1init_selinux(8) SELinux Policy init init_selinux(8)
2
3
4
6 init_selinux - Security Enhanced Linux Policy for the init processes
7
9 Security-Enhanced Linux secures the init processes via flexible manda‐
10 tory access control.
11
12 The init processes execute with the init_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep init_t
19
20
21
23 The init_t SELinux type can be entered via the init_exec_t,
24 shell_exec_t file types.
25
26 The default entrypoint paths for the init_t domain are the following:
27
28 /sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
29 /usr/lib/systemd/system-generators/[^/]*, /bin/systemd, /sbin/upstart,
30 /usr/bin/systemd, /usr/sbin/upstart, /bin/d?ash, /bin/ksh.*,
31 /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh,
32 /bin/bash, /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
33 /bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
34 /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
35 /usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
36 /usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-shell,
37 /usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
38 /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell
39
41 SELinux defines process types (domains) for each process running on the
42 system
43
44 You can see the context of a process using the -Z option to ps
45
46 Policy governs the access confined processes have to files. SELinux
47 init policy is very flexible allowing users to setup their init pro‐
48 cesses in as secure a method as possible.
49
50 The following process types are defined for init:
51
52 init_t, initrc_t
53
54 Note: semanage permissive -a init_t can be used to make the process
55 type init_t permissive. SELinux does not deny access to permissive
56 process types, but the AVC (SELinux denials) messages are still gener‐
57 ated.
58
59
61 SELinux policy is customizable based on least access required. init
62 policy is extremely flexible and has several booleans that allow you to
63 manipulate the policy and run init with the tightest access possible.
64
65
66
67 If you want to allow init audit_control capability, you must turn on
68 the init_audit_control boolean. Disabled by default.
69
70 setsebool -P init_audit_control 1
71
72
73
74 If you want to enable init create, setattr, mounton on non_secu‐
75 rity_file_type, you must turn on the init_create_dirs boolean. Enabled
76 by default.
77
78 setsebool -P init_create_dirs 1
79
80
81
82 If you want to deny all system processes and Linux users to use blue‐
83 tooth wireless technology, you must turn on the deny_bluetooth boolean.
84 Enabled by default.
85
86 setsebool -P deny_bluetooth 1
87
88
89
90 If you want to allow all domains to execute in fips_mode, you must turn
91 on the fips_mode boolean. Enabled by default.
92
93 setsebool -P fips_mode 1
94
95
96
97 If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
98 you must turn on the nagios_run_sudo boolean. Disabled by default.
99
100 setsebool -P nagios_run_sudo 1
101
102
103
104 If you want to disable kernel module loading, you must turn on the se‐
105 cure_mode_insmod boolean. Enabled by default.
106
107 setsebool -P secure_mode_insmod 1
108
109
110
112 The SELinux process type init_t can manage files labeled with the fol‐
113 lowing file types. The paths listed are the default paths for these
114 file types. Note the processes UID still need to have DAC permissions.
115
116 auditd_etc_t
117
118 /etc/audit(/.*)?
119
120 binfmt_misc_fs_t
121
122
123 boolean_type
124
125
126 bpf_t
127
128 /sys/fs/bpf
129
130 consolekit_log_t
131
132 /var/log/ConsoleKit(/.*)?
133
134 etc_aliases_t
135
136 /etc/mail/.*.db
137 /etc/mail/aliases.*
138 /etc/postfix/aliases.*
139 /etc/aliases
140 /etc/aliases.db
141
142 faillog_t
143
144 /var/log/btmp.*
145 /var/log/faillog.*
146 /var/log/tallylog.*
147 /var/run/faillock(/.*)?
148
149 gnome_home_type
150
151
152 init_tmp_t
153
154
155 init_var_lib_t
156
157 /var/lib/systemd(/.*)?
158 /var/lib/private/systemd(/.*)?
159
160 initrc_state_t
161
162
163 krb5_host_rcache_t
164
165 /var/tmp/krb5_0.rcache2
166 /var/cache/krb5rcache(/.*)?
167 /var/tmp/nfs_0
168 /var/tmp/DNS_25
169 /var/tmp/host_0
170 /var/tmp/imap_0
171 /var/tmp/HTTP_23
172 /var/tmp/HTTP_48
173 /var/tmp/ldap_55
174 /var/tmp/ldap_487
175 /var/tmp/ldapmap1_0
176
177 krb5_keytab_t
178
179 /var/kerberos/krb5(/.*)?
180 /etc/krb5.keytab
181 /etc/krb5kdc/kadm5.keytab
182 /var/kerberos/krb5kdc/kadm5.keytab
183
184 lastlog_t
185
186 /var/log/lastlog.*
187
188 lockfile
189
190
191 mnt_t
192
193 /mnt(/[^/]*)?
194 /mnt(/[^/]*)?
195 /rhev(/[^/]*)?
196 /rhev/[^/]*/.*
197 /media(/[^/]*)?
198 /media(/[^/]*)?
199 /media/.hal-.*
200 /var/run/media(/[^/]*)?
201 /afs
202 /net
203 /misc
204 /rhev
205
206 print_spool_t
207
208 /var/spool/lpd(/.*)?
209 /var/spool/cups(/.*)?
210 /var/spool/cups-pdf(/.*)?
211
212 random_seed_t
213
214 /var/lib/random-seed
215 /usr/var/lib/random-seed
216
217 svirt_file_type
218
219
220 sysctl_type
221
222
223 sysfs_t
224
225 /sys(/.*)?
226
227 systemd_home_t
228
229 /root/.local/share/systemd(/.*)?
230 /home/[^/]+/.local/share/systemd(/.*)?
231
232 systemd_unit_file_type
233
234
235 tmpfs_t
236
237 /dev/shm
238 /var/run/shm
239 /usr/lib/udev/devices/shm
240
241 udev_rules_t
242
243 /etc/udev/rules.d(/.*)?
244
245 var_lib_nfs_t
246
247 /var/lib/nfs(/.*)?
248
249 var_lib_t
250
251 /opt/(.*/)?var/lib(/.*)?
252 /var/lib(/.*)?
253
254 var_log_t
255
256 /var/log/.*
257 /nsr/logs(/.*)?
258 /var/webmin(/.*)?
259 /var/log/secure[^/]*
260 /opt/zimbra/log(/.*)?
261 /var/log/maillog[^/]*
262 /var/log/spooler[^/]*
263 /var/log/messages[^/]*
264 /usr/centreon/log(/.*)?
265 /var/spool/rsyslog(/.*)?
266 /var/axfrdns/log/main(/.*)?
267 /var/spool/bacula/log(/.*)?
268 /var/tinydns/log/main(/.*)?
269 /var/dnscache/log/main(/.*)?
270 /var/stockmaniac/templates_cache(/.*)?
271 /opt/Symantec/scspagent/IDS/system(/.*)?
272 /var/log
273 /var/log/dmesg
274 /var/log/syslog
275 /var/named/chroot/var/log
276
277 wtmp_t
278
279 /var/log/wtmp.*
280
281
283 SELinux requires files to have an extended attribute to define the file
284 type.
285
286 You can see the context of a file using the -Z option to ls
287
288 Policy governs the access confined processes have to these files.
289 SELinux init policy is very flexible allowing users to setup their init
290 processes in as secure a method as possible.
291
292 EQUIVALENCE DIRECTORIES
293
294
295 init policy stores data with multiple different file context types un‐
296 der the /var/run/systemd directory. If you would like to store the
297 data in a different directory you can use the semanage command to cre‐
298 ate an equivalence mapping. If you wanted to store this data under the
299 /srv directory you would execute the following command:
300
301 semanage fcontext -a -e /var/run/systemd /srv/systemd
302 restorecon -R -v /srv/systemd
303
304 STANDARD FILE CONTEXT
305
306 SELinux defines the file context types for the init, if you wanted to
307 store files with these types in a diffent paths, you need to execute
308 the semanage command to specify alternate labeling and then use re‐
309 storecon to put the labels on disk.
310
311 semanage fcontext -a -t initrc_var_run_t '/srv/myinit_content(/.*)?'
312 restorecon -R -v /srv/myinit_content
313
314 Note: SELinux often uses regular expressions to specify labels that
315 match multiple files.
316
317 The following file types are defined for init:
318
319
320
321 init_exec_t
322
323 - Set files with the init_exec_t type, if you want to transition an ex‐
324 ecutable to the init_t domain.
325
326
327 Paths:
328 /sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
329 /usr/lib/systemd/system-generators/[^/]*, /bin/systemd, /sbin/up‐
330 start, /usr/bin/systemd, /usr/sbin/upstart
331
332
333 init_tmp_t
334
335 - Set files with the init_tmp_t type, if you want to store init tempo‐
336 rary files in the /tmp directories.
337
338
339
340 init_var_lib_t
341
342 - Set files with the init_var_lib_t type, if you want to store the init
343 files under the /var/lib directory.
344
345
346 Paths:
347 /var/lib/systemd(/.*)?, /var/lib/private/systemd(/.*)?
348
349
350 init_var_run_t
351
352 - Set files with the init_var_run_t type, if you want to store the init
353 files under the /run or /var/run directory.
354
355
356
357 initctl_t
358
359 - Set files with the initctl_t type, if you want to treat the files as
360 initctl data.
361
362
363 Paths:
364 /dev/initctl, /var/run/initctl, /var/run/systemd/initctl/fifo
365
366
367 initrc_devpts_t
368
369 - Set files with the initrc_devpts_t type, if you want to treat the
370 files as initrc devpts data.
371
372
373
374 initrc_exec_t
375
376 - Set files with the initrc_exec_t type, if you want to transition an
377 executable to the initrc_t domain.
378
379
380 Paths:
381 /etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
382 /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
383 /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
384 /opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
385 /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-dirsrv,
386 /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/syscon‐
387 fig/network-scripts/ifup-ipsec, /usr/share/system-config-ser‐
388 vices/system-config-services-mechanism.py
389
390
391 initrc_state_t
392
393 - Set files with the initrc_state_t type, if you want to treat the
394 files as initrc state data.
395
396
397
398 initrc_tmp_t
399
400 - Set files with the initrc_tmp_t type, if you want to store initrc
401 temporary files in the /tmp directories.
402
403
404
405 initrc_var_log_t
406
407 - Set files with the initrc_var_log_t type, if you want to treat the
408 data as initrc var log data, usually stored under the /var/log direc‐
409 tory.
410
411
412
413 initrc_var_run_t
414
415 - Set files with the initrc_var_run_t type, if you want to store the
416 initrc files under the /run or /var/run directory.
417
418
419 Paths:
420 /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
421 /var/run/setmixer_flag
422
423
424 Note: File context can be temporarily modified with the chcon command.
425 If you want to permanently change the file context you need to use the
426 semanage fcontext command. This will modify the SELinux labeling data‐
427 base. You will need to use restorecon to apply the labels.
428
429
431 semanage fcontext can also be used to manipulate default file context
432 mappings.
433
434 semanage permissive can also be used to manipulate whether or not a
435 process type is permissive.
436
437 semanage module can also be used to enable/disable/install/remove pol‐
438 icy modules.
439
440 semanage boolean can also be used to manipulate the booleans
441
442
443 system-config-selinux is a GUI tool available to customize SELinux pol‐
444 icy settings.
445
446
448 This manual page was auto-generated using sepolicy manpage .
449
450
452 selinux(8), init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
453 setsebool(8)
454
455
456
457init 22-05-27 init_selinux(8)