_t,    pcp_pmie_initrc_exec_t,
66       amtu_initrc_exec_t,          setrans_initrc_exec_t,          ipa_custo‐
67       dia_ra_agent_exec_t,   irqbalance_initrc_exec_t,    rngd_initrc_exec_t,
68       ulogd_initrc_exec_t,      naemon_initrc_exec_t,     abrt_initrc_exec_t,
69       dspam_initrc_exec_t,    virtd_initrc_exec_t,    pcp_pmcd_initrc_exec_t,
70       slpd_initrc_exec_t,     sendmail_initrc_exec_t,    ciped_initrc_exec_t,
71       tuned_initrc_exec_t,     acct_initrc_exec_t,      mongod_initrc_exec_t,
72       glance_scrubber_initrc_exec_t,     syslogd_initrc_exec_t,     ntop_ini‐
73       trc_exec_t,  cluster_initrc_exec_t,  openvpn_initrc_exec_t,   exim_ini‐
74       trc_exec_t,  glance_api_initrc_exec_t, httpd_initrc_exec_t, mysqld_ini‐
75       trc_exec_t,  samba_initrc_exec_t,  qpidd_initrc_exec_t,   fail2ban_ini‐
76       trc_exec_t,   ipa_custodia_pki_tomcat_exec_t,   postgrey_initrc_exec_t,
77       boinc_initrc_exec_t, virtlogd_initrc_exec_t, pppd_initrc_exec_t,  ajax‐
78       term_initrc_exec_t,       mdadm_initrc_exec_t,      nscd_initrc_exec_t,
79       cfengine_initrc_exec_t,     dlm_controld_initrc_exec_t,      nslcd_ini‐
80       trc_exec_t,   snort_initrc_exec_t,  auditd_initrc_exec_t,  couchdb_ini‐
81       trc_exec_t,   redis_initrc_exec_t,    mscan_initrc_exec_t,    gpsd_ini‐
82       trc_exec_t,   ypbind_initrc_exec_t,   ftpd_initrc_exec_t,  blkmapd_ini‐
83       trc_exec_t,  smsd_initrc_exec_t,  iptables_initrc_exec_t,   mcelog_ini‐
84       trc_exec_t, mysqlmanagerd_initrc_exec_t, dhcpc_helper_exec_t, sssd_ini‐
85       trc_exec_t,     piranha_pulse_initrc_exec_t,      bacula_initrc_exec_t,
86       ipsec_initrc_exec_t,   cmirrord_initrc_exec_t,  entropyd_initrc_exec_t,
87       afs_initrc_exec_t, sensord_initrc_exec_t, sslh_initrc_exec_t, pads_ini‐
88       trc_exec_t,        apcupsd_initrc_exec_t,       varnishd_initrc_exec_t,
89       pkcs_slotd_initrc_exec_t,    ksmtuned_initrc_exec_t,    zoneminder_ini‐
90       trc_exec_t,       sanlock_initrc_exec_t,       shorewall_initrc_exec_t,
91       portmap_initrc_exec_t,    puppetmaster_initrc_exec_t,     vdagentd_ini‐
92       trc_exec_t, denyhosts_initrc_exec_t, varnishlog_initrc_exec_t, Network‐
93       Manager_initrc_exec_t, tcsd_initrc_exec_t, openct_initrc_exec_t,  dove‐
94       cot_initrc_exec_t,      svnserve_initrc_exec_t,     mrtg_initrc_exec_t,
95       privoxy_initrc_exec_t,    crond_initrc_exec_t,     aiccu_initrc_exec_t,
96       cvs_initrc_exec_t,   shell_exec_t,   psad_initrc_exec_t,  likewise_ini‐
97       trc_exec_t file types.
98
99       The default entrypoint paths for the initrc_t domain are the following:
100
101       All executables with the default executable label,  usually  stored  in
102       /usr/bin  and /usr/sbin.  /etc/rc.d/init.d/fetchmail, /opt/.*, /usr/.*,
103       /emul/.*,   /export(/.*)?,   /ostree(/.*)?,   /usr/doc(/.*)?/lib(/.*)?,
104       /usr/inclu.e(/.*)?,                               /usr/share/rpm(/.*)?,
105       /usr/share/doc(/.*)?/README.*,           /usr/lib/modules(/.*)/vmlinuz,
106       /usr/lib/modules(/.*)/initramfs.img,           /usr/lib/sysimage(/.*)?,
107       /usr/lib/ostree-boot(/.*)?,         /opt,         /usr,          /emul,
108       /etc/rc.d/init.d/bcfg2-server,          /etc/rc.d/init.d/zabbix-agentd,
109       /etc/rc.d/init.d/canna,        /etc/rc.d/init.d/(zabbix|zabbix-server),
110       /etc/rc.d/init.d/rhsmcertd,                     /etc/rc.d/init.d/ricci,
111       /etc/rc.d/init.d/mpd,  /etc/rc.d/init.d/roundup,   /etc/rc.d/init.d/ra‐
112       diusd,                   /usr/libexec/ipa/custodia/ipa-custodia-dmldap,
113       /etc/rc.d/init.d/pmlogger,               /usr/libexec/pcp/lib/pmlogger,
114       /etc/rc.d/init.d/cyphesis,                   /etc/rc.d/init.d/cpuplugd,
115       /etc/rc.d/init.d/nfslock,                   /etc/rc.d/init.d/rpcidmapd,
116       /etc/rc.d/init.d/((ccs)|(ccsd)),                /etc/rc.d/init.d/squid,
117       /etc/rc.d/init.d/arpwatch,                    /etc/rc.d/init.d/vhostmd,
118       /etc/rc.d/init.d/uuidd,                      /etc/rc.d/init.d/kismet.*,
119       /etc/rc.d/init.d/bgpd,  /etc/rc.d/init.d/ripd,  /etc/rc.d/init.d/isisd,
120       /etc/rc.d/init.d/ospfd,   /etc/rc.d/init.d/zebra,  /etc/rc.d/init.d/ba‐
121       beld,         /etc/rc.d/init.d/ospf6d,         /etc/rc.d/init.d/ripngd,
122       /etc/rc.d/init.d/.*l2tpd,      /etc/init.d/.*,      /etc/rc.d/rc.[^/]+,
123       /etc/rc.d/init.d/.*,                    /opt/nfast/sbin/init.d-ncipher,
124       /usr/libexec/dcc/stop-.*,    /usr/libexec/dcc/start-.*,   /usr/lib/sys‐
125       temd/fedora[^/]*,     /opt/nfast/scripts/init.d/(.*),     /etc/rc.d/rc,
126       /etc/X11/prefdm,  /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-
127       dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/syscon‐
128       fig/network-scripts/ifup-ipsec,  /usr/share/system-config-services/sys‐
129       tem-config-services-mechanism.py,                /etc/rc.d/init.d/ntpd,
130       /etc/rc.d/init.d/minidlna,                  /etc/rc.d/init.d/mon_statd,
131       /etc/rc.d/init.d/smokeping,                      /etc/rc.d/init.d/innd,
132       /etc/rc.d/init.d/memcached,              /etc/rc.d/init.d/mimedefang.*,
133       /etc/rc.d/init.d/spamd,                        /etc/rc.d/init.d/pyzord,
134       /etc/rc.d/init.d/spampd,                    /etc/rc.d/init.d/dhcpd(6)?,
135       /etc/rc.d/init.d/dhcrelay(6)?,                   /etc/rc.d/init.d/sshd,
136       /etc/rc.d/init.d/openstack-keystone,             /etc/rc.d/init.d/drbd,
137       /etc/rc.d/init.d/named,                       /etc/rc.d/init.d/unbound,
138       /etc/rc.d/init.d/named-sdb,                      /etc/rc.d/init.d/osad,
139       /etc/rc.d/init.d/((iodined)|(iodine-server)), /etc/rc.d/init.d/cyrus.*,
140       /etc/rc.d/init.d/watchdog,                     /etc/rc.d/init.d/polipo,
141       /etc/rc.d/init.d/iwhd,                         /etc/rc.d/init.d/vnstat,
142       /etc/rc.d/init.d/rpcbind,                     /etc/rc.d/init.d/bitlbee,
143       /etc/rc.d/init.d/cgred,               /etc/rc.d/init.d/(se)?postgresql,
144       /etc/rc.d/init.d/tgtd,  /etc/rc.d/init.d/sasl, /etc/rc.d/init.d/lldpad,
145       /etc/rc.d/init.d/avahi.*,  /etc/rc.d/init.d/gluster.*,  /usr/sbin/glus‐
146       terd,          /etc/rc.d/init.d/slapd,         /etc/rc.d/init.d/puppet,
147       /etc/rc.d/init.d/rabbitmq-server,       /etc/rc.d/init.d/whatsup-pingd,
148       /etc/rc.d/init.d/callweaver,                 /etc/rc.d/init.d/asterisk,
149       /etc/rc.d/init.d/autofs,   /etc/rc.d/init.d/nfs,   /etc/rc.d/init.d/dd‐
150       client,          /etc/rc.d/init.d/acpid,         /etc/rc.d/init.d/lirc,
151       /etc/rc.d/init.d/radvd,                     /etc/rc.d/init.d/firewalld,
152       /etc/rc.d/init.d/rwhod,                       /etc/rc.d/init.d/sysstat,
153       /etc/rc.d/init.d/uucp,                        /etc/rc.d/init.d/pmproxy,
154       /usr/libexec/pcp/lib/pmproxy,                   /etc/rc.d/init.d/isnsd,
155       /etc/rc.d/init.d/ypserv, /etc/rc.d/init.d/ypxfrd,  /etc/rc.d/init.d/yp‐
156       passwd,      /etc/rc.d/init.d/cobblerd,      /etc/rc.d/init.d/cgconfig,
157       /etc/rc.d/init.d/icecast,                        /etc/rc.d/init.d/fcoe,
158       /etc/rc.d/init.d/chronyd,  /etc/rc.d/init.d/cups, /etc/rc.d/init.d/con‐
159       dor,     /etc/rc.d/init.d/certmaster,     /etc/rc.d/init.d/prelude-lml,
160       /etc/rc.d/init.d/prelude-manager,  /etc/rc.d/init.d/prelude-correlator,
161       /etc/rc.d/init.d/neutron.*,                 /etc/rc.d/init.d/quantum.*,
162       /etc/rc.d/init.d/rtkit-daemon,                /etc/rc.d/init.d/hddtemp,
163       /etc/rc.d/init.d/openhpid,     /etc/rc.d/init.d/(smartd|smartmontools),
164       /etc/rc.d/init.d/jabberd,                     /etc/rc.d/init.d/clamd.*,
165       /etc/rc.d/init.d/amavis,                 /etc/rc.d/init.d/amavisd-snmp,
166       /etc/rc.d/init.d/nasd,  /etc/rc.d/init.d/dnsmasq, /etc/rc.d/init.d/tor,
167       /etc/rc.d/init.d/(snmpd|snmptrapd),           /etc/rc.d/init.d/postfix,
168       /etc/rc.d/init.d/dictd,                    /etc/rc.d/init.d/hypervkvpd,
169       /etc/rc.d/init.d/collectd,                  /etc/rc.d/init.d/minissdpd,
170       /etc/rc.d/init.d/openstack-glance-registry,     /etc/rc.d/init.d/munin-
171       node,    /etc/rc.d/init.d/portreserve,     /etc/rc.d/init.d/certmonger,
172       /etc/rc.d/init.d/pcscd,                      /etc/rc.d/init.d/gatherer,
173       /etc/rc.d/init.d/sblim-sfcbd,                     /etc/rc.d/init.d/gpm,
174       /etc/rc.d/init.d/ctdb, /etc/rc.d/init.d/gdomap, /etc/rc.d/init.d/rhnsd,
175       /etc/rc.d/init.d/oracleasm,                      /etc/rc.d/init.d/dund,
176       /etc/rc.d/init.d/pand,                      /etc/rc.d/init.d/bluetooth,
177       /etc/rc.d/init.d/kprop,                       /etc/rc.d/init.d/kadmind,
178       /etc/rc.d/init.d/krb524d,                     /etc/rc.d/init.d/krb5kdc,
179       /etc/rc.d/init.d/wdmd,  /etc/rc.d/init.d/kdump,  /etc/rc.d/init.d/nrpe,
180       /etc/rc.d/init.d/nagios,                         /etc/rc.d/init.d/pmie,
181       /usr/libexec/pcp/lib/pmie, /etc/rc.d/init.d/amtu,  /etc/rc.d/init.d/mc‐
182       strans,                /usr/libexec/ipa/custodia/ipa-custodia-ra-agent,
183       /etc/rc.d/init.d/irqbalance,                     /etc/rc.d/init.d/rngd,
184       /etc/rc.d/init.d/ulogd, /etc/rc.d/init.d/naemon, /etc/rc.d/init.d/abrt,
185       /etc/rc.d/init.d/dspam,                      /etc/rc.d/init.d/libvirtd,
186       /etc/rc.d/init.d/pmcd,                       /usr/libexec/pcp/lib/pmcd,
187       /etc/rc.d/init.d/slpd,                       /etc/rc.d/init.d/sendmail,
188       /etc/rc.d/init.d/ciped.*,                       /etc/rc.d/init.d/tuned,
189       /etc/rc.d/init.d/psacct, /etc/rc.d/init.d/mongod, /etc/rc.d/init.d/mon‐
190       gos, /etc/rc.d/init.d/openstack-glance-scrubber, /etc/rc.d/init.d/rsys‐
191       log,          /etc/rc.d/init.d/ntop,          /etc/rc.d/init.d/openais,
192       /etc/rc.d/init.d/corosync,                   /etc/rc.d/init.d/cpglockd,
193       /etc/rc.d/init.d/heartbeat,                 /etc/rc.d/init.d/pacemaker,
194       /etc/rc.d/init.d/rgmanager,                   /etc/rc.d/init.d/openvpn,
195       /etc/rc.d/init.d/exim,           /etc/rc.d/init.d/openstack-glance-api,
196       /etc/init.d/cherokee,                           /etc/rc.d/init.d/httpd,
197       /etc/rc.d/init.d/lighttpd,                     /etc/rc.d/init.d/mysqld,
198       /etc/rc.d/init.d/nmb,  /etc/rc.d/init.d/smb,  /etc/rc.d/init.d/winbind,
199       /etc/rc.d/init.d/qpidd,                      /etc/rc.d/init.d/fail2ban,
200       /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat,
201       /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped,
202       /etc/rc.d/init.d/postgrey,               /etc/rc.d/init.d/boinc-client,
203       /etc/rc.d/init.d/virtlogd,         /etc/ppp/(auth|ip(v6|x)?)-(up|down),
204       /etc/rc.d/init.d/ppp,  /etc/rc.d/init.d/ajaxterm,  /etc/rc.d/init.d/md‐
205       monitor, /etc/rc.d/init.d/nscd, /etc/rc.d/init.d/((cf-serverd)|(cf-mon‐
206       itord)|(cf-execd)),   /etc/rc.d/init.d/nslcd,  /etc/rc.d/init.d/snortd,
207       /etc/rc.d/init.d/auditd, /etc/rc.d/init.d/couchdb, /etc/rc.d/init.d/re‐
208       dis,        /etc/rc.d/init.d/MailScanner,        /etc/rc.d/init.d/gpsd,
209       /etc/rc.d/init.d/ypbind,                       /etc/rc.d/init.d/vsftpd,
210       /etc/rc.d/init.d/proftpd,                     /etc/rc.d/init.d/blkmapd,
211       /etc/rc.d/init.d/smsd,                     /etc/rc.d/init.d/ip6?tables,
212       /etc/rc.d/init.d/ebtables,                   /etc/rc.d/init.d/nftables,
213       /etc/rc.d/init.d/mcelog,                 /etc/rc.d/init.d/mysqlmanager,
214       /etc/firestarter/firestarter.sh,                 /etc/rc.d/init.d/sssd,
215       /etc/rc.d/init.d/pulse,                      /etc/rc.d/init.d/bacula.*,
216       /etc/rc.d/init.d/ipsec,                        /etc/rc.d/init.d/racoon,
217       /etc/rc.d/init.d/strongswan,                 /etc/rc.d/init.d/cmirrord,
218       /etc/rc.d/init.d/((audio-entropyd)|(haveged)),
219       /etc/rc.d/init.d/(open)?afs,           /etc/rc.d/init.d/openafs-client,
220       /etc/rc.d/init.d/sensord, /etc/rc.d/init.d/sslh, /etc/rc.d/init.d/pads,
221       /etc/rc.d/init.d/apcupsd,                     /etc/rc.d/init.d/varnish,
222       /etc/rc.d/init.d/pkcsslotd,                  /etc/rc.d/init.d/ksmtuned,
223       /etc/rc.d/init.d/zoneminder,                  /etc/rc.d/init.d/sanlock,
224       /etc/rc.d/init.d/shorewall.*,                 /etc/rc.d/init.d/portmap,
225       /etc/rc.d/init.d/puppetmaster,         /etc/rc.d/init.d/spice-vdagentd,
226       /etc/rc.d/init.d/denyhosts,                /etc/rc.d/init.d/varnishlog,
227       /etc/rc.d/init.d/varnishncsa,   /etc/NetworkManager/dispatcher.d(/.*)?,
228       /usr/lib/NetworkManager/dispatcher.d(/.*)?,      /etc/rc.d/init.d/wicd,
229       /etc/rc.d/init.d/(tcsd|trousers),              /etc/rc.d/init.d/openct,
230       /etc/rc.d/init.d/dovecot,                    /etc/rc.d/init.d/svnserve,
231       /etc/rc.d/init.d/mrtg, /etc/rc.d/init.d/privoxy,  /etc/rc.d/init.d/atd,
232       /etc/rc.d/init.d/aiccu,  /etc/rc.d/init.d/cvs,  /bin/d?ash, /bin/ksh.*,
233       /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*,  /usr/bin/zsh.*,  /bin/esh,
234       /bin/bash,   /bin/fish,  /bin/mksh,  /bin/sash,  /bin/tcsh,  /bin/yash,
235       /bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash,  /usr/bin/fish,
236       /usr/bin/mksh,     /usr/bin/sash,     /usr/bin/tcsh,     /usr/bin/yash,
237       /usr/bin/bash2,  /usr/sbin/sesh,   /usr/sbin/smrsh,   /usr/bin/scponly,
238       /usr/libexec/sesh,        /usr/sbin/nologin,        /usr/bin/git-shell,
239       /usr/sbin/scponlyc,  /usr/libexec/sudo/sesh,   /usr/bin/cockpit-bridge,
240       /usr/libexec/cockpit-agent,            /usr/libexec/git-core/git-shell,
241       /etc/rc.d/init.d/psad, /etc/rc.d/init.d/lwiod,  /etc/rc.d/init.d/lwsmd,
242       /etc/rc.d/init.d/lsassd,                       /etc/rc.d/init.d/lwregd,
243       /etc/rc.d/init.d/dcerpcd,                     /etc/rc.d/init.d/srvsvcd,
244       /etc/rc.d/init.d/likewise,                  /etc/rc.d/init.d/eventlogd,
245       /etc/rc.d/init.d/netlogond
246

PROCESS TYPES

248       SELinux defines process types (domains) for each process running on the
249       system.
250
251       You can see the context of a process using the -Z option to ps
252
253       Policy  governs  the  access confined processes have to files.  SELinux
254       initrc policy is very flexible allowing users  to  setup  their  initrc
255       processes in as secure a method as possible.
256
257       The following process types are defined for initrc:
258
259       initrc_t
260
261       Note:  semanage  permissive -a initrc_t can be used to make the process
262       type initrc_t permissive. SELinux does not deny  access  to  permissive
263       process  types, but the AVC (SELinux denials) messages are still gener‐
264       ated.
265
266

BOOLEANS

268       SELinux policy is customizable based on least access required.   initrc
269       policy is extremely flexible and has several booleans that allow you to
270       manipulate the policy and run initrc with the tightest access possible.
271
272
273
274       If you want to deny user domains applications the ability to map a
275       memory region as both executable and writable, you must turn on the
276       deny_execmem boolean. Such a mapping is dangerous, and the executable
277       should be reported in bugzilla. Enabled by default.
278
279       setsebool -P deny_execmem 1
280
281
282
283       If  you  want  to control the ability to mmap a low area of the address
284       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
285       the mmap_low_allowed boolean. Disabled by default.
286
287       setsebool -P mmap_low_allowed 1
288
289
290
291       If  you want to disable kernel module loading, you must turn on the se‐
292       cure_mode_insmod boolean. Enabled by default.
293
294       setsebool -P secure_mode_insmod 1
295
296
297
298       If you want to allow unconfined executables to make their heap memory
299       executable, you must turn on the selinuxuser_execheap boolean. Doing
300       this is a really bad idea: it probably indicates a badly coded
301       executable, but could indicate an attack. The executable should be
302       reported in bugzilla. Disabled by default.
303
304       setsebool -P selinuxuser_execheap 1
305
306
307
308       If you want to allow unconfined executables to make their stack
309       executable, you must turn on the selinuxuser_execstack boolean. This
310       should never, ever be necessary: it probably indicates a badly coded
311       executable, but could indicate an attack. The executable should be
312       reported in bugzilla. Enabled by default.
313
314       setsebool -P selinuxuser_execstack 1
315
316
317

MANAGED FILES

319       The SELinux process type initrc_t can manage  files  labeled  with  the
320       following file types.  The paths listed are the default paths for these
321       file types.  Note that the process's UID still needs to have DAC permissions.
322
323       file_type
324
325            all files on the system
326
327

FILE CONTEXTS

329       SELinux requires files to have an extended attribute to define the file
330       type.
331
332       You can see the context of a file using the -Z option to ls
333
334       Policy  governs  the  access  confined  processes  have to these files.
335       SELinux initrc policy is very flexible allowing users  to  setup  their
336       initrc processes in as secure a method as possible.
337
338       STANDARD FILE CONTEXT
339
340       SELinux defines the file context types for initrc. If you want to
341       store files with these types in different paths, you need to execute
342       the semanage command to specify alternate labeling and then use
343       restorecon to put the labels on disk.
344
345       semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
346       restorecon -R -v /srv/myinitrc_content
347
348       Note: SELinux often uses regular expressions  to  specify  labels  that
349       match multiple files.
350
351       The following file types are defined for initrc:
352
353
354
355       initrc_devpts_t
356
357       -  Set  files  with  the initrc_devpts_t type, if you want to treat the
358       files as initrc devpts data.
359
360
361
362       initrc_exec_t
363
364       - Set files with the initrc_exec_t type, if you want to  transition  an
365       executable to the initrc_t domain.
366
367
368       Paths:
369            /etc/init.d/.*,      /etc/rc.d/rc.[^/]+,      /etc/rc.d/init.d/.*,
370            /opt/nfast/sbin/init.d-ncipher,          /usr/libexec/dcc/stop-.*,
371            /usr/libexec/dcc/start-.*,           /usr/lib/systemd/fedora[^/]*,
372            /opt/nfast/scripts/init.d/(.*),   /etc/rc.d/rc,   /etc/X11/prefdm,
373            /usr/sbin/startx,    /usr/bin/sepg_ctl,    /usr/sbin/start-dirsrv,
374            /usr/sbin/open_init_pty,  /usr/sbin/restart-dirsrv,   /etc/syscon‐
375            fig/network-scripts/ifup-ipsec,      /usr/share/system-config-ser‐
376            vices/system-config-services-mechanism.py
377
378
379       initrc_state_t
380
381       - Set files with the initrc_state_t type, if  you  want  to  treat  the
382       files as initrc state data.
383
384
385
386       initrc_tmp_t
387
388       -  Set  files  with  the initrc_tmp_t type, if you want to store initrc
389       temporary files in the /tmp directories.
390
391
392
393       initrc_var_log_t
394
395       - Set files with the initrc_var_log_t type, if you want  to  treat  the
396       data  as  initrc var log data, usually stored under the /var/log direc‐
397       tory.
398
399
400
401       initrc_var_run_t
402
403       - Set files with the initrc_var_run_t type, if you want  to  store  the
404       initrc files under the /run or /var/run directory.
405
406
407       Paths:
408            /var/run/utmp,     /var/run/random-seed,    /var/run/runlevel.dir,
409            /var/run/setmixer_flag
410
411
412       Note: File context can be temporarily modified with the chcon  command.
413       If  you want to permanently change the file context you need to use the
414       semanage fcontext command.  This will modify the SELinux labeling data‐
415       base.  You will need to use restorecon to apply the labels.
416
417

COMMANDS

419       semanage  fcontext  can also be used to manipulate default file context
420       mappings.
421
422       semanage permissive can also be used to manipulate  whether  or  not  a
423       process type is permissive.
424
425       semanage  module can also be used to enable/disable/install/remove pol‐
426       icy modules.
427
428       semanage boolean can also be used to manipulate the booleans
429
430
431       system-config-selinux is a GUI tool available to customize SELinux pol‐
432       icy settings.
433
434

AUTHOR

436       This manual page was auto-generated using sepolicy manpage.
437
438

SEE ALSO

440       selinux(8),  initrc(8),  semanage(8),  restorecon(8),  chcon(1), sepol‐
441       icy(8), setsebool(8)
442
443
444
445initrc                             21-06-09                  initrc_selinux(8)