1initrc_selinux(8)            SELinux Policy initrc           initrc_selinux(8)
2
3
4

NAME

6       initrc_selinux  -  Security  Enhanced  Linux Policy for the initrc pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  initrc  processes  via  flexible
11       mandatory access control.
12
13       The  initrc  processes  execute with the initrc_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep initrc_t
20
21
22

ENTRYPOINTS

24       The   initrc_t   SELinux   type  can  be  entered  via  the  ipa_custo‐
25       dia_ra_agent_exec_t,   zabbix_agent_initrc_exec_t,    ipa_custodia_dml‐
26       dap_exec_t,   dspam_initrc_exec_t,  snmpd_initrc_exec_t,  cgconfig_ini‐
27       trc_exec_t,  slpd_initrc_exec_t,  arpwatch_initrc_exec_t,   auditd_ini‐
28       trc_exec_t,  ftpd_initrc_exec_t,  kerberos_initrc_exec_t, collectd_ini‐
29       trc_exec_t,  sslh_initrc_exec_t,  postgresql_initrc_exec_t,   ntop_ini‐
30       trc_exec_t,   memcached_initrc_exec_t,  rngd_initrc_exec_t,  cupsd_ini‐
31       trc_exec_t,  syslogd_initrc_exec_t,   redis_initrc_exec_t,   mscan_ini‐
32       trc_exec_t,    tor_initrc_exec_t,    afs_initrc_exec_t,    iodined_ini‐
33       trc_exec_t,   cgred_initrc_exec_t,    nslcd_initrc_exec_t,    nscd_ini‐
34       trc_exec_t,    squid_initrc_exec_t,   nagios_initrc_exec_t,   tgtd_ini‐
35       trc_exec_t,   sshd_initrc_exec_t,   naemon_initrc_exec_t,    sblim_ini‐
36       trc_exec_t,   sendmail_initrc_exec_t,  zabbix_initrc_exec_t,  sssd_ini‐
37       trc_exec_t, rpcbind_initrc_exec_t, ntpd_initrc_exec_t,  pcp_plugin_ini‐
38       trc_exec_t,    spamd_initrc_exec_t,    exim_initrc_exec_t,    nfsd_ini‐
39       trc_exec_t, snort_initrc_exec_t, shell_exec_t,  minidlna_initrc_exec_t,
40       automount_initrc_exec_t,    tuned_initrc_exec_t,    acct_initrc_exec_t,
41       mrtg_initrc_exec_t, vdagentd_initrc_exec_t,  dictd_initrc_exec_t,  var‐
42       nishlog_initrc_exec_t,      boinc_initrc_exec_t,     ccs_initrc_exec_t,
43       pads_initrc_exec_t,     zebra_initrc_exec_t,      ipa_custodia_pki_tom‐
44       cat_exec_t,   canna_initrc_exec_t,  virtlogd_initrc_exec_t,  pcscd_ini‐
45       trc_exec_t, denyhosts_initrc_exec_t, dhcpd_initrc_exec_t,  privoxy_ini‐
46       trc_exec_t,    portreserve_initrc_exec_t,   ipsec_initrc_exec_t,   ora‐
47       cleasm_initrc_exec_t, aiccu_initrc_exec_t, slapd_initrc_exec_t,  aster‐
48       isk_initrc_exec_t,  openhpid_initrc_exec_t,  vnstatd_initrc_exec_t, an‐
49       tivirus_initrc_exec_t, fail2ban_initrc_exec_t,  iptables_initrc_exec_t,
50       entropyd_initrc_exec_t,  mon_statd_initrc_exec_t,  glance_registry_ini‐
51       trc_exec_t, rhnsd_initrc_exec_t, rtkit_daemon_initrc_exec_t,  tcsd_ini‐
52       trc_exec_t,   avahi_initrc_exec_t,   jabberd_initrc_exec_t,  l2tpd_ini‐
53       trc_exec_t,       minissdpd_initrc_exec_t,        mongod_initrc_exec_t,
54       smokeping_initrc_exec_t,     puppetmaster_initrc_exec_t,    soundd_ini‐
55       trc_exec_t, iwhd_initrc_exec_t, irqbalance_initrc_exec_t,  couchdb_ini‐
56       trc_exec_t,    usr_t,    roundup_initrc_exec_t,    glance_scrubber_ini‐
57       trc_exec_t,   mysqld_initrc_exec_t,   pingd_initrc_exec_t,   crond_ini‐
58       trc_exec_t,  pcp_pmcd_initrc_exec_t, openct_initrc_exec_t, foghorn_ini‐
59       trc_exec_t,  cpuplug_initrc_exec_t,   rpcd_initrc_exec_t,   lldpad_ini‐
60       trc_exec_t,   icecast_initrc_exec_t,   shorewall_initrc_exec_t,  fsdae‐
61       mon_initrc_exec_t,     wdmd_initrc_exec_t,      likewise_initrc_exec_t,
62       clvmd_initrc_exec_t, bluetooth_initrc_exec_t, zoneminder_initrc_exec_t,
63       chronyd_initrc_exec_t,  kismet_initrc_exec_t,   cobblerd_initrc_exec_t,
64       rwho_initrc_exec_t, gpsd_initrc_exec_t, prelude_initrc_exec_t, nis_ini‐
65       trc_exec_t,  cvs_initrc_exec_t,   bacula_initrc_exec_t,   ajaxterm_ini‐
66       trc_exec_t,   uucpd_initrc_exec_t,  mcelog_initrc_exec_t,  fcoemon_ini‐
67       trc_exec_t,   innd_initrc_exec_t,   psad_initrc_exec_t,   cmirrord_ini‐
68       trc_exec_t,      saslauthd_initrc_exec_t,     glance_api_initrc_exec_t,
69       kdump_initrc_exec_t, setrans_initrc_exec_t, named_initrc_exec_t,  cert‐
70       master_initrc_exec_t,    blkmapd_initrc_exec_t,   pki_ra_script_exec_t,
71       bitlbee_initrc_exec_t,   cfengine_initrc_exec_t,    NetworkManager_ini‐
72       trc_exec_t,   sensord_initrc_exec_t,   conntrackd_initrc_exec_t,   rab‐
73       bitmq_initrc_exec_t, dovecot_initrc_exec_t, postfix_initrc_exec_t, var‐
74       nishd_initrc_exec_t,   ksmtuned_initrc_exec_t,   pki_tps_script_exec_t,
75       smsd_initrc_exec_t, postgrey_initrc_exec_t, pcp_pmlogger_initrc_exec_t,
76       ciped_initrc_exec_t, glusterd_initrc_exec_t, ctdbd_initrc_exec_t, call‐
77       weaver_initrc_exec_t,   uuidd_initrc_exec_t,   rhsmcertd_initrc_exec_t,
78       cyphesis_initrc_exec_t, gpm_initrc_exec_t, ypbind_initrc_exec_t, bin_t,
79       pcp_pmie_initrc_exec_t,  condor_initrc_exec_t,   sysstat_initrc_exec_t,
80       ricci_initrc_exec_t,  apcupsd_initrc_exec_t, puppetagent_initrc_exec_t,
81       hddtemp_initrc_exec_t,   certmonger_initrc_exec_t,   mpd_initrc_exec_t,
82       portmap_initrc_exec_t,    munin_initrc_exec_t,   cluster_initrc_exec_t,
83       isnsd_initrc_exec_t,  initrc_exec_t,   drbd_initrc_exec_t,   cyrus_ini‐
84       trc_exec_t,  dhcpc_helper_exec_t, samba_initrc_exec_t, pcp_pmproxy_ini‐
85       trc_exec_t, mysqlmanagerd_initrc_exec_t, apmd_initrc_exec_t, virtd_ini‐
86       trc_exec_t,   amtu_initrc_exec_t,   ddclient_initrc_exec_t,  radvd_ini‐
87       trc_exec_t,  httpd_initrc_exec_t,  qpidd_initrc_exec_t,   svnserve_ini‐
88       trc_exec_t,      gdomap_initrc_exec_t,     lircd_initrc_exec_t,     pi‐
89       ranha_pulse_initrc_exec_t,  pppd_initrc_exec_t,   polipo_initrc_exec_t,
90       firewalld_initrc_exec_t,  openvpn_initrc_exec_t, vhostmd_initrc_exec_t,
91       watchdog_initrc_exec_t,     bcfg2_initrc_exec_t,      dlm_controld_ini‐
92       trc_exec_t,   fetchmail_initrc_exec_t,  pkcs_slotd_initrc_exec_t,  neu‐
93       tron_initrc_exec_t,    keystone_initrc_exec_t,     ulogd_initrc_exec_t,
94       abrt_initrc_exec_t,   radiusd_initrc_exec_t,   hypervkvp_initrc_exec_t,
95       dnsmasq_initrc_exec_t,  osad_initrc_exec_t,  mdadm_initrc_exec_t,  san‐
96       lock_initrc_exec_t file types.
97
98       The default entrypoint paths for the initrc_t domain are the following:
99
100       All  executables  with  the default executable label, usually stored in
101       /usr/bin  and  /usr/sbin.    /usr/libexec/ipa/custodia/ipa-custodia-ra-
102       agent,  /etc/rc.d/init.d/zabbix-agentd,  /usr/libexec/ipa/custodia/ipa-
103       custodia-dmldap,  /etc/rc.d/init.d/dspam,   /etc/rc.d/init.d/(snmpd|sn‐
104       mptrapd),       /etc/rc.d/init.d/cgconfig,       /etc/rc.d/init.d/slpd,
105       /etc/rc.d/init.d/arpwatch,                     /etc/rc.d/init.d/auditd,
106       /etc/rc.d/init.d/vsftpd,                      /etc/rc.d/init.d/proftpd,
107       /etc/rc.d/init.d/kprop,                       /etc/rc.d/init.d/kadmind,
108       /etc/rc.d/init.d/krb524d,                     /etc/rc.d/init.d/krb5kdc,
109       /etc/rc.d/init.d/collectd,                       /etc/rc.d/init.d/sslh,
110       /etc/rc.d/init.d/(se)?postgresql,                /etc/rc.d/init.d/ntop,
111       /etc/rc.d/init.d/memcached,                      /etc/rc.d/init.d/rngd,
112       /etc/rc.d/init.d/cups,  /etc/rc.d/init.d/rsyslog,  /etc/rc.d/init.d/re‐
113       dis,        /etc/rc.d/init.d/MailScanner,         /etc/rc.d/init.d/tor,
114       /etc/rc.d/init.d/(open)?afs,           /etc/rc.d/init.d/openafs-client,
115       /etc/rc.d/init.d/((iodined)|(iodine-server)),   /etc/rc.d/init.d/cgred,
116       /etc/rc.d/init.d/nslcd,  /etc/rc.d/init.d/nscd, /etc/rc.d/init.d/squid,
117       /etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios,  /etc/rc.d/init.d/tgtd,
118       /etc/rc.d/init.d/sshd,  /etc/rc.d/init.d/naemon, /etc/rc.d/init.d/gath‐
119       erer,     /etc/rc.d/init.d/sblim-sfcbd,      /etc/rc.d/init.d/sendmail,
120       /etc/rc.d/init.d/(zabbix|zabbix-server),         /etc/rc.d/init.d/sssd,
121       /etc/rc.d/init.d/rpcbind,                        /etc/rc.d/init.d/ntpd,
122       /etc/rc.d/init.d/mimedefang.*,                  /etc/rc.d/init.d/spamd,
123       /etc/rc.d/init.d/pyzord,                       /etc/rc.d/init.d/spampd,
124       /etc/rc.d/init.d/exim,  /etc/rc.d/init.d/nfs,  /etc/rc.d/init.d/snortd,
125       /bin/d?ash,  /bin/ksh.*,  /bin/zsh.*,  /usr/bin/d?ash,  /usr/bin/ksh.*,
126       /usr/bin/zsh.*,  /bin/esh,  /bin/bash, /bin/fish, /bin/mksh, /bin/sash,
127       /bin/tcsh,   /bin/yash,   /bin/bash2,   /usr/bin/esh,    /sbin/nologin,
128       /usr/bin/bash,     /usr/bin/fish,     /usr/bin/mksh,     /usr/bin/sash,
129       /usr/bin/tcsh,    /usr/bin/yash,    /usr/bin/bash2,     /usr/sbin/sesh,
130       /usr/sbin/smrsh,  /usr/bin/scponly,  /usr/libexec/sesh, /usr/sbin/nolo‐
131       gin,  /usr/bin/git-shell,  /usr/sbin/scponlyc,  /usr/libexec/sudo/sesh,
132       /usr/bin/cockpit-bridge,  /usr/libexec/cockpit-agent, /usr/libexec/git-
133       core/git-shell,   /etc/rc.d/init.d/minidlna,   /etc/rc.d/init.d/autofs,
134       /etc/rc.d/init.d/tuned, /etc/rc.d/init.d/psacct, /etc/rc.d/init.d/mrtg,
135       /etc/rc.d/init.d/spice-vdagentd,                /etc/rc.d/init.d/dictd,
136       /etc/rc.d/init.d/varnishlog,              /etc/rc.d/init.d/varnishncsa,
137       /etc/rc.d/init.d/boinc-client,         /etc/rc.d/init.d/((ccs)|(ccsd)),
138       /etc/rc.d/init.d/pads,   /etc/rc.d/init.d/bgpd,  /etc/rc.d/init.d/ripd,
139       /etc/rc.d/init.d/isisd, /etc/rc.d/init.d/ospfd, /etc/rc.d/init.d/zebra,
140       /etc/rc.d/init.d/babeld, /etc/rc.d/init.d/ospf6d, /etc/rc.d/init.d/rip‐
141       ngd,                 /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat,
142       /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped,
143       /etc/rc.d/init.d/canna, /etc/rc.d/init.d/virtlogd, /etc/rc.d/init.d/pc‐
144       scd,       /etc/rc.d/init.d/denyhosts,      /etc/rc.d/init.d/dhcpd(6)?,
145       /etc/rc.d/init.d/dhcrelay(6)?,                /etc/rc.d/init.d/privoxy,
146       /etc/rc.d/init.d/portreserve,                   /etc/rc.d/init.d/ipsec,
147       /etc/rc.d/init.d/racoon,                   /etc/rc.d/init.d/strongswan,
148       /etc/rc.d/init.d/oracleasm,                     /etc/rc.d/init.d/aiccu,
149       /etc/rc.d/init.d/slapd,                      /etc/rc.d/init.d/asterisk,
150       /etc/rc.d/init.d/openhpid,                     /etc/rc.d/init.d/vnstat,
151       /etc/rc.d/init.d/clamd.*,                      /etc/rc.d/init.d/amavis,
152       /etc/rc.d/init.d/amavisd-snmp,               /etc/rc.d/init.d/fail2ban,
153       /etc/rc.d/init.d/ip6?tables,                 /etc/rc.d/init.d/ebtables,
154       /etc/rc.d/init.d/nftables,                 /etc/rc.d/init.d/((audio-en‐
155       tropyd)|(haveged)), /etc/rc.d/init.d/mon_statd,  /etc/rc.d/init.d/open‐
156       stack-glance-registry,  /etc/rc.d/init.d/rhnsd, /etc/rc.d/init.d/rtkit-
157       daemon,   /etc/rc.d/init.d/(tcsd|trousers),   /etc/rc.d/init.d/avahi.*,
158       /etc/rc.d/init.d/jabberd,                     /etc/rc.d/init.d/.*l2tpd,
159       /etc/rc.d/init.d/minissdpd,                    /etc/rc.d/init.d/mongod,
160       /etc/rc.d/init.d/mongos,                    /etc/rc.d/init.d/smokeping,
161       /etc/rc.d/init.d/puppetmaster,                   /etc/rc.d/init.d/nasd,
162       /etc/rc.d/init.d/iwhd,                     /etc/rc.d/init.d/irqbalance,
163       /etc/rc.d/init.d/couchdb, /opt/.*,  /usr/.*,  /emul/.*,  /export(/.*)?,
164       /ostree(/.*)?,       /usr/doc(/.*)?/lib(/.*)?,      /usr/inclu.e(/.*)?,
165       /usr/share/rpm(/.*)?,   /usr/share/doc(/.*)?/README.*,    /usr/lib/mod‐
166       ules(/.*)/vmlinuz, /usr/lib/modules(/.*)/initramfs.img, /usr/lib/sysim‐
167       age(/.*)?,    /usr/lib/ostree-boot(/.*)?,    /opt,     /usr,     /emul,
168       /etc/rc.d/init.d/roundup,   /etc/rc.d/init.d/openstack-glance-scrubber,
169       /etc/rc.d/init.d/mysqld,                /etc/rc.d/init.d/whatsup-pingd,
170       /etc/rc.d/init.d/atd, /etc/rc.d/init.d/pmcd, /usr/libexec/pcp/lib/pmcd,
171       /etc/rc.d/init.d/openct,                     /etc/rc.d/init.d/cpuplugd,
172       /etc/rc.d/init.d/nfslock,                   /etc/rc.d/init.d/rpcidmapd,
173       /etc/rc.d/init.d/lldpad,                      /etc/rc.d/init.d/icecast,
174       /etc/rc.d/init.d/shorewall.*,  /etc/rc.d/init.d/(smartd|smartmontools),
175       /etc/rc.d/init.d/wdmd, /etc/rc.d/init.d/lwiod,  /etc/rc.d/init.d/lwsmd,
176       /etc/rc.d/init.d/lsassd,                       /etc/rc.d/init.d/lwregd,
177       /etc/rc.d/init.d/dcerpcd,                     /etc/rc.d/init.d/srvsvcd,
178       /etc/rc.d/init.d/likewise,                  /etc/rc.d/init.d/eventlogd,
179       /etc/rc.d/init.d/netlogond,                      /etc/rc.d/init.d/dund,
180       /etc/rc.d/init.d/pand,                      /etc/rc.d/init.d/bluetooth,
181       /etc/rc.d/init.d/zoneminder,                  /etc/rc.d/init.d/chronyd,
182       /etc/rc.d/init.d/kismet.*,                   /etc/rc.d/init.d/cobblerd,
183       /etc/rc.d/init.d/rwhod,  /etc/rc.d/init.d/gpsd,   /etc/rc.d/init.d/pre‐
184       lude-lml,  /etc/rc.d/init.d/prelude-manager,  /etc/rc.d/init.d/prelude-
185       correlator,      /etc/rc.d/init.d/ypserv,      /etc/rc.d/init.d/ypxfrd,
186       /etc/rc.d/init.d/yppasswd,  /etc/rc.d/init.d/cvs, /etc/rc.d/init.d/bac‐
187       ula.*,        /etc/rc.d/init.d/ajaxterm,         /etc/rc.d/init.d/uucp,
188       /etc/rc.d/init.d/mcelog,  /etc/rc.d/init.d/fcoe, /etc/rc.d/init.d/innd,
189       /etc/rc.d/init.d/psad,                       /etc/rc.d/init.d/cmirrord,
190       /etc/rc.d/init.d/sasl,           /etc/rc.d/init.d/openstack-glance-api,
191       /etc/rc.d/init.d/kdump,                      /etc/rc.d/init.d/mcstrans,
192       /etc/rc.d/init.d/named,                       /etc/rc.d/init.d/unbound,
193       /etc/rc.d/init.d/named-sdb,                /etc/rc.d/init.d/certmaster,
194       /etc/rc.d/init.d/blkmapd,                     /etc/rc.d/init.d/bitlbee,
195       /etc/rc.d/init.d/((cf-serverd)|(cf-monitord)|(cf-execd)),
196       /etc/rc.d/init.d/wicd,  /etc/rc.d/init.d/sensord, /etc/rc.d/init.d/rab‐
197       bitmq-server,    /etc/rc.d/init.d/dovecot,    /etc/rc.d/init.d/postfix,
198       /etc/rc.d/init.d/varnish,                    /etc/rc.d/init.d/ksmtuned,
199       /etc/rc.d/init.d/smsd, /etc/rc.d/init.d/postgrey,  /etc/rc.d/init.d/pm‐
200       logger,     /usr/libexec/pcp/lib/pmlogger,    /etc/rc.d/init.d/ciped.*,
201       /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd,  /etc/rc.d/init.d/ctdb,
202       /etc/rc.d/init.d/callweaver,                    /etc/rc.d/init.d/uuidd,
203       /etc/rc.d/init.d/rhsmcertd,                  /etc/rc.d/init.d/cyphesis,
204       /etc/rc.d/init.d/gpm,  /etc/rc.d/init.d/ypbind,  /etc/rc.d/init.d/pmie,
205       /usr/libexec/pcp/lib/pmie,                     /etc/rc.d/init.d/condor,
206       /etc/rc.d/init.d/sysstat,                       /etc/rc.d/init.d/ricci,
207       /etc/rc.d/init.d/apcupsd, /etc/rc.d/init.d/puppet, /etc/rc.d/init.d/hd‐
208       dtemp,        /etc/rc.d/init.d/certmonger,        /etc/rc.d/init.d/mpd,
209       /etc/rc.d/init.d/portmap,                  /etc/rc.d/init.d/munin-node,
210       /etc/rc.d/init.d/openais,                    /etc/rc.d/init.d/corosync,
211       /etc/rc.d/init.d/cpglockd,                  /etc/rc.d/init.d/heartbeat,
212       /etc/rc.d/init.d/pacemaker,                 /etc/rc.d/init.d/rgmanager,
213       /etc/rc.d/init.d/isnsd,       /etc/init.d/.*,       /etc/rc.d/rc.[^/]+,
214       /etc/rc.d/init.d/.*,                    /opt/nfast/sbin/init.d-ncipher,
215       /usr/libexec/dcc/stop-.*,   /usr/libexec/dcc/start-.*,    /usr/lib/sys‐
216       temd/fedora[^/]*,     /opt/nfast/scripts/init.d/(.*),     /etc/rc.d/rc,
217       /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl,  /usr/sbin/start-
218       dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/syscon‐
219       fig/network-scripts/ifup-ipsec,  /usr/share/system-config-services/sys‐
220       tem-config-services-mechanism.py,                /etc/rc.d/init.d/drbd,
221       /etc/rc.d/init.d/cyrus.*,              /etc/firestarter/firestarter.sh,
222       /etc/rc.d/init.d/nmb,  /etc/rc.d/init.d/smb,  /etc/rc.d/init.d/winbind,
223       /etc/rc.d/init.d/pmproxy,                 /usr/libexec/pcp/lib/pmproxy,
224       /etc/rc.d/init.d/mysqlmanager,                  /etc/rc.d/init.d/acpid,
225       /etc/rc.d/init.d/libvirtd, /etc/rc.d/init.d/amtu,  /etc/rc.d/init.d/dd‐
226       client,          /etc/rc.d/init.d/radvd,          /etc/init.d/cherokee,
227       /etc/rc.d/init.d/httpd,                      /etc/rc.d/init.d/lighttpd,
228       /etc/rc.d/init.d/qpidd,                      /etc/rc.d/init.d/svnserve,
229       /etc/rc.d/init.d/gdomap, /etc/rc.d/init.d/lirc, /etc/rc.d/init.d/pulse,
230       /etc/ppp/(auth|ip(v6|x)?)-(up|down),              /etc/rc.d/init.d/ppp,
231       /etc/rc.d/init.d/polipo,                    /etc/rc.d/init.d/firewalld,
232       /etc/rc.d/init.d/openvpn,                     /etc/rc.d/init.d/vhostmd,
233       /etc/rc.d/init.d/watchdog,               /etc/rc.d/init.d/bcfg2-server,
234       /etc/rc.d/init.d/fetchmail,                 /etc/rc.d/init.d/pkcsslotd,
235       /etc/rc.d/init.d/neutron.*,                 /etc/rc.d/init.d/quantum.*,
236       /etc/rc.d/init.d/openstack-keystone,            /etc/rc.d/init.d/ulogd,
237       /etc/rc.d/init.d/abrt,  /etc/rc.d/init.d/radiusd,  /etc/rc.d/init.d/hy‐
238       pervkvpd,        /etc/rc.d/init.d/dnsmasq,       /etc/rc.d/init.d/osad,
239       /etc/rc.d/init.d/mdmonitor, /etc/rc.d/init.d/sanlock
240

PROCESS TYPES

242       SELinux defines process types (domains) for each process running on the
243       system
244
245       You can see the context of a process using the -Z option to ps
246
247       Policy  governs  the  access confined processes have to files.  SELinux
248       initrc policy is very flexible allowing users  to  setup  their  initrc
249       processes in as secure a method as possible.
250
251       The following process types are defined for initrc:
252
253       initrc_t
254
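       Note: semanage permissive -a initrc_t can be used to make the process
       type initrc_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated. A permissive domain is logged but not confined, so use this
       only while troubleshooting and remove it afterwards with
       semanage permissive -d initrc_t.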
259
260

BOOLEANS

262       SELinux policy is customizable based on least access required.   initrc
263       policy is extremely flexible and has several booleans that allow you to
264       manipulate the policy and run initrc with the tightest access possible.
265
266
267
       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable, you must turn on the
       deny_execmem boolean. Such mappings are dangerous, and an executable
       that needs one should be reported in bugzilla. Enabled by default.
272
273       setsebool -P deny_execmem 1
274
275
276
277       If  you  want  to control the ability to mmap a low area of the address
278       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
279       the mmap_low_allowed boolean. Disabled by default.
280
281       setsebool -P mmap_low_allowed 1
282
283
284
285       If  you want to disable kernel module loading, you must turn on the se‐
286       cure_mode_insmod boolean. Enabled by default.
287
288       setsebool -P secure_mode_insmod 1
289
290
291
       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean. Doing
       this is a really bad idea: an executable that needs it is probably
       badly coded, but the request could also indicate an attack. Such an
       executable should be reported in bugzilla. Disabled by default.
297
298       setsebool -P selinuxuser_execheap 1
299
300
301
       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: an executable that needs it is
       probably badly coded, but the request could also indicate an attack.
       Such an executable should be reported in bugzilla. Enabled by default;
       where nothing on the system needs an executable stack, the boolean can
       be turned off with setsebool -P selinuxuser_execstack 0.
307
308       setsebool -P selinuxuser_execstack 1
309
310
311

MANAGED FILES

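       The SELinux process type initrc_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions: SELinux checks apply in addition to the ordinary file
       permission checks, not instead of them. Because file_type below covers
       every file on the system, initrc_t is a broadly privileged domain.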
316
317       file_type
318
319            all files on the system
320
321

FILE CONTEXTS

323       SELinux requires files to have an extended attribute to define the file
324       type.
325
326       You can see the context of a file using the -Z option to ls
327
328       Policy  governs  the  access  confined  processes  have to these files.
329       SELinux initrc policy is very flexible allowing users  to  setup  their
330       initrc processes in as secure a method as possible.
331
332       STANDARD FILE CONTEXT
333
       SELinux defines the file context types for initrc. If you want to
       store files with these types in a different path, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.
338
339       semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
340       restorecon -R -v /srv/myinitrc_content
341
342       Note: SELinux often uses regular expressions  to  specify  labels  that
343       match multiple files.
344
345       The following file types are defined for initrc:
346
347
348
349       initrc_devpts_t
350
351       -  Set  files  with  the initrc_devpts_t type, if you want to treat the
352       files as initrc devpts data.
353
354
355
356       initrc_exec_t
357
358       - Set files with the initrc_exec_t type, if you want to  transition  an
359       executable to the initrc_t domain.
360
361
362       Paths:
363            /etc/init.d/.*,      /etc/rc.d/rc.[^/]+,      /etc/rc.d/init.d/.*,
364            /opt/nfast/sbin/init.d-ncipher,          /usr/libexec/dcc/stop-.*,
365            /usr/libexec/dcc/start-.*,           /usr/lib/systemd/fedora[^/]*,
366            /opt/nfast/scripts/init.d/(.*),   /etc/rc.d/rc,   /etc/X11/prefdm,
367            /usr/sbin/startx,    /usr/bin/sepg_ctl,    /usr/sbin/start-dirsrv,
368            /usr/sbin/open_init_pty,  /usr/sbin/restart-dirsrv,   /etc/syscon‐
369            fig/network-scripts/ifup-ipsec,      /usr/share/system-config-ser‐
370            vices/system-config-services-mechanism.py
371
372
373       initrc_state_t
374
375       - Set files with the initrc_state_t type, if  you  want  to  treat  the
376       files as initrc state data.
377
378
379
380       initrc_tmp_t
381
382       -  Set  files  with  the initrc_tmp_t type, if you want to store initrc
383       temporary files in the /tmp directories.
384
385
386
387       initrc_var_log_t
388
389       - Set files with the initrc_var_log_t type, if you want  to  treat  the
390       data  as  initrc var log data, usually stored under the /var/log direc‐
391       tory.
392
393
394
395       initrc_var_run_t
396
397       - Set files with the initrc_var_run_t type, if you want  to  store  the
398       initrc files under the /run or /var/run directory.
399
400
401       Paths:
402            /var/run/utmp,     /var/run/random-seed,    /var/run/runlevel.dir,
403            /var/run/setmixer_flag
404
405
406       Note: File context can be temporarily modified with the chcon  command.
407       If  you want to permanently change the file context you need to use the
408       semanage fcontext command.  This will modify the SELinux labeling data‐
409       base.  You will need to use restorecon to apply the labels.
410
411

COMMANDS

413       semanage  fcontext  can also be used to manipulate default file context
414       mappings.
415
416       semanage permissive can also be used to manipulate  whether  or  not  a
417       process type is permissive.
418
419       semanage  module can also be used to enable/disable/install/remove pol‐
420       icy modules.
421
422       semanage boolean can also be used to manipulate the booleans
423
424
425       system-config-selinux is a GUI tool available to customize SELinux pol‐
426       icy settings.
427
428

AUTHOR

       This manual page was auto-generated using sepolicy manpage.
431
432

SEE ALSO

434       selinux(8),  initrc(8),  semanage(8),  restorecon(8),  chcon(1), sepol‐
435       icy(8), setsebool(8)
436
437
438
439initrc                             22-05-27                  initrc_selinux(8)