1initrc_selinux(8)            SELinux Policy initrc           initrc_selinux(8)
2
3
4

NAME

6       initrc_selinux  -  Security  Enhanced  Linux Policy for the initrc pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  initrc  processes  via  flexible
11       mandatory access control.
12
13       The  initrc  processes  execute with the initrc_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep initrc_t
20
21
22

ENTRYPOINTS

24       The  initrc_t  SELinux  type can be entered via the tcsd_initrc_exec_t,
25       ulogd_initrc_exec_t,  ksmtuned_initrc_exec_t,   minidlna_initrc_exec_t,
26       mcelog_initrc_exec_t,   collectd_initrc_exec_t,  roundup_initrc_exec_t,
27       sslh_initrc_exec_t,     postfix_initrc_exec_t,     ciped_initrc_exec_t,
28       named_initrc_exec_t,   watchdog_initrc_exec_t,   usr_t,  minissdpd_ini‐
29       trc_exec_t,    sanlock_initrc_exec_t,    shell_exec_t,    keystone_ini‐
30       trc_exec_t,  NetworkManager_initrc_exec_t, nis_initrc_exec_t, mysqlman‐
31       agerd_initrc_exec_t,    gdomap_initrc_exec_t,    iodined_initrc_exec_t,
32       crond_initrc_exec_t, zoneminder_initrc_exec_t, ftpd_initrc_exec_t, ora‐
33       cleasm_initrc_exec_t, canna_initrc_exec_t,  zabbix_agent_initrc_exec_t,
34       ctdbd_initrc_exec_t,     portmap_initrc_exec_t,     drbd_initrc_exec_t,
35       smsd_initrc_exec_t, psad_initrc_exec_t,  gpm_initrc_exec_t,  dspam_ini‐
36       trc_exec_t,    hddtemp_initrc_exec_t,   glance_api_initrc_exec_t,   pi‐
37       ranha_pulse_initrc_exec_t,     vnstatd_initrc_exec_t,     cmirrord_ini‐
38       trc_exec_t,        cyphesis_initrc_exec_t,        polipo_initrc_exec_t,
39       smokeping_initrc_exec_t,  munin_initrc_exec_t,   neutron_initrc_exec_t,
40       setrans_initrc_exec_t,     isnsd_initrc_exec_t,    l2tpd_initrc_exec_t,
41       ipa_custodia_ra_agent_exec_t,    cobblerd_initrc_exec_t,     boinc_ini‐
42       trc_exec_t,   arpwatch_initrc_exec_t,  qpidd_initrc_exec_t,  pcscd_ini‐
43       trc_exec_t,   amtu_initrc_exec_t,   icecast_initrc_exec_t,    acct_ini‐
44       trc_exec_t,  shorewall_initrc_exec_t,  dlm_controld_initrc_exec_t, mem‐
45       cached_initrc_exec_t,   uucpd_initrc_exec_t,    ajaxterm_initrc_exec_t,
46       ntop_initrc_exec_t,     wdmd_initrc_exec_t,     ddclient_initrc_exec_t,
47       mon_statd_initrc_exec_t,  likewise_initrc_exec_t,  rhnsd_initrc_exec_t,
48       kerberos_initrc_exec_t,  abrt_initrc_exec_t, puppetagent_initrc_exec_t,
49       sblim_initrc_exec_t,    zabbix_initrc_exec_t,     pki_ra_script_exec_t,
50       mysqld_initrc_exec_t,    aiccu_initrc_exec_t,   glusterd_initrc_exec_t,
51       dovecot_initrc_exec_t, rtkit_daemon_initrc_exec_t,  rpcd_initrc_exec_t,
52       svnserve_initrc_exec_t,   spamd_initrc_exec_t,   radiusd_initrc_exec_t,
53       sssd_initrc_exec_t,  virtlogd_initrc_exec_t,  callweaver_initrc_exec_t,
54       postgrey_initrc_exec_t,   tor_initrc_exec_t,  iwhd_initrc_exec_t,  var‐
55       nishd_initrc_exec_t, cupsd_initrc_exec_t, apmd_initrc_exec_t, gpsd_ini‐
56       trc_exec_t,  cpuplug_initrc_exec_t,  dictd_initrc_exec_t,  blkmapd_ini‐
57       trc_exec_t,  cluster_initrc_exec_t,  radvd_initrc_exec_t,  apcupsd_ini‐
58       trc_exec_t,   samba_initrc_exec_t,   jabberd_initrc_exec_t,   tgtd_ini‐
59       trc_exec_t,    redis_initrc_exec_t,    nfsd_initrc_exec_t,    exim_ini‐
60       trc_exec_t,     ipa_custodia_pki_tomcat_exec_t,    nslcd_initrc_exec_t,
61       pcp_plugin_initrc_exec_t,  sendmail_initrc_exec_t,  initrc_exec_t,  sn‐
62       mpd_initrc_exec_t,    privoxy_initrc_exec_t,    fsdaemon_initrc_exec_t,
63       rngd_initrc_exec_t,     dnsmasq_initrc_exec_t,      innd_initrc_exec_t,
64       kdump_initrc_exec_t,   soundd_initrc_exec_t,   bluetooth_initrc_exec_t,
65       openhpid_initrc_exec_t, couchdb_initrc_exec_t,  cfengine_initrc_exec_t,
66       slapd_initrc_exec_t, httpd_initrc_exec_t, condor_initrc_exec_t, portre‐
67       serve_initrc_exec_t,     avahi_initrc_exec_t,     ypbind_initrc_exec_t,
68       nscd_initrc_exec_t, ricci_initrc_exec_t, irqbalance_initrc_exec_t, mon‐
69       god_initrc_exec_t,     auditd_initrc_exec_t,     sensord_initrc_exec_t,
70       vhostmd_initrc_exec_t,   entropyd_initrc_exec_t,   glance_scrubber_ini‐
71       trc_exec_t,   mscan_initrc_exec_t,    dhcpd_initrc_exec_t,    mrtg_ini‐
72       trc_exec_t,  fcoemon_initrc_exec_t,  openvpn_initrc_exec_t, naemon_ini‐
73       trc_exec_t,   rwho_initrc_exec_t,   bitlbee_initrc_exec_t,    pppd_ini‐
74       trc_exec_t,   sysstat_initrc_exec_t,   virtd_initrc_exec_t,   pads_ini‐
75       trc_exec_t,      denyhosts_initrc_exec_t,      fetchmail_initrc_exec_t,
76       snort_initrc_exec_t, postgresql_initrc_exec_t, antivirus_initrc_exec_t,
77       pkcs_slotd_initrc_exec_t, hypervkvp_initrc_exec_t, cyrus_initrc_exec_t,
78       squid_initrc_exec_t,    uuidd_initrc_exec_t,    pcp_pmcd_initrc_exec_t,
79       cvs_initrc_exec_t,    lircd_initrc_exec_t,     rhsmcertd_initrc_exec_t,
80       openct_initrc_exec_t,     rpcbind_initrc_exec_t,     afs_initrc_exec_t,
81       pcp_pmie_initrc_exec_t,  dhcpc_helper_exec_t,  automount_initrc_exec_t,
82       slpd_initrc_exec_t,   bin_t,   saslauthd_initrc_exec_t,   cgconfig_ini‐
83       trc_exec_t,  mpd_initrc_exec_t,   certmaster_initrc_exec_t,   sshd_ini‐
84       trc_exec_t,     asterisk_initrc_exec_t,     ipa_custodia_dmldap_exec_t,
85       ntpd_initrc_exec_t, fail2ban_initrc_exec_t, ccs_initrc_exec_t,  pcp_pm‐
86       logger_initrc_exec_t, vdagentd_initrc_exec_t, certmonger_initrc_exec_t,
87       varnishlog_initrc_exec_t,  chronyd_initrc_exec_t,  pingd_initrc_exec_t,
88       iptables_initrc_exec_t,   lldpad_initrc_exec_t,  syslogd_initrc_exec_t,
89       puppetmaster_initrc_exec_t, glance_registry_initrc_exec_t,  nagios_ini‐
90       trc_exec_t,          bcfg2_initrc_exec_t,          clvmd_initrc_exec_t,
91       pki_tps_script_exec_t,   rabbitmq_initrc_exec_t,   mdadm_initrc_exec_t,
92       foghorn_initrc_exec_t,  firewalld_initrc_exec_t,  bacula_initrc_exec_t,
93       prelude_initrc_exec_t, tuned_initrc_exec_t,  pcp_pmproxy_initrc_exec_t,
94       kismet_initrc_exec_t,   conntrackd_initrc_exec_t,  cgred_initrc_exec_t,
95       zebra_initrc_exec_t,   ipsec_initrc_exec_t,   osad_initrc_exec_t   file
96       types.
97
98       The default entrypoint paths for the initrc_t domain are the following:
99
100       All  executables  with  the default executable label, usually stored in
101       /usr/bin     and     /usr/sbin.       /etc/rc.d/init.d/(tcsd|trousers),
102       /etc/rc.d/init.d/ulogd,                      /etc/rc.d/init.d/ksmtuned,
103       /etc/rc.d/init.d/minidlna,                     /etc/rc.d/init.d/mcelog,
104       /etc/rc.d/init.d/collectd,                    /etc/rc.d/init.d/roundup,
105       /etc/rc.d/init.d/sslh,                        /etc/rc.d/init.d/postfix,
106       /etc/rc.d/init.d/ciped.*,  /etc/rc.d/init.d/named, /etc/rc.d/init.d/un‐
107       bound, /etc/rc.d/init.d/named-sdb, /etc/rc.d/init.d/watchdog,  /opt/.*,
108       /usr/.*,         /emul/.*,         /export(/.*)?,        /ostree(/.*)?,
109       /usr/doc(/.*)?/lib(/.*)?,   /usr/inclu.e(/.*)?,   /usr/share/rpm(/.*)?,
110       /usr/share/doc(/.*)?/README.*,           /usr/lib/modules(/.*)/vmlinuz,
111       /usr/lib/modules(/.*)/initramfs.img,           /usr/lib/sysimage(/.*)?,
112       /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul, /etc/rc.d/init.d/miniss‐
113       dpd,  /etc/rc.d/init.d/sanlock,  /bin/d?ash,  /bin/ksh.*,   /bin/zsh.*,
114       /usr/bin/d?ash,  /usr/bin/ksh.*,  /usr/bin/zsh.*,  /bin/esh, /bin/bash,
115       /bin/fish,  /bin/mksh,  /bin/sash,  /bin/tcsh,  /bin/yash,  /bin/bash2,
116       /usr/bin/esh,      /sbin/nologin,     /usr/bin/bash,     /usr/bin/fish,
117       /usr/bin/mksh,     /usr/bin/sash,     /usr/bin/tcsh,     /usr/bin/yash,
118       /usr/bin/bash2,   /usr/sbin/sesh,   /usr/sbin/smrsh,  /usr/bin/scponly,
119       /usr/libexec/sesh,        /usr/sbin/nologin,        /usr/bin/git-shell,
120       /usr/sbin/scponlyc,   /usr/libexec/sudo/sesh,  /usr/bin/cockpit-bridge,
121       /usr/libexec/cockpit-agent,            /usr/libexec/git-core/git-shell,
122       /etc/rc.d/init.d/openstack-keystone,           /etc/NetworkManager/dis‐
123       patcher.d(/.*)?,            /usr/lib/NetworkManager/dispatcher.d(/.*)?,
124       /etc/rc.d/init.d/wicd,                         /etc/rc.d/init.d/ypserv,
125       /etc/rc.d/init.d/ypxfrd,                     /etc/rc.d/init.d/yppasswd,
126       /etc/rc.d/init.d/mysqlmanager,                 /etc/rc.d/init.d/gdomap,
127       /etc/rc.d/init.d/((iodined)|(iodine-server)),     /etc/rc.d/init.d/atd,
128       /etc/rc.d/init.d/zoneminder,                   /etc/rc.d/init.d/vsftpd,
129       /etc/rc.d/init.d/proftpd,                   /etc/rc.d/init.d/oracleasm,
130       /etc/rc.d/init.d/canna,                 /etc/rc.d/init.d/zabbix-agentd,
131       /etc/rc.d/init.d/ctdb, /etc/rc.d/init.d/portmap, /etc/rc.d/init.d/drbd,
132       /etc/rc.d/init.d/smsd,   /etc/rc.d/init.d/psad,   /etc/rc.d/init.d/gpm,
133       /etc/rc.d/init.d/dspam,                       /etc/rc.d/init.d/hddtemp,
134       /etc/rc.d/init.d/openstack-glance-api,          /etc/rc.d/init.d/pulse,
135       /etc/rc.d/init.d/vnstat,                     /etc/rc.d/init.d/cmirrord,
136       /etc/rc.d/init.d/cyphesis,                     /etc/rc.d/init.d/polipo,
137       /etc/rc.d/init.d/smokeping,                /etc/rc.d/init.d/munin-node,
138       /etc/rc.d/init.d/neutron.*,                 /etc/rc.d/init.d/quantum.*,
139       /etc/rc.d/init.d/mcstrans,                      /etc/rc.d/init.d/isnsd,
140       /etc/rc.d/init.d/.*l2tpd,    /usr/libexec/ipa/custodia/ipa-custodia-ra-
141       agent,    /etc/rc.d/init.d/cobblerd,     /etc/rc.d/init.d/boinc-client,
142       /etc/rc.d/init.d/arpwatch, /etc/rc.d/init.d/qpidd, /etc/rc.d/init.d/pc‐
143       scd,          /etc/rc.d/init.d/amtu,          /etc/rc.d/init.d/icecast,
144       /etc/rc.d/init.d/psacct,                  /etc/rc.d/init.d/shorewall.*,
145       /etc/rc.d/init.d/memcached,                      /etc/rc.d/init.d/uucp,
146       /etc/rc.d/init.d/ajaxterm,                       /etc/rc.d/init.d/ntop,
147       /etc/rc.d/init.d/wdmd,                       /etc/rc.d/init.d/ddclient,
148       /etc/rc.d/init.d/mon_statd,                     /etc/rc.d/init.d/lwiod,
149       /etc/rc.d/init.d/lwsmd,                        /etc/rc.d/init.d/lsassd,
150       /etc/rc.d/init.d/lwregd,                      /etc/rc.d/init.d/dcerpcd,
151       /etc/rc.d/init.d/srvsvcd,                    /etc/rc.d/init.d/likewise,
152       /etc/rc.d/init.d/eventlogd,                 /etc/rc.d/init.d/netlogond,
153       /etc/rc.d/init.d/rhnsd,  /etc/rc.d/init.d/kprop,  /etc/rc.d/init.d/kad‐
154       mind,        /etc/rc.d/init.d/krb524d,        /etc/rc.d/init.d/krb5kdc,
155       /etc/rc.d/init.d/abrt, /etc/rc.d/init.d/puppet,  /etc/rc.d/init.d/gath‐
156       erer,   /etc/rc.d/init.d/sblim-sfcbd,  /etc/rc.d/init.d/(zabbix|zabbix-
157       server),        /etc/rc.d/init.d/mysqld,        /etc/rc.d/init.d/aiccu,
158       /etc/rc.d/init.d/gluster.*,  /usr/sbin/glusterd, /etc/rc.d/init.d/dove‐
159       cot,      /etc/rc.d/init.d/rtkit-daemon,      /etc/rc.d/init.d/nfslock,
160       /etc/rc.d/init.d/rpcidmapd,                  /etc/rc.d/init.d/svnserve,
161       /etc/rc.d/init.d/mimedefang.*,                  /etc/rc.d/init.d/spamd,
162       /etc/rc.d/init.d/pyzord,  /etc/rc.d/init.d/spampd, /etc/rc.d/init.d/ra‐
163       diusd,        /etc/rc.d/init.d/sssd,         /etc/rc.d/init.d/virtlogd,
164       /etc/rc.d/init.d/callweaver,                 /etc/rc.d/init.d/postgrey,
165       /etc/rc.d/init.d/tor, /etc/rc.d/init.d/iwhd,  /etc/rc.d/init.d/varnish,
166       /etc/rc.d/init.d/cups,  /etc/rc.d/init.d/acpid,  /etc/rc.d/init.d/gpsd,
167       /etc/rc.d/init.d/cpuplugd,                      /etc/rc.d/init.d/dictd,
168       /etc/rc.d/init.d/blkmapd,                     /etc/rc.d/init.d/openais,
169       /etc/rc.d/init.d/corosync,                   /etc/rc.d/init.d/cpglockd,
170       /etc/rc.d/init.d/heartbeat,                 /etc/rc.d/init.d/pacemaker,
171       /etc/rc.d/init.d/rgmanager,                     /etc/rc.d/init.d/radvd,
172       /etc/rc.d/init.d/apcupsd,  /etc/rc.d/init.d/nmb,  /etc/rc.d/init.d/smb,
173       /etc/rc.d/init.d/winbind,                     /etc/rc.d/init.d/jabberd,
174       /etc/rc.d/init.d/tgtd,   /etc/rc.d/init.d/redis,  /etc/rc.d/init.d/nfs,
175       /etc/rc.d/init.d/exim,  /usr/libexec/ipa/custodia/ipa-custodia-pki-tom‐
176       cat,         /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped,
177       /etc/rc.d/init.d/nslcd,   /etc/rc.d/init.d/sendmail,    /etc/init.d/.*,
178       /etc/rc.d/rc.[^/]+,   /etc/rc.d/init.d/.*,  /opt/nfast/sbin/init.d-nci‐
179       pher,       /usr/libexec/dcc/stop-.*,        /usr/libexec/dcc/start-.*,
180       /usr/lib/systemd/fedora[^/]*,           /opt/nfast/scripts/init.d/(.*),
181       /etc/rc.d/rc,  /etc/X11/prefdm,  /usr/sbin/startx,   /usr/bin/sepg_ctl,
182       /usr/sbin/start-dirsrv,   /usr/sbin/open_init_pty,   /usr/sbin/restart-
183       dirsrv,  /etc/sysconfig/network-scripts/ifup-ipsec,  /usr/share/system-
184       config-services/system-config-services-mechanism.py,
185       /etc/rc.d/init.d/(snmpd|snmptrapd),           /etc/rc.d/init.d/privoxy,
186       /etc/rc.d/init.d/(smartd|smartmontools),         /etc/rc.d/init.d/rngd,
187       /etc/rc.d/init.d/dnsmasq,                        /etc/rc.d/init.d/innd,
188       /etc/rc.d/init.d/kdump,  /etc/rc.d/init.d/nasd,  /etc/rc.d/init.d/dund,
189       /etc/rc.d/init.d/pand,                      /etc/rc.d/init.d/bluetooth,
190       /etc/rc.d/init.d/openhpid,                    /etc/rc.d/init.d/couchdb,
191       /etc/rc.d/init.d/((cf-serverd)|(cf-monitord)|(cf-execd)),
192       /etc/rc.d/init.d/slapd,  /etc/init.d/cherokee,  /etc/rc.d/init.d/httpd,
193       /etc/rc.d/init.d/lighttpd,                     /etc/rc.d/init.d/condor,
194       /etc/rc.d/init.d/portreserve,                 /etc/rc.d/init.d/avahi.*,
195       /etc/rc.d/init.d/ypbind, /etc/rc.d/init.d/nscd, /etc/rc.d/init.d/ricci,
196       /etc/rc.d/init.d/irqbalance,                   /etc/rc.d/init.d/mongod,
197       /etc/rc.d/init.d/mongos, /etc/rc.d/init.d/auditd, /etc/rc.d/init.d/sen‐
198       sord,       /etc/rc.d/init.d/vhostmd,      /etc/rc.d/init.d/((audio-en‐
199       tropyd)|(haveged)),         /etc/rc.d/init.d/openstack-glance-scrubber,
200       /etc/rc.d/init.d/MailScanner,               /etc/rc.d/init.d/dhcpd(6)?,
201       /etc/rc.d/init.d/dhcrelay(6)?,                   /etc/rc.d/init.d/mrtg,
202       /etc/rc.d/init.d/fcoe,  /etc/rc.d/init.d/openvpn, /etc/rc.d/init.d/nae‐
203       mon,         /etc/rc.d/init.d/rwhod,          /etc/rc.d/init.d/bitlbee,
204       /etc/ppp/(auth|ip(v6|x)?)-(up|down),              /etc/rc.d/init.d/ppp,
205       /etc/rc.d/init.d/sysstat,                    /etc/rc.d/init.d/libvirtd,
206       /etc/rc.d/init.d/pads,                      /etc/rc.d/init.d/denyhosts,
207       /etc/rc.d/init.d/fetchmail,                    /etc/rc.d/init.d/snortd,
208       /etc/rc.d/init.d/(se)?postgresql,             /etc/rc.d/init.d/clamd.*,
209       /etc/rc.d/init.d/amavis,                 /etc/rc.d/init.d/amavisd-snmp,
210       /etc/rc.d/init.d/pkcsslotd,                /etc/rc.d/init.d/hypervkvpd,
211       /etc/rc.d/init.d/cyrus.*,                       /etc/rc.d/init.d/squid,
212       /etc/rc.d/init.d/uuidd,                          /etc/rc.d/init.d/pmcd,
213       /usr/libexec/pcp/lib/pmcd, /etc/rc.d/init.d/cvs, /etc/rc.d/init.d/lirc,
214       /etc/rc.d/init.d/rhsmcertd,                    /etc/rc.d/init.d/openct,
215       /etc/rc.d/init.d/rpcbind,                  /etc/rc.d/init.d/(open)?afs,
216       /etc/rc.d/init.d/openafs-client,                 /etc/rc.d/init.d/pmie,
217       /usr/libexec/pcp/lib/pmie,             /etc/firestarter/firestarter.sh,
218       /etc/rc.d/init.d/autofs,  /etc/rc.d/init.d/slpd, /etc/rc.d/init.d/sasl,
219       /etc/rc.d/init.d/cgconfig, /etc/rc.d/init.d/mpd, /etc/rc.d/init.d/cert‐
220       master,        /etc/rc.d/init.d/sshd,        /etc/rc.d/init.d/asterisk,
221       /usr/libexec/ipa/custodia/ipa-custodia-dmldap,   /etc/rc.d/init.d/ntpd,
222       /etc/rc.d/init.d/fail2ban,             /etc/rc.d/init.d/((ccs)|(ccsd)),
223       /etc/rc.d/init.d/pmlogger,               /usr/libexec/pcp/lib/pmlogger,
224       /etc/rc.d/init.d/spice-vdagentd,           /etc/rc.d/init.d/certmonger,
225       /etc/rc.d/init.d/varnishlog,              /etc/rc.d/init.d/varnishncsa,
226       /etc/rc.d/init.d/chronyd,               /etc/rc.d/init.d/whatsup-pingd,
227       /etc/rc.d/init.d/ip6?tables,                 /etc/rc.d/init.d/ebtables,
228       /etc/rc.d/init.d/nftables,                     /etc/rc.d/init.d/lldpad,
229       /etc/rc.d/init.d/rsyslog,                /etc/rc.d/init.d/puppetmaster,
230       /etc/rc.d/init.d/openstack-glance-registry,      /etc/rc.d/init.d/nrpe,
231       /etc/rc.d/init.d/nagios,                 /etc/rc.d/init.d/bcfg2-server,
232       /etc/rc.d/init.d/rabbitmq-server,           /etc/rc.d/init.d/mdmonitor,
233       /etc/rc.d/init.d/firewalld,                  /etc/rc.d/init.d/bacula.*,
234       /etc/rc.d/init.d/prelude-lml,         /etc/rc.d/init.d/prelude-manager,
235       /etc/rc.d/init.d/prelude-correlator,            /etc/rc.d/init.d/tuned,
236       /etc/rc.d/init.d/pmproxy,                 /usr/libexec/pcp/lib/pmproxy,
237       /etc/rc.d/init.d/kismet.*,                      /etc/rc.d/init.d/cgred,
238       /etc/rc.d/init.d/bgpd,  /etc/rc.d/init.d/ripd,  /etc/rc.d/init.d/isisd,
239       /etc/rc.d/init.d/ospfd,  /etc/rc.d/init.d/zebra,   /etc/rc.d/init.d/ba‐
240       beld,         /etc/rc.d/init.d/ospf6d,         /etc/rc.d/init.d/ripngd,
241       /etc/rc.d/init.d/ipsec,                        /etc/rc.d/init.d/racoon,
242       /etc/rc.d/init.d/strongswan, /etc/rc.d/init.d/osad
243

PROCESS TYPES

245       SELinux defines process types (domains) for each process running on the
246       system.
247
248       You can see the context of a process using the -Z option to ps.
249
250       Policy governs the access confined processes have to files. SELinux
251       initrc policy is very flexible, allowing users to set up their initrc
252       processes in as secure a method as possible.
253
254       The following process types are defined for initrc:
255
256       initrc_t
257
258       Note: semanage permissive -a initrc_t can be used to make  the  process
259       type  initrc_t  permissive.  SELinux does not deny access to permissive
260       process types, but the AVC (SELinux denials) messages are still  gener‐
261       ated.
262
263

BOOLEANS

265       SELinux  policy is customizable based on least access required.  initrc
266       policy is extremely flexible and has several booleans that allow you to
267       manipulate the policy and run initrc with the tightest access possible.
268
269
270
271       If you want to deny user domain applications the ability to map a memory
272       region as both executable and writable (such a mapping is dangerous, and
273       the executable should be reported in bugzilla), you must turn on the
274       deny_execmem boolean. Enabled by default.
275
276       setsebool -P deny_execmem 1
277
278
279
280       If you want to control the ability to mmap a low area  of  the  address
281       space,  as  configured  by /proc/sys/vm/mmap_min_addr, you must turn on
282       the mmap_low_allowed boolean. Disabled by default.
283
284       setsebool -P mmap_low_allowed 1
285
286
287
288       If you want to disable kernel module loading, you must turn on the  se‐
289       cure_mode_insmod boolean. Enabled by default.
290
291       setsebool -P secure_mode_insmod 1
292
293
294
295       If you want to allow unconfined executables to make their heap memory
296       executable, you must turn on the selinuxuser_execheap boolean. Doing
297       this is a really bad idea: it probably indicates a badly coded
298       executable, but could indicate an attack. The executable should be
299       reported in bugzilla. Disabled by default.
300
301       setsebool -P selinuxuser_execheap 1
302
303
304
305       If you want to allow unconfined executables to make their stack
306       executable, you must turn on the selinuxuser_execstack boolean. This
307       should never, ever be necessary: it probably indicates a badly coded
308       executable, but could indicate an attack. The executable should be
309       reported in bugzilla. Enabled by default.
310
311       setsebool -P selinuxuser_execstack 1
312
313
314

MANAGED FILES

316       The  SELinux  process  type  initrc_t can manage files labeled with the
317       following file types.  The paths listed are the default paths for these
318       file types.  Note that the process UID still needs DAC permissions.
319
320       file_type
321
322            all files on the system
323
324

FILE CONTEXTS

326       SELinux requires files to have an extended attribute to define the file
327       type.
328
329       You can see the context of a file using the -Z option to ls
330
331       Policy governs the access  confined  processes  have  to  these  files.
332       SELinux  initrc  policy  is very flexible allowing users to setup their
333       initrc processes in as secure a method as possible.
334
335       STANDARD FILE CONTEXT
336
337       SELinux defines the file context types for initrc. If you want to store
338       files with these types in a different path, you need to execute the
339       semanage command to specify alternate labeling and then use restorecon
340       to put the labels on disk.
341
342       semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
343       restorecon -R -v /srv/myinitrc_content
344
345       Note:  SELinux  often  uses  regular expressions to specify labels that
346       match multiple files.
347
348       The following file types are defined for initrc:
349
350
351
352       initrc_devpts_t
353
354       - Set files with the initrc_devpts_t type, if you  want  to  treat  the
355       files as initrc devpts data.
356
357
358
359       initrc_exec_t
360
361       -  Set  files with the initrc_exec_t type, if you want to transition an
362       executable to the initrc_t domain.
363
364
365       Paths:
366            /etc/init.d/.*,      /etc/rc.d/rc.[^/]+,      /etc/rc.d/init.d/.*,
367            /opt/nfast/sbin/init.d-ncipher,          /usr/libexec/dcc/stop-.*,
368            /usr/libexec/dcc/start-.*,           /usr/lib/systemd/fedora[^/]*,
369            /opt/nfast/scripts/init.d/(.*),   /etc/rc.d/rc,   /etc/X11/prefdm,
370            /usr/sbin/startx,    /usr/bin/sepg_ctl,    /usr/sbin/start-dirsrv,
371            /usr/sbin/open_init_pty,   /usr/sbin/restart-dirsrv,  /etc/syscon‐
372            fig/network-scripts/ifup-ipsec,      /usr/share/system-config-ser‐
373            vices/system-config-services-mechanism.py
374
375
376       initrc_state_t
377
378       -  Set  files  with  the  initrc_state_t type, if you want to treat the
379       files as initrc state data.
380
381
382
383       initrc_tmp_t
384
385       - Set files with the initrc_tmp_t type, if you  want  to  store  initrc
386       temporary files in the /tmp directories.
387
388
389
390       initrc_var_log_t
391
392       -  Set  files  with the initrc_var_log_t type, if you want to treat the
393       data as initrc var log data, usually stored under the  /var/log  direc‐
394       tory.
395
396
397
398       initrc_var_run_t
399
400       -  Set  files  with the initrc_var_run_t type, if you want to store the
401       initrc files under the /run or /var/run directory.
402
403
404       Paths:
405            /var/run/utmp,    /var/run/random-seed,     /var/run/runlevel.dir,
406            /var/run/setmixer_flag
407
408
409       Note:  File context can be temporarily modified with the chcon command.
410       If you want to permanently change the file context you need to use  the
411       semanage fcontext command.  This will modify the SELinux labeling data‐
412       base.  You will need to use restorecon to apply the labels.
413
414

COMMANDS

416       semanage fcontext can also be used to manipulate default  file  context
417       mappings.
418
419       semanage  permissive  can  also  be used to manipulate whether or not a
420       process type is permissive.
421
422       semanage module can also be used to enable/disable/install/remove  pol‐
423       icy modules.
424
425       semanage boolean can also be used to manipulate the booleans
426
427
428       system-config-selinux is a GUI tool available to customize SELinux pol‐
429       icy settings.
430
431

AUTHOR

433       This manual page was auto-generated using sepolicy manpage .
434
435

SEE ALSO

437       selinux(8), initrc(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
438       icy(8), setsebool(8)
439
440
441
442initrc                             21-11-19                  initrc_selinux(8)