initrc_selinux(8) SELinux Policy initrc initrc_selinux(8)
2
3
4
initrc_selinux - Security-Enhanced Linux policy for the initrc processes
8
10 Security-Enhanced Linux secures the initrc processes via flexible
11 mandatory access control.
12
The initrc processes execute with the initrc_t SELinux type. You can
check whether these processes are running by executing the ps command
with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep initrc_t
20
21
22
The initrc_t SELinux type can be entered via the fetchmail_initrc_exec_t,
usr_t, bcfg2_initrc_exec_t, zabbix_agent_initrc_exec_t,
canna_initrc_exec_t, zabbix_initrc_exec_t, rhsmcertd_initrc_exec_t,
ricci_initrc_exec_t, mpd_initrc_exec_t, roundup_initrc_exec_t,
radiusd_initrc_exec_t, ipa_custodia_dmldap_exec_t,
pcp_pmlogger_initrc_exec_t, cyphesis_initrc_exec_t,
cpuplug_initrc_exec_t, rpcd_initrc_exec_t, ccs_initrc_exec_t,
foghorn_initrc_exec_t, squid_initrc_exec_t, pki_ra_script_exec_t,
arpwatch_initrc_exec_t, vhostmd_initrc_exec_t, uuidd_initrc_exec_t,
kismet_initrc_exec_t, zebra_initrc_exec_t, l2tpd_initrc_exec_t,
initrc_exec_t, ntpd_initrc_exec_t, minidlna_initrc_exec_t,
mon_statd_initrc_exec_t, smokeping_initrc_exec_t, innd_initrc_exec_t,
memcached_initrc_exec_t, spamd_initrc_exec_t, dhcpd_initrc_exec_t,
sshd_initrc_exec_t, keystone_initrc_exec_t, drbd_initrc_exec_t,
named_initrc_exec_t, osad_initrc_exec_t, iodined_initrc_exec_t,
cyrus_initrc_exec_t, watchdog_initrc_exec_t, polipo_initrc_exec_t,
iwhd_initrc_exec_t, vnstatd_initrc_exec_t, rpcbind_initrc_exec_t,
bitlbee_initrc_exec_t, cgred_initrc_exec_t, postgresql_initrc_exec_t,
bin_t, pcp_plugin_initrc_exec_t, tgtd_initrc_exec_t,
saslauthd_initrc_exec_t, lldpad_initrc_exec_t, avahi_initrc_exec_t,
glusterd_initrc_exec_t, slapd_initrc_exec_t, puppetagent_initrc_exec_t,
rabbitmq_initrc_exec_t, pingd_initrc_exec_t, callweaver_initrc_exec_t,
asterisk_initrc_exec_t, automount_initrc_exec_t,
conntrackd_initrc_exec_t, nfsd_initrc_exec_t, ddclient_initrc_exec_t,
apmd_initrc_exec_t, lircd_initrc_exec_t, radvd_initrc_exec_t,
firewalld_initrc_exec_t, rwho_initrc_exec_t, sysstat_initrc_exec_t,
uucpd_initrc_exec_t, pcp_pmproxy_initrc_exec_t, isnsd_initrc_exec_t,
nis_initrc_exec_t, cobblerd_initrc_exec_t, pki_tps_script_exec_t,
cgconfig_initrc_exec_t, icecast_initrc_exec_t, fcoemon_initrc_exec_t,
chronyd_initrc_exec_t, cupsd_initrc_exec_t, condor_initrc_exec_t,
certmaster_initrc_exec_t, prelude_initrc_exec_t, neutron_initrc_exec_t,
rtkit_daemon_initrc_exec_t, hddtemp_initrc_exec_t,
openhpid_initrc_exec_t, fsdaemon_initrc_exec_t, jabberd_initrc_exec_t,
antivirus_initrc_exec_t, soundd_initrc_exec_t, dnsmasq_initrc_exec_t,
tor_initrc_exec_t, snmpd_initrc_exec_t, postfix_initrc_exec_t,
dictd_initrc_exec_t, hypervkvp_initrc_exec_t, collectd_initrc_exec_t,
minissdpd_initrc_exec_t, clvmd_initrc_exec_t,
glance_registry_initrc_exec_t, munin_initrc_exec_t,
portreserve_initrc_exec_t, certmonger_initrc_exec_t,
pcscd_initrc_exec_t, sblim_initrc_exec_t, gpm_initrc_exec_t,
ctdbd_initrc_exec_t, gdomap_initrc_exec_t, rhnsd_initrc_exec_t,
oracleasm_initrc_exec_t, bluetooth_initrc_exec_t,
kerberos_initrc_exec_t, wdmd_initrc_exec_t, kdump_initrc_exec_t,
nagios_initrc_exec_t, pcp_pmie_initrc_exec_t, amtu_initrc_exec_t,
setrans_initrc_exec_t, ipa_custodia_ra_agent_exec_t,
irqbalance_initrc_exec_t, rngd_initrc_exec_t, ulogd_initrc_exec_t,
naemon_initrc_exec_t, abrt_initrc_exec_t, dspam_initrc_exec_t,
virtd_initrc_exec_t, pcp_pmcd_initrc_exec_t, slpd_initrc_exec_t,
sendmail_initrc_exec_t, ciped_initrc_exec_t, tuned_initrc_exec_t,
acct_initrc_exec_t, mongod_initrc_exec_t,
glance_scrubber_initrc_exec_t, syslogd_initrc_exec_t,
ntop_initrc_exec_t, cluster_initrc_exec_t, openvpn_initrc_exec_t,
exim_initrc_exec_t, glance_api_initrc_exec_t, httpd_initrc_exec_t,
mysqld_initrc_exec_t, samba_initrc_exec_t, qpidd_initrc_exec_t,
fail2ban_initrc_exec_t, ipa_custodia_pki_tomcat_exec_t,
postgrey_initrc_exec_t, boinc_initrc_exec_t, virtlogd_initrc_exec_t,
pppd_initrc_exec_t, ajaxterm_initrc_exec_t, mdadm_initrc_exec_t,
nscd_initrc_exec_t, cfengine_initrc_exec_t,
dlm_controld_initrc_exec_t, nslcd_initrc_exec_t, snort_initrc_exec_t,
auditd_initrc_exec_t, couchdb_initrc_exec_t, redis_initrc_exec_t,
mscan_initrc_exec_t, gpsd_initrc_exec_t, ypbind_initrc_exec_t,
ftpd_initrc_exec_t, blkmapd_initrc_exec_t, smsd_initrc_exec_t,
iptables_initrc_exec_t, mcelog_initrc_exec_t,
mysqlmanagerd_initrc_exec_t, dhcpc_helper_exec_t, sssd_initrc_exec_t,
piranha_pulse_initrc_exec_t, bacula_initrc_exec_t,
ipsec_initrc_exec_t, cmirrord_initrc_exec_t, entropyd_initrc_exec_t,
afs_initrc_exec_t, sensord_initrc_exec_t, sslh_initrc_exec_t,
pads_initrc_exec_t, apcupsd_initrc_exec_t, varnishd_initrc_exec_t,
pkcs_slotd_initrc_exec_t, ksmtuned_initrc_exec_t,
zoneminder_initrc_exec_t, sanlock_initrc_exec_t,
shorewall_initrc_exec_t, portmap_initrc_exec_t,
puppetmaster_initrc_exec_t, vdagentd_initrc_exec_t,
denyhosts_initrc_exec_t, varnishlog_initrc_exec_t,
NetworkManager_initrc_exec_t, tcsd_initrc_exec_t, openct_initrc_exec_t,
dovecot_initrc_exec_t, svnserve_initrc_exec_t, mrtg_initrc_exec_t,
privoxy_initrc_exec_t, crond_initrc_exec_t, aiccu_initrc_exec_t,
cvs_initrc_exec_t, shell_exec_t, psad_initrc_exec_t,
likewise_initrc_exec_t file types. Note that this list includes the
generic usr_t, bin_t and shell_exec_t types, so the transition into
initrc_t is not limited to files under /etc/rc.d/init.d.
98
99 The default entrypoint paths for the initrc_t domain are the following:
100
101 All executables with the default executable label, usually stored in
102 /usr/bin and /usr/sbin. /etc/rc.d/init.d/fetchmail, /opt/.*, /usr/.*,
103 /emul/.*, /export(/.*)?, /ostree(/.*)?, /usr/doc(/.*)?/lib(/.*)?,
104 /usr/inclu.e(/.*)?, /usr/share/rpm(/.*)?,
105 /usr/share/doc(/.*)?/README.*, /usr/lib/modules(/.*)/vmlinuz,
106 /usr/lib/modules(/.*)/initramfs.img, /usr/lib/sysimage(/.*)?,
107 /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul,
108 /etc/rc.d/init.d/bcfg2-server, /etc/rc.d/init.d/zabbix-agentd,
109 /etc/rc.d/init.d/canna, /etc/rc.d/init.d/(zabbix|zabbix-server),
110 /etc/rc.d/init.d/rhsmcertd, /etc/rc.d/init.d/ricci,
111 /etc/rc.d/init.d/mpd, /etc/rc.d/init.d/roundup, /etc/rc.d/init.d/ra‐
112 diusd, /usr/libexec/ipa/custodia/ipa-custodia-dmldap,
113 /etc/rc.d/init.d/pmlogger, /usr/libexec/pcp/lib/pmlogger,
114 /etc/rc.d/init.d/cyphesis, /etc/rc.d/init.d/cpuplugd,
115 /etc/rc.d/init.d/nfslock, /etc/rc.d/init.d/rpcidmapd,
116 /etc/rc.d/init.d/((ccs)|(ccsd)), /etc/rc.d/init.d/squid,
117 /etc/rc.d/init.d/arpwatch, /etc/rc.d/init.d/vhostmd,
118 /etc/rc.d/init.d/uuidd, /etc/rc.d/init.d/kismet.*,
119 /etc/rc.d/init.d/bgpd, /etc/rc.d/init.d/ripd, /etc/rc.d/init.d/isisd,
120 /etc/rc.d/init.d/ospfd, /etc/rc.d/init.d/zebra, /etc/rc.d/init.d/ba‐
121 beld, /etc/rc.d/init.d/ospf6d, /etc/rc.d/init.d/ripngd,
122 /etc/rc.d/init.d/.*l2tpd, /etc/init.d/.*, /etc/rc.d/rc.[^/]+,
123 /etc/rc.d/init.d/.*, /opt/nfast/sbin/init.d-ncipher,
124 /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*, /usr/lib/sys‐
125 temd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc,
126 /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-
127 dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/syscon‐
128 fig/network-scripts/ifup-ipsec, /usr/share/system-config-services/sys‐
129 tem-config-services-mechanism.py, /etc/rc.d/init.d/ntpd,
130 /etc/rc.d/init.d/minidlna, /etc/rc.d/init.d/mon_statd,
131 /etc/rc.d/init.d/smokeping, /etc/rc.d/init.d/innd,
132 /etc/rc.d/init.d/memcached, /etc/rc.d/init.d/mimedefang.*,
133 /etc/rc.d/init.d/spamd, /etc/rc.d/init.d/pyzord,
134 /etc/rc.d/init.d/spampd, /etc/rc.d/init.d/dhcpd(6)?,
135 /etc/rc.d/init.d/dhcrelay(6)?, /etc/rc.d/init.d/sshd,
136 /etc/rc.d/init.d/openstack-keystone, /etc/rc.d/init.d/drbd,
137 /etc/rc.d/init.d/named, /etc/rc.d/init.d/unbound,
138 /etc/rc.d/init.d/named-sdb, /etc/rc.d/init.d/osad,
139 /etc/rc.d/init.d/((iodined)|(iodine-server)), /etc/rc.d/init.d/cyrus.*,
140 /etc/rc.d/init.d/watchdog, /etc/rc.d/init.d/polipo,
141 /etc/rc.d/init.d/iwhd, /etc/rc.d/init.d/vnstat,
142 /etc/rc.d/init.d/rpcbind, /etc/rc.d/init.d/bitlbee,
143 /etc/rc.d/init.d/cgred, /etc/rc.d/init.d/(se)?postgresql,
144 /etc/rc.d/init.d/tgtd, /etc/rc.d/init.d/sasl, /etc/rc.d/init.d/lldpad,
145 /etc/rc.d/init.d/avahi.*, /etc/rc.d/init.d/gluster.*, /usr/sbin/glus‐
146 terd, /etc/rc.d/init.d/slapd, /etc/rc.d/init.d/puppet,
147 /etc/rc.d/init.d/rabbitmq-server, /etc/rc.d/init.d/whatsup-pingd,
148 /etc/rc.d/init.d/callweaver, /etc/rc.d/init.d/asterisk,
149 /etc/rc.d/init.d/autofs, /etc/rc.d/init.d/nfs, /etc/rc.d/init.d/dd‐
150 client, /etc/rc.d/init.d/acpid, /etc/rc.d/init.d/lirc,
151 /etc/rc.d/init.d/radvd, /etc/rc.d/init.d/firewalld,
152 /etc/rc.d/init.d/rwhod, /etc/rc.d/init.d/sysstat,
153 /etc/rc.d/init.d/uucp, /etc/rc.d/init.d/pmproxy,
154 /usr/libexec/pcp/lib/pmproxy, /etc/rc.d/init.d/isnsd,
155 /etc/rc.d/init.d/ypserv, /etc/rc.d/init.d/ypxfrd, /etc/rc.d/init.d/yp‐
156 passwd, /etc/rc.d/init.d/cobblerd, /etc/rc.d/init.d/cgconfig,
157 /etc/rc.d/init.d/icecast, /etc/rc.d/init.d/fcoe,
158 /etc/rc.d/init.d/chronyd, /etc/rc.d/init.d/cups, /etc/rc.d/init.d/con‐
159 dor, /etc/rc.d/init.d/certmaster, /etc/rc.d/init.d/prelude-lml,
160 /etc/rc.d/init.d/prelude-manager, /etc/rc.d/init.d/prelude-correlator,
161 /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*,
162 /etc/rc.d/init.d/rtkit-daemon, /etc/rc.d/init.d/hddtemp,
163 /etc/rc.d/init.d/openhpid, /etc/rc.d/init.d/(smartd|smartmontools),
164 /etc/rc.d/init.d/jabberd, /etc/rc.d/init.d/clamd.*,
165 /etc/rc.d/init.d/amavis, /etc/rc.d/init.d/amavisd-snmp,
166 /etc/rc.d/init.d/nasd, /etc/rc.d/init.d/dnsmasq, /etc/rc.d/init.d/tor,
167 /etc/rc.d/init.d/(snmpd|snmptrapd), /etc/rc.d/init.d/postfix,
168 /etc/rc.d/init.d/dictd, /etc/rc.d/init.d/hypervkvpd,
169 /etc/rc.d/init.d/collectd, /etc/rc.d/init.d/minissdpd,
170 /etc/rc.d/init.d/openstack-glance-registry, /etc/rc.d/init.d/munin-
171 node, /etc/rc.d/init.d/portreserve, /etc/rc.d/init.d/certmonger,
172 /etc/rc.d/init.d/pcscd, /etc/rc.d/init.d/gatherer,
173 /etc/rc.d/init.d/sblim-sfcbd, /etc/rc.d/init.d/gpm,
174 /etc/rc.d/init.d/ctdb, /etc/rc.d/init.d/gdomap, /etc/rc.d/init.d/rhnsd,
175 /etc/rc.d/init.d/oracleasm, /etc/rc.d/init.d/dund,
176 /etc/rc.d/init.d/pand, /etc/rc.d/init.d/bluetooth,
177 /etc/rc.d/init.d/kprop, /etc/rc.d/init.d/kadmind,
178 /etc/rc.d/init.d/krb524d, /etc/rc.d/init.d/krb5kdc,
179 /etc/rc.d/init.d/wdmd, /etc/rc.d/init.d/kdump, /etc/rc.d/init.d/nrpe,
180 /etc/rc.d/init.d/nagios, /etc/rc.d/init.d/pmie,
181 /usr/libexec/pcp/lib/pmie, /etc/rc.d/init.d/amtu, /etc/rc.d/init.d/mc‐
182 strans, /usr/libexec/ipa/custodia/ipa-custodia-ra-agent,
183 /etc/rc.d/init.d/irqbalance, /etc/rc.d/init.d/rngd,
184 /etc/rc.d/init.d/ulogd, /etc/rc.d/init.d/naemon, /etc/rc.d/init.d/abrt,
185 /etc/rc.d/init.d/dspam, /etc/rc.d/init.d/libvirtd,
186 /etc/rc.d/init.d/pmcd, /usr/libexec/pcp/lib/pmcd,
187 /etc/rc.d/init.d/slpd, /etc/rc.d/init.d/sendmail,
188 /etc/rc.d/init.d/ciped.*, /etc/rc.d/init.d/tuned,
189 /etc/rc.d/init.d/psacct, /etc/rc.d/init.d/mongod, /etc/rc.d/init.d/mon‐
190 gos, /etc/rc.d/init.d/openstack-glance-scrubber, /etc/rc.d/init.d/rsys‐
191 log, /etc/rc.d/init.d/ntop, /etc/rc.d/init.d/openais,
192 /etc/rc.d/init.d/corosync, /etc/rc.d/init.d/cpglockd,
193 /etc/rc.d/init.d/heartbeat, /etc/rc.d/init.d/pacemaker,
194 /etc/rc.d/init.d/rgmanager, /etc/rc.d/init.d/openvpn,
195 /etc/rc.d/init.d/exim, /etc/rc.d/init.d/openstack-glance-api,
196 /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
197 /etc/rc.d/init.d/lighttpd, /etc/rc.d/init.d/mysqld,
198 /etc/rc.d/init.d/nmb, /etc/rc.d/init.d/smb, /etc/rc.d/init.d/winbind,
199 /etc/rc.d/init.d/qpidd, /etc/rc.d/init.d/fail2ban,
200 /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat,
201 /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped,
202 /etc/rc.d/init.d/postgrey, /etc/rc.d/init.d/boinc-client,
203 /etc/rc.d/init.d/virtlogd, /etc/ppp/(auth|ip(v6|x)?)-(up|down),
204 /etc/rc.d/init.d/ppp, /etc/rc.d/init.d/ajaxterm, /etc/rc.d/init.d/md‐
205 monitor, /etc/rc.d/init.d/nscd, /etc/rc.d/init.d/((cf-serverd)|(cf-mon‐
206 itord)|(cf-execd)), /etc/rc.d/init.d/nslcd, /etc/rc.d/init.d/snortd,
207 /etc/rc.d/init.d/auditd, /etc/rc.d/init.d/couchdb, /etc/rc.d/init.d/re‐
208 dis, /etc/rc.d/init.d/MailScanner, /etc/rc.d/init.d/gpsd,
209 /etc/rc.d/init.d/ypbind, /etc/rc.d/init.d/vsftpd,
210 /etc/rc.d/init.d/proftpd, /etc/rc.d/init.d/blkmapd,
211 /etc/rc.d/init.d/smsd, /etc/rc.d/init.d/ip6?tables,
212 /etc/rc.d/init.d/ebtables, /etc/rc.d/init.d/nftables,
213 /etc/rc.d/init.d/mcelog, /etc/rc.d/init.d/mysqlmanager,
214 /etc/firestarter/firestarter.sh, /etc/rc.d/init.d/sssd,
215 /etc/rc.d/init.d/pulse, /etc/rc.d/init.d/bacula.*,
216 /etc/rc.d/init.d/ipsec, /etc/rc.d/init.d/racoon,
217 /etc/rc.d/init.d/strongswan, /etc/rc.d/init.d/cmirrord,
218 /etc/rc.d/init.d/((audio-entropyd)|(haveged)),
219 /etc/rc.d/init.d/(open)?afs, /etc/rc.d/init.d/openafs-client,
220 /etc/rc.d/init.d/sensord, /etc/rc.d/init.d/sslh, /etc/rc.d/init.d/pads,
221 /etc/rc.d/init.d/apcupsd, /etc/rc.d/init.d/varnish,
222 /etc/rc.d/init.d/pkcsslotd, /etc/rc.d/init.d/ksmtuned,
223 /etc/rc.d/init.d/zoneminder, /etc/rc.d/init.d/sanlock,
224 /etc/rc.d/init.d/shorewall.*, /etc/rc.d/init.d/portmap,
225 /etc/rc.d/init.d/puppetmaster, /etc/rc.d/init.d/spice-vdagentd,
226 /etc/rc.d/init.d/denyhosts, /etc/rc.d/init.d/varnishlog,
227 /etc/rc.d/init.d/varnishncsa, /etc/NetworkManager/dispatcher.d(/.*)?,
228 /usr/lib/NetworkManager/dispatcher.d(/.*)?, /etc/rc.d/init.d/wicd,
229 /etc/rc.d/init.d/(tcsd|trousers), /etc/rc.d/init.d/openct,
230 /etc/rc.d/init.d/dovecot, /etc/rc.d/init.d/svnserve,
231 /etc/rc.d/init.d/mrtg, /etc/rc.d/init.d/privoxy, /etc/rc.d/init.d/atd,
232 /etc/rc.d/init.d/aiccu, /etc/rc.d/init.d/cvs, /bin/d?ash, /bin/ksh.*,
233 /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh,
234 /bin/bash, /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
235 /bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
236 /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
237 /usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
238 /usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-shell,
239 /usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
240 /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell,
241 /etc/rc.d/init.d/psad, /etc/rc.d/init.d/lwiod, /etc/rc.d/init.d/lwsmd,
242 /etc/rc.d/init.d/lsassd, /etc/rc.d/init.d/lwregd,
243 /etc/rc.d/init.d/dcerpcd, /etc/rc.d/init.d/srvsvcd,
244 /etc/rc.d/init.d/likewise, /etc/rc.d/init.d/eventlogd,
245 /etc/rc.d/init.d/netlogond
246
SELinux defines process types (domains) for each process running on the
system.
250
You can see the context of a process using the -Z option to ps.
252
Policy governs the access confined processes have to files. SELinux
initrc policy is very flexible, allowing users to set up their initrc
processes as securely as possible.
256
257 The following process types are defined for initrc:
258
259 initrc_t
260
Note: semanage permissive -a initrc_t can be used to make the process
type initrc_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denial) messages are still
generated. Because initrc_t is the domain in which the init scripts
run, making it permissive removes confinement from all of them, so use
this only while debugging a denial and revert it afterwards.
265
266
SELinux policy is customizable based on the least access required. initrc
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run initrc with the tightest access possible.
271
272
273
If you want to deny applications in user domains the ability to map a
memory region as both executable and writable, you must turn on the
deny_execmem boolean. Such mappings are dangerous, and an executable
that requires them should be reported in bugzilla. Enabled by default.
278
279 setsebool -P deny_execmem 1
280
281
282
If you want to allow processes to mmap a low area of the address space
(below the limit configured by /proc/sys/vm/mmap_min_addr), you must
turn on the mmap_low_allowed boolean. Disabled by default.
286
287 setsebool -P mmap_low_allowed 1
288
289
290
If you want to disable kernel module loading, you must turn on the
secure_mode_insmod boolean. Enabled by default.
293
294 setsebool -P secure_mode_insmod 1
295
296
297
If you want to allow unconfined executables to make their heap memory
executable, you must turn on the selinuxuser_execheap boolean. Doing
this is a really bad idea: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Disabled by default.
303
304 setsebool -P selinuxuser_execheap 1
305
306
307
If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Enabled by default.
313
314 setsebool -P selinuxuser_execstack 1
315
316
317
The SELinux process type initrc_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions. Since the type listed below is file_type, i.e. all files on
the system, file labeling does not meaningfully restrict this domain's
file access, and DAC permissions are the only remaining file-level
control.
322
323 file_type
324
325 all files on the system
326
327
SELinux requires files to have an extended attribute to define the file
type.
331
332 You can see the context of a file using the -Z option to ls
333
Policy governs the access confined processes have to these files.
SELinux initrc policy is very flexible, allowing users to set up their
initrc processes as securely as possible.
337
338 STANDARD FILE CONTEXT
339
SELinux defines the file context types for initrc. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify the alternate labeling and then use
restorecon to put the labels on disk.
344
345 semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
346 restorecon -R -v /srv/myinitrc_content
347
348 Note: SELinux often uses regular expressions to specify labels that
349 match multiple files.
350
351 The following file types are defined for initrc:
352
353
354
355 initrc_devpts_t
356
357 - Set files with the initrc_devpts_t type, if you want to treat the
358 files as initrc devpts data.
359
360
361
362 initrc_exec_t
363
364 - Set files with the initrc_exec_t type, if you want to transition an
365 executable to the initrc_t domain.
366
367
368 Paths:
/etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
/opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
/usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
/opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
/usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-dirsrv,
/usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv,
/etc/sysconfig/network-scripts/ifup-ipsec,
/usr/share/system-config-services/system-config-services-mechanism.py
377
378
379 initrc_state_t
380
381 - Set files with the initrc_state_t type, if you want to treat the
382 files as initrc state data.
383
384
385
386 initrc_tmp_t
387
388 - Set files with the initrc_tmp_t type, if you want to store initrc
389 temporary files in the /tmp directories.
390
391
392
393 initrc_var_log_t
394
- Set files with the initrc_var_log_t type, if you want to treat the
data as initrc var log data, usually stored under the /var/log
directory.
398
399
400
401 initrc_var_run_t
402
403 - Set files with the initrc_var_run_t type, if you want to store the
404 initrc files under the /run or /var/run directory.
405
406
407 Paths:
408 /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
409 /var/run/setmixer_flag
410
411
Note: File context can be temporarily modified with the chcon command;
such changes are not recorded in the labeling database and are lost the
next time the file is relabeled. If you want to permanently change the
file context you need to use the semanage fcontext command. This will
modify the SELinux labeling database. You will then need to use
restorecon to apply the labels.
416
417
419 semanage fcontext can also be used to manipulate default file context
420 mappings.
421
422 semanage permissive can also be used to manipulate whether or not a
423 process type is permissive.
424
semanage module can also be used to enable/disable/install/remove
policy modules.
427
semanage boolean can also be used to manipulate the booleans.
429
430
system-config-selinux is a GUI tool available to customize SELinux
policy settings.
433
434
This manual page was auto-generated using sepolicy manpage.
437
438
selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8)
442
443
444
initrc 21-06-09 initrc_selinux(8)