init_selinux(8)               SELinux Policy init              init_selinux(8)


NAME

       init_selinux - Security Enhanced Linux Policy for the init processes


DESCRIPTION

       Security-Enhanced Linux secures the init processes via flexible
       mandatory access control.

       The init processes execute with the init_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep init_t


ENTRYPOINTS

       The init_t SELinux type can be entered via the init_exec_t and
       shell_exec_t file types.

       The default entrypoint paths for the init_t domain are the following:

       /sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
       /usr/lib/systemd/system-generators/[^/]*, /bin/systemd, /sbin/upstart,
       /usr/bin/systemd, /usr/sbin/upstart, /bin/d?ash, /bin/ksh.*,
       /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh,
       /bin/bash, /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
       /bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
       /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
       /usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
       /usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-shell,
       /usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
       /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell

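       The following script is an added example; it is not part of this
       manual page or of sepolicy. It classifies an executable path against
       the entrypoint regexes listed above, so that when ps -eZ shows a
       process in init_t you can check whether its binary is one of the
       default entrypoints at all. The first group of regexes is the
       init_exec_t "Paths:" entry from the FILE CONTEXTS section; the
       remaining entrypoint paths are treated as shell_exec_t, the only other
       entrypoint type this page names (that split is an assumption). The
       names matches_any, entrypoint_type, INIT_EXEC_RE and SHELL_EXEC_RE are
       invented for the example.

```sh
#!/bin/sh
# Added example (not from init_selinux(8) or sepolicy): classify a path by
# the init_t entrypoint file-context regexes the manual page lists.

# Regexes copied from the manual page's init_exec_t "Paths:" entry.
INIT_EXEC_RE='/sbin/init(ng)? /usr/sbin/init(ng)? /usr/lib/systemd/[^/]* /usr/lib/systemd/system-generators/[^/]* /bin/systemd /sbin/upstart /usr/bin/systemd /usr/sbin/upstart'

# The remaining entrypoint paths from the ENTRYPOINTS section. Assumption:
# these carry shell_exec_t, the other entrypoint type the page names.
SHELL_EXEC_RE='/bin/d?ash /bin/ksh.* /bin/zsh.* /usr/bin/d?ash /usr/bin/ksh.* /usr/bin/zsh.* /bin/esh /bin/bash /bin/fish /bin/mksh /bin/sash /bin/tcsh /bin/yash /bin/bash2 /usr/bin/esh /sbin/nologin /usr/bin/bash /usr/bin/fish /usr/bin/mksh /usr/bin/sash /usr/bin/tcsh /usr/bin/yash /usr/bin/bash2 /usr/sbin/sesh /usr/sbin/smrsh /usr/bin/scponly /usr/libexec/sesh /usr/sbin/nologin /usr/bin/git-shell /usr/sbin/scponlyc /usr/libexec/sudo/sesh /usr/bin/cockpit-bridge /usr/libexec/cockpit-agent /usr/libexec/git-core/git-shell'

# matches_any PATH REGEX_LIST: succeed if PATH matches one regex as a whole
# line (-x), the way a file_contexts entry must match the full path.
matches_any() {
    path=$1
    list=$2
    set -f                      # patterns such as [^/]* must not be globbed
    for re in $list; do
        if printf '%s\n' "$path" | grep -Eqx -- "$re"; then
            set +f
            return 0
        fi
    done
    set +f
    return 1
}

# entrypoint_type PATH: print the entrypoint file type the path would carry
# under the default labeling, or "none" if it is not an init_t entrypoint.
entrypoint_type() {
    if matches_any "$1" "$INIT_EXEC_RE"; then
        echo init_exec_t
    elif matches_any "$1" "$SHELL_EXEC_RE"; then
        echo shell_exec_t
    else
        echo none
    fi
}

# Stand-alone use: entrypoint_type /usr/lib/systemd/systemd
[ $# -gt 0 ] && entrypoint_type "$1"
```

       The check only reflects the default paths on this page; a host with
       local semanage fcontext additions may label further paths as
       entrypoints, and the authoritative answer on a live system is the
       label shown by ls -Z on the binary.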

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       init policy is very flexible, allowing users to set up their init
       processes in as secure a method as possible.

       The following process types are defined for init:

       init_t, initrc_t

       Note: semanage permissive -a init_t can be used to make the process
       type init_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. init
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run init with the tightest access possible.

       If you want to allow init the audit_control capability, you must turn
       on the init_audit_control boolean. Disabled by default.

       setsebool -P init_audit_control 1

       If you want to allow init create, setattr and mounton on
       non_security_file_type, you must turn on the init_create_dirs boolean.
       Enabled by default.

       setsebool -P init_create_dirs 1

       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Enabled by default.

       setsebool -P deny_bluetooth 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
       you must turn on the nagios_run_sudo boolean. Disabled by default.

       setsebool -P nagios_run_sudo 1

       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Enabled by default.

       setsebool -P secure_mode_insmod 1

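       The following script is an added example, not part of this manual
       page or of sepolicy. It reads a listing in the format getsebool -a
       prints ("name --> on") and reports which of the six booleans above
       differ from the default state the page gives for them, printing the
       setsebool -P command that would restore each one. PAGE_DEFAULTS,
       boolean_drift and check_sample are names invented here, and the
       listing in SAMPLE is constructed.

```sh
#!/bin/sh
# Added example (not from init_selinux(8) or sepolicy): detect drift of the
# init-related booleans from the defaults the manual page states.

# name=default pairs exactly as the BOOLEANS section states them.
PAGE_DEFAULTS='init_audit_control=off init_create_dirs=on deny_bluetooth=on fips_mode=on nagios_run_sudo=off secure_mode_insmod=on'

# boolean_drift: for each "name --> state" line on stdin whose name appears
# in PAGE_DEFAULTS with a different state, print the setsebool -P command
# that sets it back. Booleans not listed on the page are ignored.
boolean_drift() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        for pair in $PAGE_DEFAULTS; do
            case $pair in
                "$name"=*) ;;          # this pair describes $name
                *) continue ;;
            esac
            want=${pair#*=}
            if [ "$state" != "$want" ]; then
                if [ "$want" = on ]; then v=1; else v=0; fi
                printf 'setsebool -P %s %s\n' "$name" "$v"
            fi
        done
    done
    return 0
}

# Constructed sample in getsebool -a format; secure_mode_insmod has drifted.
SAMPLE='init_audit_control --> off
init_create_dirs --> on
deny_bluetooth --> on
fips_mode --> on
nagios_run_sudo --> off
secure_mode_insmod --> off'

# check_sample: run the constructed listing through boolean_drift.
# Expected output: setsebool -P secure_mode_insmod 1
check_sample() {
    printf '%s\n' "$SAMPLE" | boolean_drift
}

# Stand-alone use: getsebool -a | boolean_drift
check_sample
```

       On a live system run getsebool -a | boolean_drift and review the
       printed commands before applying them; setsebool -P writes the value
       into the policy store so it survives a reboot, whereas without -P it
       lasts only until the next boot. The script encodes the defaults as
       this page states them, which is what makes it a drift detector for
       this policy rather than a generic baseline.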

MANAGED FILES

       The SELinux process type init_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       auditd_etc_t

            /etc/audit(/.*)?

       binfmt_misc_fs_t

       boolean_type

       bpf_t

            /sys/fs/bpf

       consolekit_log_t

            /var/log/ConsoleKit(/.*)?

       etc_aliases_t

            /etc/mail/.*.db
            /etc/mail/aliases.*
            /etc/postfix/aliases.*
            /etc/aliases
            /etc/aliases.db

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       gnome_home_type

       init_tmp_t

       init_var_lib_t

            /var/lib/systemd(/.*)?
            /var/lib/private/systemd(/.*)?

       initrc_state_t

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       krb5_keytab_t

            /var/kerberos/krb5(/.*)?
            /etc/krb5.keytab
            /etc/krb5kdc/kadm5.keytab
            /var/kerberos/krb5kdc/kadm5.keytab

       lastlog_t

            /var/log/lastlog.*

       lockfile

       mnt_t

            /mnt(/[^/]*)?
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /rhev/[^/]*/.*
            /media(/[^/]*)?
            /media(/[^/]*)?
            /media/.hal-.*
            /var/run/media(/[^/]*)?
            /afs
            /net
            /misc
            /rhev

       print_spool_t

            /var/spool/lpd(/.*)?
            /var/spool/cups(/.*)?
            /var/spool/cups-pdf(/.*)?

       random_seed_t

            /var/lib/random-seed
            /usr/var/lib/random-seed

       svirt_file_type

       sysctl_type

       sysfs_t

            /sys(/.*)?

       systemd_home_t

            /root/.local/share/systemd(/.*)?
            /home/[^/]+/.local/share/systemd(/.*)?

       systemd_unit_file_type

       tmpfs_t

            /dev/shm
            /var/run/shm
            /usr/lib/udev/devices/shm

       udev_rules_t

            /etc/udev/rules.d(/.*)?

       var_lib_nfs_t

            /var/lib/nfs(/.*)?

       var_lib_t

            /opt/(.*/)?var/lib(/.*)?
            /var/lib(/.*)?

       var_log_t

            /var/log/.*
            /nsr/logs(/.*)?
            /var/webmin(/.*)?
            /var/log/secure[^/]*
            /opt/zimbra/log(/.*)?
            /var/log/maillog[^/]*
            /var/log/spooler[^/]*
            /var/log/messages[^/]*
            /usr/centreon/log(/.*)?
            /var/spool/rsyslog(/.*)?
            /var/axfrdns/log/main(/.*)?
            /var/spool/bacula/log(/.*)?
            /var/tinydns/log/main(/.*)?
            /var/dnscache/log/main(/.*)?
            /var/stockmaniac/templates_cache(/.*)?
            /opt/Symantec/scspagent/IDS/system(/.*)?
            /var/log
            /var/log/dmesg
            /var/log/syslog
            /var/named/chroot/var/log

       wtmp_t

            /var/log/wtmp.*


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux init policy is very flexible, allowing users to set up their
       init processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       init policy stores data with multiple different file context types
       under the /var/run/systemd directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/systemd /srv/systemd
       restorecon -R -v /srv/systemd

       STANDARD FILE CONTEXT

       SELinux defines the file context types for init. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t initrc_var_run_t '/srv/myinit_content(/.*)?'
       restorecon -R -v /srv/myinit_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for init:

       init_exec_t

       - Set files with the init_exec_t type, if you want to transition an
       executable to the init_t domain.

       Paths:
            /sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
            /usr/lib/systemd/system-generators/[^/]*, /bin/systemd,
            /sbin/upstart, /usr/bin/systemd, /usr/sbin/upstart

       init_tmp_t

       - Set files with the init_tmp_t type, if you want to store init
       temporary files in the /tmp directories.

       init_var_lib_t

       - Set files with the init_var_lib_t type, if you want to store the init
       files under the /var/lib directory.

       Paths:
            /var/lib/systemd(/.*)?, /var/lib/private/systemd(/.*)?

       init_var_run_t

       - Set files with the init_var_run_t type, if you want to store the init
       files under the /run or /var/run directory.

       initctl_t

       - Set files with the initctl_t type, if you want to treat the files as
       initctl data.

       Paths:
            /dev/initctl, /var/run/initctl, /var/run/systemd/initctl/fifo

       initrc_devpts_t

       - Set files with the initrc_devpts_t type, if you want to treat the
       files as initrc devpts data.

       initrc_exec_t

       - Set files with the initrc_exec_t type, if you want to transition an
       executable to the initrc_t domain.

       Paths:
            /etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
            /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
            /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
            /opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
            /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-dirsrv,
            /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv,
            /etc/sysconfig/network-scripts/ifup-ipsec,
            /usr/share/system-config-services/system-config-services-mechanism.py

       initrc_state_t

       - Set files with the initrc_state_t type, if you want to treat the
       files as initrc state data.

       initrc_tmp_t

       - Set files with the initrc_tmp_t type, if you want to store initrc
       temporary files in the /tmp directories.

       initrc_var_log_t

       - Set files with the initrc_var_log_t type, if you want to treat the
       data as initrc var log data, usually stored under the /var/log
       directory.

       initrc_var_run_t

       - Set files with the initrc_var_run_t type, if you want to store the
       initrc files under the /run or /var/run directory.

       Paths:
            /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
            /var/run/setmixer_flag

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

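       The following script is an added example, not part of this manual page
       or of sepolicy. After adding a mapping with semanage fcontext as shown
       above, restorecon -R -n -v PATH reports what it would relabel without
       changing anything; the script reduces that report to one line per file
       whose type would change, which is the part worth reviewing before the
       real restorecon -R -v run. It assumes the dry-run line format
       "Would relabel PATH from CONTEXT to CONTEXT"; the functions ctx_type,
       label_drift and check_sample and the lines in SAMPLE are constructed
       for the example.

```sh
#!/bin/sh
# Added example (not from init_selinux(8) or sepolicy): summarise a
# restorecon -R -n -v dry run as "path current_type -> expected_type".
# Assumed input line format: Would relabel PATH from CTX to CTX

# ctx_type CONTEXT: print the type field of a user:role:type:level context.
ctx_type() {
    t=${1#*:*:}                 # drop user and role
    printf '%s\n' "${t%%:*}"    # keep the type, drop the level
}

# label_drift: read restorecon dry-run output on stdin and print one line
# per file whose type would change. Changes confined to the user, role or
# level fields are not reported. Paths containing whitespace are not handled
# by this word-based parse.
label_drift() {
    while read -r w1 w2 path w4 cur w6 want; do
        [ "$w1 $w2 $w4 $w6" = "Would relabel from to" ] || continue
        ct=$(ctx_type "$cur")
        wt=$(ctx_type "$want")
        if [ "$ct" != "$wt" ]; then
            printf '%s %s -> %s\n' "$path" "$ct" "$wt"
        fi
    done
    return 0
}

# Constructed sample: two files carry the wrong type, a third differs only
# in the SELinux user and is therefore not reported.
SAMPLE='Would relabel /srv/myinit_content from unconfined_u:object_r:var_t:s0 to system_u:object_r:initrc_var_run_t:s0
Would relabel /srv/myinit_content/run.pid from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:initrc_var_run_t:s0
Would relabel /srv/myinit_content/ok from unconfined_u:object_r:initrc_var_run_t:s0 to system_u:object_r:initrc_var_run_t:s0'

# check_sample: run the constructed report through label_drift.
# Expected output:
#   /srv/myinit_content var_t -> initrc_var_run_t
#   /srv/myinit_content/run.pid var_t -> initrc_var_run_t
check_sample() {
    printf '%s\n' "$SAMPLE" | label_drift
}

# Stand-alone use: restorecon -R -n -v /srv/myinit_content | label_drift
check_sample
```

       A file that shows up with an unexpected current type is the thing to
       investigate before relabeling: restorecon will overwrite a label set
       with chcon, so a surprise there usually means a prior temporary change
       or a path that the new semanage fcontext regex matches more broadly
       than intended.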

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8)



init                               23-02-03                    init_selinux(8)