1initrc_selinux(8) SELinux Policy initrc initrc_selinux(8)
2
3
4
6 initrc_selinux - Security Enhanced Linux Policy for the initrc
7 processes
8
10 Security-Enhanced Linux secures the initrc processes via flexible
11 mandatory access control.
12
13 The initrc processes execute with the initrc_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep initrc_t
20
21
22
24 The initrc_t SELinux type can be entered via the tcsd_initrc_exec_t,
25 ulogd_initrc_exec_t, ksmtuned_initrc_exec_t, minidlna_initrc_exec_t,
26 mcelog_initrc_exec_t, collectd_initrc_exec_t, roundup_initrc_exec_t,
27 sslh_initrc_exec_t, postfix_initrc_exec_t, ciped_initrc_exec_t,
28 named_initrc_exec_t, watchdog_initrc_exec_t, usr_t, minissdpd_ini‐
29 trc_exec_t, sanlock_initrc_exec_t, shell_exec_t, keystone_ini‐
30 trc_exec_t, NetworkManager_initrc_exec_t, nis_initrc_exec_t, mysqlman‐
31 agerd_initrc_exec_t, gdomap_initrc_exec_t, iodined_initrc_exec_t,
32 crond_initrc_exec_t, zoneminder_initrc_exec_t, ftpd_initrc_exec_t, ora‐
33 cleasm_initrc_exec_t, canna_initrc_exec_t, zabbix_agent_initrc_exec_t,
34 ctdbd_initrc_exec_t, portmap_initrc_exec_t, drbd_initrc_exec_t,
35 smsd_initrc_exec_t, psad_initrc_exec_t, gpm_initrc_exec_t, dspam_ini‐
36 trc_exec_t, hddtemp_initrc_exec_t, glance_api_initrc_exec_t, pi‐
37 ranha_pulse_initrc_exec_t, vnstatd_initrc_exec_t, cmirrord_ini‐
38 trc_exec_t, cyphesis_initrc_exec_t, polipo_initrc_exec_t,
39 smokeping_initrc_exec_t, munin_initrc_exec_t, neutron_initrc_exec_t,
40 setrans_initrc_exec_t, isnsd_initrc_exec_t, l2tpd_initrc_exec_t,
41 ipa_custodia_ra_agent_exec_t, cobblerd_initrc_exec_t, boinc_ini‐
42 trc_exec_t, arpwatch_initrc_exec_t, qpidd_initrc_exec_t, pcscd_ini‐
43 trc_exec_t, amtu_initrc_exec_t, icecast_initrc_exec_t, acct_ini‐
44 trc_exec_t, shorewall_initrc_exec_t, dlm_controld_initrc_exec_t, mem‐
45 cached_initrc_exec_t, uucpd_initrc_exec_t, ajaxterm_initrc_exec_t,
46 ntop_initrc_exec_t, wdmd_initrc_exec_t, ddclient_initrc_exec_t,
47 mon_statd_initrc_exec_t, likewise_initrc_exec_t, rhnsd_initrc_exec_t,
48 kerberos_initrc_exec_t, abrt_initrc_exec_t, puppetagent_initrc_exec_t,
49 sblim_initrc_exec_t, zabbix_initrc_exec_t, pki_ra_script_exec_t,
50 mysqld_initrc_exec_t, aiccu_initrc_exec_t, glusterd_initrc_exec_t,
51 dovecot_initrc_exec_t, rtkit_daemon_initrc_exec_t, rpcd_initrc_exec_t,
52 svnserve_initrc_exec_t, spamd_initrc_exec_t, radiusd_initrc_exec_t,
53 sssd_initrc_exec_t, virtlogd_initrc_exec_t, callweaver_initrc_exec_t,
54 postgrey_initrc_exec_t, tor_initrc_exec_t, iwhd_initrc_exec_t, var‐
55 nishd_initrc_exec_t, cupsd_initrc_exec_t, apmd_initrc_exec_t, gpsd_ini‐
56 trc_exec_t, cpuplug_initrc_exec_t, dictd_initrc_exec_t, blkmapd_ini‐
57 trc_exec_t, cluster_initrc_exec_t, radvd_initrc_exec_t, apcupsd_ini‐
58 trc_exec_t, samba_initrc_exec_t, jabberd_initrc_exec_t, tgtd_ini‐
59 trc_exec_t, redis_initrc_exec_t, nfsd_initrc_exec_t, exim_ini‐
60 trc_exec_t, ipa_custodia_pki_tomcat_exec_t, nslcd_initrc_exec_t,
61 pcp_plugin_initrc_exec_t, sendmail_initrc_exec_t, initrc_exec_t, sn‐
62 mpd_initrc_exec_t, privoxy_initrc_exec_t, fsdaemon_initrc_exec_t,
63 rngd_initrc_exec_t, dnsmasq_initrc_exec_t, innd_initrc_exec_t,
64 kdump_initrc_exec_t, soundd_initrc_exec_t, bluetooth_initrc_exec_t,
65 openhpid_initrc_exec_t, couchdb_initrc_exec_t, cfengine_initrc_exec_t,
66 slapd_initrc_exec_t, httpd_initrc_exec_t, condor_initrc_exec_t, portre‐
67 serve_initrc_exec_t, avahi_initrc_exec_t, ypbind_initrc_exec_t,
68 nscd_initrc_exec_t, ricci_initrc_exec_t, irqbalance_initrc_exec_t, mon‐
69 god_initrc_exec_t, auditd_initrc_exec_t, sensord_initrc_exec_t,
70 vhostmd_initrc_exec_t, entropyd_initrc_exec_t, glance_scrubber_ini‐
71 trc_exec_t, mscan_initrc_exec_t, dhcpd_initrc_exec_t, mrtg_ini‐
72 trc_exec_t, fcoemon_initrc_exec_t, openvpn_initrc_exec_t, naemon_ini‐
73 trc_exec_t, rwho_initrc_exec_t, bitlbee_initrc_exec_t, pppd_ini‐
74 trc_exec_t, sysstat_initrc_exec_t, virtd_initrc_exec_t, pads_ini‐
75 trc_exec_t, denyhosts_initrc_exec_t, fetchmail_initrc_exec_t,
76 snort_initrc_exec_t, postgresql_initrc_exec_t, antivirus_initrc_exec_t,
77 pkcs_slotd_initrc_exec_t, hypervkvp_initrc_exec_t, cyrus_initrc_exec_t,
78 squid_initrc_exec_t, uuidd_initrc_exec_t, pcp_pmcd_initrc_exec_t,
79 cvs_initrc_exec_t, lircd_initrc_exec_t, rhsmcertd_initrc_exec_t,
80 openct_initrc_exec_t, rpcbind_initrc_exec_t, afs_initrc_exec_t,
81 pcp_pmie_initrc_exec_t, dhcpc_helper_exec_t, automount_initrc_exec_t,
82 slpd_initrc_exec_t, bin_t, saslauthd_initrc_exec_t, cgconfig_ini‐
83 trc_exec_t, mpd_initrc_exec_t, certmaster_initrc_exec_t, sshd_ini‐
84 trc_exec_t, asterisk_initrc_exec_t, ipa_custodia_dmldap_exec_t,
85 ntpd_initrc_exec_t, fail2ban_initrc_exec_t, ccs_initrc_exec_t, pcp_pm‐
86 logger_initrc_exec_t, vdagentd_initrc_exec_t, certmonger_initrc_exec_t,
87 varnishlog_initrc_exec_t, chronyd_initrc_exec_t, pingd_initrc_exec_t,
88 iptables_initrc_exec_t, lldpad_initrc_exec_t, syslogd_initrc_exec_t,
89 puppetmaster_initrc_exec_t, glance_registry_initrc_exec_t, nagios_ini‐
90 trc_exec_t, bcfg2_initrc_exec_t, clvmd_initrc_exec_t,
91 pki_tps_script_exec_t, rabbitmq_initrc_exec_t, mdadm_initrc_exec_t,
92 foghorn_initrc_exec_t, firewalld_initrc_exec_t, bacula_initrc_exec_t,
93 prelude_initrc_exec_t, tuned_initrc_exec_t, pcp_pmproxy_initrc_exec_t,
94 kismet_initrc_exec_t, conntrackd_initrc_exec_t, cgred_initrc_exec_t,
95 zebra_initrc_exec_t, ipsec_initrc_exec_t, osad_initrc_exec_t file
96 types.
97
98 The default entrypoint paths for the initrc_t domain are the following:
99
100 All executables with the default executable label, usually stored in
101 /usr/bin and /usr/sbin. /etc/rc.d/init.d/(tcsd|trousers),
102 /etc/rc.d/init.d/ulogd, /etc/rc.d/init.d/ksmtuned,
103 /etc/rc.d/init.d/minidlna, /etc/rc.d/init.d/mcelog,
104 /etc/rc.d/init.d/collectd, /etc/rc.d/init.d/roundup,
105 /etc/rc.d/init.d/sslh, /etc/rc.d/init.d/postfix,
106 /etc/rc.d/init.d/ciped.*, /etc/rc.d/init.d/named, /etc/rc.d/init.d/un‐
107 bound, /etc/rc.d/init.d/named-sdb, /etc/rc.d/init.d/watchdog, /opt/.*,
108 /usr/.*, /emul/.*, /export(/.*)?, /ostree(/.*)?,
109 /usr/doc(/.*)?/lib(/.*)?, /usr/inclu.e(/.*)?, /usr/share/rpm(/.*)?,
110 /usr/share/doc(/.*)?/README.*, /usr/lib/modules(/.*)/vmlinuz,
111 /usr/lib/modules(/.*)/initramfs.img, /usr/lib/sysimage(/.*)?,
112 /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul, /etc/rc.d/init.d/miniss‐
113 dpd, /etc/rc.d/init.d/sanlock, /bin/d?ash, /bin/ksh.*, /bin/zsh.*,
114 /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/bash,
115 /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash2,
116 /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
117 /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
118 /usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
119 /usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-shell,
120 /usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
121 /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell,
122 /etc/rc.d/init.d/openstack-keystone, /etc/NetworkManager/dis‐
123 patcher.d(/.*)?, /usr/lib/NetworkManager/dispatcher.d(/.*)?,
124 /etc/rc.d/init.d/wicd, /etc/rc.d/init.d/ypserv,
125 /etc/rc.d/init.d/ypxfrd, /etc/rc.d/init.d/yppasswd,
126 /etc/rc.d/init.d/mysqlmanager, /etc/rc.d/init.d/gdomap,
127 /etc/rc.d/init.d/((iodined)|(iodine-server)), /etc/rc.d/init.d/atd,
128 /etc/rc.d/init.d/zoneminder, /etc/rc.d/init.d/vsftpd,
129 /etc/rc.d/init.d/proftpd, /etc/rc.d/init.d/oracleasm,
130 /etc/rc.d/init.d/canna, /etc/rc.d/init.d/zabbix-agentd,
131 /etc/rc.d/init.d/ctdb, /etc/rc.d/init.d/portmap, /etc/rc.d/init.d/drbd,
132 /etc/rc.d/init.d/smsd, /etc/rc.d/init.d/psad, /etc/rc.d/init.d/gpm,
133 /etc/rc.d/init.d/dspam, /etc/rc.d/init.d/hddtemp,
134 /etc/rc.d/init.d/openstack-glance-api, /etc/rc.d/init.d/pulse,
135 /etc/rc.d/init.d/vnstat, /etc/rc.d/init.d/cmirrord,
136 /etc/rc.d/init.d/cyphesis, /etc/rc.d/init.d/polipo,
137 /etc/rc.d/init.d/smokeping, /etc/rc.d/init.d/munin-node,
138 /etc/rc.d/init.d/neutron.*, /etc/rc.d/init.d/quantum.*,
139 /etc/rc.d/init.d/mcstrans, /etc/rc.d/init.d/isnsd,
140 /etc/rc.d/init.d/.*l2tpd, /usr/libexec/ipa/custodia/ipa-custodia-ra-
141 agent, /etc/rc.d/init.d/cobblerd, /etc/rc.d/init.d/boinc-client,
142 /etc/rc.d/init.d/arpwatch, /etc/rc.d/init.d/qpidd, /etc/rc.d/init.d/pc‐
143 scd, /etc/rc.d/init.d/amtu, /etc/rc.d/init.d/icecast,
144 /etc/rc.d/init.d/psacct, /etc/rc.d/init.d/shorewall.*,
145 /etc/rc.d/init.d/memcached, /etc/rc.d/init.d/uucp,
146 /etc/rc.d/init.d/ajaxterm, /etc/rc.d/init.d/ntop,
147 /etc/rc.d/init.d/wdmd, /etc/rc.d/init.d/ddclient,
148 /etc/rc.d/init.d/mon_statd, /etc/rc.d/init.d/lwiod,
149 /etc/rc.d/init.d/lwsmd, /etc/rc.d/init.d/lsassd,
150 /etc/rc.d/init.d/lwregd, /etc/rc.d/init.d/dcerpcd,
151 /etc/rc.d/init.d/srvsvcd, /etc/rc.d/init.d/likewise,
152 /etc/rc.d/init.d/eventlogd, /etc/rc.d/init.d/netlogond,
153 /etc/rc.d/init.d/rhnsd, /etc/rc.d/init.d/kprop, /etc/rc.d/init.d/kad‐
154 mind, /etc/rc.d/init.d/krb524d, /etc/rc.d/init.d/krb5kdc,
155 /etc/rc.d/init.d/abrt, /etc/rc.d/init.d/puppet, /etc/rc.d/init.d/gath‐
156 erer, /etc/rc.d/init.d/sblim-sfcbd, /etc/rc.d/init.d/(zabbix|zabbix-
157 server), /etc/rc.d/init.d/mysqld, /etc/rc.d/init.d/aiccu,
158 /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd, /etc/rc.d/init.d/dove‐
159 cot, /etc/rc.d/init.d/rtkit-daemon, /etc/rc.d/init.d/nfslock,
160 /etc/rc.d/init.d/rpcidmapd, /etc/rc.d/init.d/svnserve,
161 /etc/rc.d/init.d/mimedefang.*, /etc/rc.d/init.d/spamd,
162 /etc/rc.d/init.d/pyzord, /etc/rc.d/init.d/spampd, /etc/rc.d/init.d/ra‐
163 diusd, /etc/rc.d/init.d/sssd, /etc/rc.d/init.d/virtlogd,
164 /etc/rc.d/init.d/callweaver, /etc/rc.d/init.d/postgrey,
165 /etc/rc.d/init.d/tor, /etc/rc.d/init.d/iwhd, /etc/rc.d/init.d/varnish,
166 /etc/rc.d/init.d/cups, /etc/rc.d/init.d/acpid, /etc/rc.d/init.d/gpsd,
167 /etc/rc.d/init.d/cpuplugd, /etc/rc.d/init.d/dictd,
168 /etc/rc.d/init.d/blkmapd, /etc/rc.d/init.d/openais,
169 /etc/rc.d/init.d/corosync, /etc/rc.d/init.d/cpglockd,
170 /etc/rc.d/init.d/heartbeat, /etc/rc.d/init.d/pacemaker,
171 /etc/rc.d/init.d/rgmanager, /etc/rc.d/init.d/radvd,
172 /etc/rc.d/init.d/apcupsd, /etc/rc.d/init.d/nmb, /etc/rc.d/init.d/smb,
173 /etc/rc.d/init.d/winbind, /etc/rc.d/init.d/jabberd,
174 /etc/rc.d/init.d/tgtd, /etc/rc.d/init.d/redis, /etc/rc.d/init.d/nfs,
175 /etc/rc.d/init.d/exim, /usr/libexec/ipa/custodia/ipa-custodia-pki-tom‐
176 cat, /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped,
177 /etc/rc.d/init.d/nslcd, /etc/rc.d/init.d/sendmail, /etc/init.d/.*,
178 /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*, /opt/nfast/sbin/init.d-nci‐
179 pher, /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*,
180 /usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*),
181 /etc/rc.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl,
182 /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-
183 dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/share/system-
184 config-services/system-config-services-mechanism.py,
185 /etc/rc.d/init.d/(snmpd|snmptrapd), /etc/rc.d/init.d/privoxy,
186 /etc/rc.d/init.d/(smartd|smartmontools), /etc/rc.d/init.d/rngd,
187 /etc/rc.d/init.d/dnsmasq, /etc/rc.d/init.d/innd,
188 /etc/rc.d/init.d/kdump, /etc/rc.d/init.d/nasd, /etc/rc.d/init.d/dund,
189 /etc/rc.d/init.d/pand, /etc/rc.d/init.d/bluetooth,
190 /etc/rc.d/init.d/openhpid, /etc/rc.d/init.d/couchdb,
191 /etc/rc.d/init.d/((cf-serverd)|(cf-monitord)|(cf-execd)),
192 /etc/rc.d/init.d/slapd, /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
193 /etc/rc.d/init.d/lighttpd, /etc/rc.d/init.d/condor,
194 /etc/rc.d/init.d/portreserve, /etc/rc.d/init.d/avahi.*,
195 /etc/rc.d/init.d/ypbind, /etc/rc.d/init.d/nscd, /etc/rc.d/init.d/ricci,
196 /etc/rc.d/init.d/irqbalance, /etc/rc.d/init.d/mongod,
197 /etc/rc.d/init.d/mongos, /etc/rc.d/init.d/auditd, /etc/rc.d/init.d/sen‐
198 sord, /etc/rc.d/init.d/vhostmd, /etc/rc.d/init.d/((audio-en‐
199 tropyd)|(haveged)), /etc/rc.d/init.d/openstack-glance-scrubber,
200 /etc/rc.d/init.d/MailScanner, /etc/rc.d/init.d/dhcpd(6)?,
201 /etc/rc.d/init.d/dhcrelay(6)?, /etc/rc.d/init.d/mrtg,
202 /etc/rc.d/init.d/fcoe, /etc/rc.d/init.d/openvpn, /etc/rc.d/init.d/nae‐
203 mon, /etc/rc.d/init.d/rwhod, /etc/rc.d/init.d/bitlbee,
204 /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc.d/init.d/ppp,
205 /etc/rc.d/init.d/sysstat, /etc/rc.d/init.d/libvirtd,
206 /etc/rc.d/init.d/pads, /etc/rc.d/init.d/denyhosts,
207 /etc/rc.d/init.d/fetchmail, /etc/rc.d/init.d/snortd,
208 /etc/rc.d/init.d/(se)?postgresql, /etc/rc.d/init.d/clamd.*,
209 /etc/rc.d/init.d/amavis, /etc/rc.d/init.d/amavisd-snmp,
210 /etc/rc.d/init.d/pkcsslotd, /etc/rc.d/init.d/hypervkvpd,
211 /etc/rc.d/init.d/cyrus.*, /etc/rc.d/init.d/squid,
212 /etc/rc.d/init.d/uuidd, /etc/rc.d/init.d/pmcd,
213 /usr/libexec/pcp/lib/pmcd, /etc/rc.d/init.d/cvs, /etc/rc.d/init.d/lirc,
214 /etc/rc.d/init.d/rhsmcertd, /etc/rc.d/init.d/openct,
215 /etc/rc.d/init.d/rpcbind, /etc/rc.d/init.d/(open)?afs,
216 /etc/rc.d/init.d/openafs-client, /etc/rc.d/init.d/pmie,
217 /usr/libexec/pcp/lib/pmie, /etc/firestarter/firestarter.sh,
218 /etc/rc.d/init.d/autofs, /etc/rc.d/init.d/slpd, /etc/rc.d/init.d/sasl,
219 /etc/rc.d/init.d/cgconfig, /etc/rc.d/init.d/mpd, /etc/rc.d/init.d/cert‐
220 master, /etc/rc.d/init.d/sshd, /etc/rc.d/init.d/asterisk,
221 /usr/libexec/ipa/custodia/ipa-custodia-dmldap, /etc/rc.d/init.d/ntpd,
222 /etc/rc.d/init.d/fail2ban, /etc/rc.d/init.d/((ccs)|(ccsd)),
223 /etc/rc.d/init.d/pmlogger, /usr/libexec/pcp/lib/pmlogger,
224 /etc/rc.d/init.d/spice-vdagentd, /etc/rc.d/init.d/certmonger,
225 /etc/rc.d/init.d/varnishlog, /etc/rc.d/init.d/varnishncsa,
226 /etc/rc.d/init.d/chronyd, /etc/rc.d/init.d/whatsup-pingd,
227 /etc/rc.d/init.d/ip6?tables, /etc/rc.d/init.d/ebtables,
228 /etc/rc.d/init.d/nftables, /etc/rc.d/init.d/lldpad,
229 /etc/rc.d/init.d/rsyslog, /etc/rc.d/init.d/puppetmaster,
230 /etc/rc.d/init.d/openstack-glance-registry, /etc/rc.d/init.d/nrpe,
231 /etc/rc.d/init.d/nagios, /etc/rc.d/init.d/bcfg2-server,
232 /etc/rc.d/init.d/rabbitmq-server, /etc/rc.d/init.d/mdmonitor,
233 /etc/rc.d/init.d/firewalld, /etc/rc.d/init.d/bacula.*,
234 /etc/rc.d/init.d/prelude-lml, /etc/rc.d/init.d/prelude-manager,
235 /etc/rc.d/init.d/prelude-correlator, /etc/rc.d/init.d/tuned,
236 /etc/rc.d/init.d/pmproxy, /usr/libexec/pcp/lib/pmproxy,
237 /etc/rc.d/init.d/kismet.*, /etc/rc.d/init.d/cgred,
238 /etc/rc.d/init.d/bgpd, /etc/rc.d/init.d/ripd, /etc/rc.d/init.d/isisd,
239 /etc/rc.d/init.d/ospfd, /etc/rc.d/init.d/zebra, /etc/rc.d/init.d/ba‐
240 beld, /etc/rc.d/init.d/ospf6d, /etc/rc.d/init.d/ripngd,
241 /etc/rc.d/init.d/ipsec, /etc/rc.d/init.d/racoon,
242 /etc/rc.d/init.d/strongswan, /etc/rc.d/init.d/osad
243
245 SELinux defines process types (domains) for each process running on the
246 system.
247
248 You can see the context of a process using the -Z option to ps.
249
250 Policy governs the access confined processes have to files. SELinux
251 initrc policy is very flexible, allowing users to set up their initrc
252 processes in as secure a manner as possible.
253
254 The following process types are defined for initrc:
255
256 initrc_t
257
258 Note: semanage permissive -a initrc_t can be used to make the process
259 type initrc_t permissive. SELinux does not deny access to permissive
260 process types, but the AVC (SELinux denial) messages are still
261 generated.
262
263
265 SELinux policy is customizable based on least access required. initrc
266 policy is extremely flexible and has several booleans that allow you to
267 manipulate the policy and run initrc with the tightest access possible.
268
269
270
271 If you want to deny applications in user domains the ability to map a
272 memory region as both executable and writable (this is dangerous, and
273 such an executable should be reported in bugzilla), you must turn on
274 the deny_execmem boolean. Enabled by default.
275
276 setsebool -P deny_execmem 1
277
278
279
280 If you want to allow processes to mmap a low area of the address
281 space (below the limit configured by /proc/sys/vm/mmap_min_addr), you
282 must turn on the mmap_low_allowed boolean. Disabled by default.
283
284 setsebool -P mmap_low_allowed 1
285
286
287
288 If you want to disable kernel module loading, you must turn on the
289 secure_mode_insmod boolean. Enabled by default.
290
291 setsebool -P secure_mode_insmod 1
292
293
294
295 If you want to allow unconfined executables to make their heap memory
296 executable, you must turn on the selinuxuser_execheap boolean. Doing
297 this is a really bad idea: it probably indicates a badly coded
298 executable, but could indicate an attack, and the executable should be
299 reported in bugzilla. Disabled by default.
300
301 setsebool -P selinuxuser_execheap 1
302
303
304
305 If you want to allow unconfined executables to make their stack
306 executable, you must turn on the selinuxuser_execstack boolean. This
307 should never, ever be necessary: it probably indicates a badly coded
308 executable, but could indicate an attack, and the executable should be
309 reported in bugzilla. Enabled by default.
310
311 setsebool -P selinuxuser_execstack 1
312
313
314
316 The SELinux process type initrc_t can manage files labeled with the
317 following file types. The paths listed are the default paths for these
318 file types. Note that the process's UID still needs DAC permissions.
319
320 file_type
321
322 all files on the system
323
324
326 SELinux requires files to have an extended attribute to define the file
327 type.
328
329 You can see the context of a file using the -Z option to ls.
330
331 Policy governs the access confined processes have to these files.
332 SELinux initrc policy is very flexible, allowing users to set up their
333 initrc processes in as secure a manner as possible.
334
335 STANDARD FILE CONTEXT
336
337 SELinux defines the file context types for initrc; if you want to
338 store files with these types in different paths, you need to run the
339 semanage command to specify the alternate labeling and then use
340 restorecon to put the labels on disk.
341
342 semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
343 restorecon -R -v /srv/myinitrc_content
344
345 Note: SELinux often uses regular expressions to specify labels that
346 match multiple files.
347
348 The following file types are defined for initrc:
349
350
351
352 initrc_devpts_t
353
354 - Set files with the initrc_devpts_t type, if you want to treat the
355 files as initrc devpts data.
356
357
358
359 initrc_exec_t
360
361 - Set files with the initrc_exec_t type, if you want to transition an
362 executable to the initrc_t domain.
363
364
365 Paths:
366 /etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
367 /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
368 /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
369 /opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
370 /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-dirsrv,
371 /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv,
372 /etc/sysconfig/network-scripts/ifup-ipsec,
373 /usr/share/system-config-services/system-config-services-mechanism.py
374
375
376 initrc_state_t
377
378 - Set files with the initrc_state_t type, if you want to treat the
379 files as initrc state data.
380
381
382
383 initrc_tmp_t
384
385 - Set files with the initrc_tmp_t type, if you want to store initrc
386 temporary files in the /tmp directories.
387
388
389
390 initrc_var_log_t
391
392 - Set files with the initrc_var_log_t type, if you want to treat the
393 data as initrc var log data, usually stored under the /var/log
394 directory.
395
396
397
398 initrc_var_run_t
399
400 - Set files with the initrc_var_run_t type, if you want to store the
401 initrc files under the /run or /var/run directory.
402
403
404 Paths:
405 /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
406 /var/run/setmixer_flag
407
408
409 Note: File context can be temporarily modified with the chcon command.
410 If you want to permanently change the file context you need to use the
411 semanage fcontext command. This will modify the SELinux labeling
412 database. You will need to use restorecon to apply the labels.
413
414
416 semanage fcontext can also be used to manipulate default file context
417 mappings.
418
419 semanage permissive can also be used to manipulate whether or not a
420 process type is permissive.
421
422 semanage module can also be used to enable/disable/install/remove
423 policy modules.
424
425 semanage boolean can also be used to manipulate the booleans.
426
427
428 system-config-selinux is a GUI tool available to customize SELinux
429 policy settings.
430
431
433 This manual page was auto-generated using sepolicy manpage.
434
435
437 selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1),
438 sepolicy(8), setsebool(8)
439
440
441
442initrc 21-11-19 initrc_selinux(8)