1initrc_selinux(8) SELinux Policy initrc initrc_selinux(8)
2
3
4
NAME

initrc_selinux - Security Enhanced Linux Policy for the initrc processes
8
DESCRIPTION

Security-Enhanced Linux secures the initrc processes via flexible
mandatory access control.
12
13 The initrc processes execute with the initrc_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep initrc_t
20
21
22
ENTRYPOINTS

The initrc_t SELinux type can be entered via the fcoemon_initrc_exec_t,
25 nslcd_initrc_exec_t, sendmail_initrc_exec_t, vdagentd_initrc_exec_t,
26 watchdog_initrc_exec_t, l2tpd_initrc_exec_t, cyphesis_initrc_exec_t,
27 sssd_initrc_exec_t, varnishd_initrc_exec_t, mongod_initrc_exec_t,
28 dlm_controld_initrc_exec_t, spamd_initrc_exec_t, zebra_initrc_exec_t,
29 callweaver_initrc_exec_t, mcelog_initrc_exec_t, ctdbd_initrc_exec_t,
rngd_initrc_exec_t, varnishlog_initrc_exec_t, openct_initrc_exec_t,
ypbind_initrc_exec_t, certmaster_initrc_exec_t, portmap_initrc_exec_t,
32 openhpid_initrc_exec_t, kdump_initrc_exec_t, denyhosts_initrc_exec_t,
pkcs_slotd_initrc_exec_t, prelude_initrc_exec_t, fail2ban_initrc_exec_t,
osad_initrc_exec_t, certmonger_initrc_exec_t, cvs_initrc_exec_t,
rwho_initrc_exec_t, pcp_pmproxy_initrc_exec_t, bluetooth_initrc_exec_t,
wdmd_initrc_exec_t, tuned_initrc_exec_t,
dhcpc_helper_exec_t, snmpd_initrc_exec_t, slpd_initrc_exec_t, smsd_initrc_exec_t,
httpd_initrc_exec_t, avahi_initrc_exec_t, abrt_initrc_exec_t,
gpsd_initrc_exec_t, pcp_pmlogger_initrc_exec_t, cluster_initrc_exec_t,
ftpd_initrc_exec_t, sshd_initrc_exec_t, sysstat_initrc_exec_t,
couchdb_initrc_exec_t, postgresql_initrc_exec_t, cgconfig_initrc_exec_t,
bacula_initrc_exec_t, innd_initrc_exec_t,
43 chronyd_initrc_exec_t, mdadm_initrc_exec_t, collectd_initrc_exec_t,
mpd_initrc_exec_t, syslogd_initrc_exec_t, entropyd_initrc_exec_t,
jabberd_initrc_exec_t, hddtemp_initrc_exec_t, uucpd_initrc_exec_t,
nagios_initrc_exec_t, glusterd_initrc_exec_t, pcscd_initrc_exec_t,
ajaxterm_initrc_exec_t, afs_initrc_exec_t, ulogd_initrc_exec_t,
drbd_initrc_exec_t, pki_ra_script_exec_t, sblim_initrc_exec_t,
condor_initrc_exec_t, rtkit_daemon_initrc_exec_t, mrtg_initrc_exec_t,
clvmd_initrc_exec_t, pads_initrc_exec_t, radvd_initrc_exec_t,
glance_registry_initrc_exec_t, foghorn_initrc_exec_t, ccs_initrc_exec_t,
hypervkvp_initrc_exec_t, blkmapd_initrc_exec_t, named_initrc_exec_t,
53 cfengine_initrc_exec_t, vhostmd_initrc_exec_t, isnsd_initrc_exec_t,
54 portreserve_initrc_exec_t, acct_initrc_exec_t, ipsec_initrc_exec_t,
iodined_initrc_exec_t, nfsd_initrc_exec_t, glance_scrubber_initrc_exec_t,
sensord_initrc_exec_t, aiccu_initrc_exec_t, apcupsd_initrc_exec_t,
bin_t, slapd_initrc_exec_t, initrc_exec_t, iwhd_initrc_exec_t,
fetchmail_initrc_exec_t, dictd_initrc_exec_t,
pcp_plugin_initrc_exec_t, saslauthd_initrc_exec_t, arpwatch_initrc_exec_t,
rpcbind_initrc_exec_t, keystone_initrc_exec_t, uuidd_initrc_exec_t,
memcached_initrc_exec_t, shorewall_initrc_exec_t, iptables_initrc_exec_t,
dovecot_initrc_exec_t, setrans_initrc_exec_t,
munin_initrc_exec_t, pcp_pmie_initrc_exec_t, zabbix_initrc_exec_t,
ksmtuned_initrc_exec_t, postgrey_initrc_exec_t, psad_initrc_exec_t,
65 minissdpd_initrc_exec_t, lldpad_initrc_exec_t, pcp_pmcd_initrc_exec_t,
crond_initrc_exec_t, mscan_initrc_exec_t, kerberos_initrc_exec_t,
sanlock_initrc_exec_t, qpidd_initrc_exec_t, dhcpd_initrc_exec_t,
exim_initrc_exec_t, icecast_initrc_exec_t, firewalld_initrc_exec_t,
zoneminder_initrc_exec_t, naemon_initrc_exec_t, cpuplug_initrc_exec_t,
70 lircd_initrc_exec_t, likewise_initrc_exec_t, pppd_initrc_exec_t,
71 cyrus_initrc_exec_t, kismet_initrc_exec_t, canna_initrc_exec_t,
72 rhnsd_initrc_exec_t, rabbitmq_initrc_exec_t, privoxy_initrc_exec_t,
73 ciped_initrc_exec_t, auditd_initrc_exec_t, minidlna_initrc_exec_t,
74 ricci_initrc_exec_t, samba_initrc_exec_t, svnserve_initrc_exec_t,
75 virtd_initrc_exec_t, gpm_initrc_exec_t, radiusd_initrc_exec_t,
76 boinc_initrc_exec_t, ddclient_initrc_exec_t, pki_tps_script_exec_t,
tor_initrc_exec_t, smokeping_initrc_exec_t, mysqld_initrc_exec_t,
NetworkManager_initrc_exec_t, rpcd_initrc_exec_t, squid_initrc_exec_t,
79 gdomap_initrc_exec_t, roundup_initrc_exec_t, polipo_initrc_exec_t,
80 dspam_initrc_exec_t, asterisk_initrc_exec_t, pingd_initrc_exec_t,
81 mysqlmanagerd_initrc_exec_t, snort_initrc_exec_t, soundd_initrc_exec_t,
82 mon_statd_initrc_exec_t, postfix_initrc_exec_t, cmirrord_initrc_exec_t,
ntpd_initrc_exec_t, cgred_initrc_exec_t, conntrackd_initrc_exec_t,
zabbix_agent_initrc_exec_t, nis_initrc_exec_t, automount_initrc_exec_t,
85 tcsd_initrc_exec_t, usr_t, cupsd_initrc_exec_t, bitlbee_initrc_exec_t,
irqbalance_initrc_exec_t, antivirus_initrc_exec_t, glance_api_initrc_exec_t,
oracleasm_initrc_exec_t, apmd_initrc_exec_t, puppetagent_initrc_exec_t,
virtlogd_initrc_exec_t, puppetmaster_initrc_exec_t,
vnstatd_initrc_exec_t, redis_initrc_exec_t, neutron_initrc_exec_t,
cobblerd_initrc_exec_t, tgtd_initrc_exec_t, ntop_initrc_exec_t,
dnsmasq_initrc_exec_t, piranha_pulse_initrc_exec_t, openvpn_initrc_exec_t,
sslh_initrc_exec_t, nscd_initrc_exec_t, amtu_initrc_exec_t,
bcfg2_initrc_exec_t, rhsmcertd_initrc_exec_t, fsdaemon_initrc_exec_t,
94 shell_exec_t file types.
95
96 The default entrypoint paths for the initrc_t domain are the following:
97
98 All executables with the default executable label, usually stored in
99 /usr/bin and /usr/sbin. /etc/rc.d/init.d/fcoe, /etc/rc.d/init.d/nslcd,
100 /etc/rc.d/init.d/sendmail, /etc/rc.d/init.d/spice-vdagentd,
101 /etc/rc.d/init.d/watchdog, /etc/rc.d/init.d/.*l2tpd,
/etc/rc.d/init.d/cyphesis, /etc/rc.d/init.d/sssd,
/etc/rc.d/init.d/varnish, /etc/rc.d/init.d/mongod, /etc/rc.d/init.d/mongos,
104 /etc/rc.d/init.d/mimedefang.*, /etc/rc.d/init.d/spamd,
105 /etc/rc.d/init.d/pyzord, /etc/rc.d/init.d/spampd,
106 /etc/rc.d/init.d/bgpd, /etc/rc.d/init.d/ripd, /etc/rc.d/init.d/isisd,
/etc/rc.d/init.d/ospfd, /etc/rc.d/init.d/zebra,
/etc/rc.d/init.d/babeld, /etc/rc.d/init.d/ospf6d, /etc/rc.d/init.d/ripngd,
109 /etc/rc.d/init.d/callweaver, /etc/rc.d/init.d/mcelog,
/etc/rc.d/init.d/ctdb, /etc/rc.d/init.d/rngd,
/etc/rc.d/init.d/varnishlog, /etc/rc.d/init.d/varnishncsa, /etc/rc.d/init.d/openct,
112 /etc/rc.d/init.d/ypbind, /etc/rc.d/init.d/certmaster,
113 /etc/rc.d/init.d/portmap, /etc/rc.d/init.d/openhpid,
114 /etc/rc.d/init.d/kdump, /etc/rc.d/init.d/denyhosts,
115 /etc/rc.d/init.d/pkcsslotd, /etc/rc.d/init.d/prelude-lml,
116 /etc/rc.d/init.d/prelude-manager, /etc/rc.d/init.d/prelude-correlator,
117 /etc/rc.d/init.d/fail2ban, /etc/rc.d/init.d/osad,
118 /etc/rc.d/init.d/certmonger, /etc/rc.d/init.d/cvs,
119 /etc/rc.d/init.d/rwhod, /etc/rc.d/init.d/pmproxy,
120 /usr/libexec/pcp/lib/pmproxy, /etc/rc.d/init.d/dund,
121 /etc/rc.d/init.d/pand, /etc/rc.d/init.d/bluetooth,
122 /etc/rc.d/init.d/wdmd, /etc/rc.d/init.d/tuned,
123 /etc/firestarter/firestarter.sh, /etc/rc.d/init.d/(snmpd|snmptrapd),
124 /etc/rc.d/init.d/slpd, /etc/rc.d/init.d/smsd, /etc/init.d/cherokee,
125 /etc/rc.d/init.d/httpd, /etc/rc.d/init.d/lighttpd,
126 /etc/rc.d/init.d/avahi.*, /etc/rc.d/init.d/abrt, /etc/rc.d/init.d/gpsd,
127 /etc/rc.d/init.d/pmlogger, /usr/libexec/pcp/lib/pmlogger,
128 /etc/rc.d/init.d/openais, /etc/rc.d/init.d/corosync,
129 /etc/rc.d/init.d/cpglockd, /etc/rc.d/init.d/heartbeat,
130 /etc/rc.d/init.d/pacemaker, /etc/rc.d/init.d/rgmanager,
131 /etc/rc.d/init.d/vsftpd, /etc/rc.d/init.d/proftpd,
132 /etc/rc.d/init.d/sshd, /etc/rc.d/init.d/sysstat,
133 /etc/rc.d/init.d/couchdb, /etc/rc.d/init.d/(se)?postgresql,
134 /etc/rc.d/init.d/cgconfig, /etc/rc.d/init.d/bacula.*,
/etc/rc.d/init.d/innd, /etc/rc.d/init.d/chronyd,
/etc/rc.d/init.d/mdmonitor, /etc/rc.d/init.d/collectd, /etc/rc.d/init.d/mpd,
/etc/rc.d/init.d/rsyslog, /etc/rc.d/init.d/((audio-entropyd)|(haveged)),
/etc/rc.d/init.d/jabberd, /etc/rc.d/init.d/hddtemp,
139 /etc/rc.d/init.d/uucp, /etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios,
140 /etc/rc.d/init.d/gluster.*, /usr/sbin/glusterd, /etc/rc.d/init.d/pcscd,
141 /etc/rc.d/init.d/ajaxterm, /etc/rc.d/init.d/(open)?afs,
142 /etc/rc.d/init.d/openafs-client, /etc/rc.d/init.d/ulogd,
143 /etc/rc.d/init.d/drbd, /etc/rc.d/init.d/gatherer,
144 /etc/rc.d/init.d/sblim-sfcbd, /etc/rc.d/init.d/condor,
145 /etc/rc.d/init.d/rtkit-daemon, /etc/rc.d/init.d/mrtg,
/etc/rc.d/init.d/pads, /etc/rc.d/init.d/radvd,
/etc/rc.d/init.d/openstack-glance-registry, /etc/rc.d/init.d/((ccs)|(ccsd)),
148 /etc/rc.d/init.d/hypervkvpd, /etc/rc.d/init.d/blkmapd,
149 /etc/rc.d/init.d/named, /etc/rc.d/init.d/unbound,
/etc/rc.d/init.d/named-sdb,
/etc/rc.d/init.d/((cf-serverd)|(cf-monitord)|(cf-execd)),
/etc/rc.d/init.d/vhostmd, /etc/rc.d/init.d/isnsd,
152 /etc/rc.d/init.d/portreserve, /etc/rc.d/init.d/psacct,
153 /etc/rc.d/init.d/ipsec, /etc/rc.d/init.d/racoon,
/etc/rc.d/init.d/strongswan, /etc/rc.d/init.d/((iodined)|(iodine-server)),
/etc/rc.d/init.d/nfs, /etc/rc.d/init.d/openstack-glance-scrubber,
/etc/rc.d/init.d/sensord, /etc/rc.d/init.d/aiccu,
157 /etc/rc.d/init.d/apcupsd, /etc/rc.d/init.d/slapd, /etc/init.d/.*,
/etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*, /opt/nfast/sbin/init.d-ncipher,
/usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*,
160 /usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*),
161 /etc/rc.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl,
/usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv,
/etc/sysconfig/network-scripts/ifup-ipsec,
/usr/share/system-config-services/system-config-services-mechanism.py,
165 /etc/rc.d/init.d/iwhd, /etc/rc.d/init.d/fetchmail,
/etc/rc.d/init.d/dictd, /etc/rc.d/init.d/sasl, /etc/rc.d/init.d/arpwatch,
/etc/rc.d/init.d/rpcbind, /etc/rc.d/init.d/openstack-keystone,
168 /etc/rc.d/init.d/uuidd, /etc/rc.d/init.d/memcached,
169 /etc/rc.d/init.d/shorewall.*, /etc/rc.d/init.d/ip6?tables,
170 /etc/rc.d/init.d/ebtables, /etc/rc.d/init.d/nftables,
171 /etc/rc.d/init.d/dovecot, /etc/rc.d/init.d/mcstrans,
172 /etc/rc.d/init.d/munin-node, /etc/rc.d/init.d/pmie,
173 /usr/libexec/pcp/lib/pmie, /etc/rc.d/init.d/(zabbix|zabbix-server),
174 /etc/rc.d/init.d/ksmtuned, /etc/rc.d/init.d/postgrey,
175 /etc/rc.d/init.d/psad, /etc/rc.d/init.d/minissdpd,
176 /etc/rc.d/init.d/lldpad, /etc/rc.d/init.d/pmcd,
177 /usr/libexec/pcp/lib/pmcd, /etc/rc.d/init.d/atd,
178 /etc/rc.d/init.d/MailScanner, /etc/rc.d/init.d/kprop,
179 /etc/rc.d/init.d/kadmind, /etc/rc.d/init.d/krb524d,
180 /etc/rc.d/init.d/krb5kdc, /etc/rc.d/init.d/sanlock,
181 /etc/rc.d/init.d/qpidd, /etc/rc.d/init.d/dhcpd(6)?,
182 /etc/rc.d/init.d/dhcrelay(6)?, /etc/rc.d/init.d/exim,
183 /etc/rc.d/init.d/icecast, /etc/rc.d/init.d/firewalld,
184 /etc/rc.d/init.d/zoneminder, /etc/rc.d/init.d/naemon,
185 /etc/rc.d/init.d/cpuplugd, /etc/rc.d/init.d/lirc,
186 /etc/rc.d/init.d/lwiod, /etc/rc.d/init.d/lwsmd,
187 /etc/rc.d/init.d/lsassd, /etc/rc.d/init.d/lwregd,
188 /etc/rc.d/init.d/dcerpcd, /etc/rc.d/init.d/srvsvcd,
189 /etc/rc.d/init.d/likewise, /etc/rc.d/init.d/eventlogd,
190 /etc/rc.d/init.d/netlogond, /etc/ppp/(auth|ip(v6|x)?)-(up|down),
191 /etc/rc.d/init.d/ppp, /etc/rc.d/init.d/cyrus.*,
192 /etc/rc.d/init.d/kismet.*, /etc/rc.d/init.d/canna,
193 /etc/rc.d/init.d/rhnsd, /etc/rc.d/init.d/rabbitmq-server,
194 /etc/rc.d/init.d/privoxy, /etc/rc.d/init.d/ciped.*,
195 /etc/rc.d/init.d/auditd, /etc/rc.d/init.d/minidlna,
196 /etc/rc.d/init.d/ricci, /etc/rc.d/init.d/nmb, /etc/rc.d/init.d/smb,
197 /etc/rc.d/init.d/winbind, /etc/rc.d/init.d/svnserve,
/etc/rc.d/init.d/libvirtd, /etc/rc.d/init.d/gpm, /etc/rc.d/init.d/radiusd,
/etc/rc.d/init.d/boinc-client, /etc/rc.d/init.d/ddclient,
200 /etc/rc.d/init.d/tor, /etc/rc.d/init.d/smokeping,
/etc/rc.d/init.d/mysqld, /etc/rc.d/init.d/wicd, /etc/rc.d/init.d/nfslock,
/etc/rc.d/init.d/rpcidmapd, /etc/rc.d/init.d/squid,
203 /etc/rc.d/init.d/gdomap, /etc/rc.d/init.d/roundup,
/etc/rc.d/init.d/polipo, /etc/rc.d/init.d/dspam, /etc/rc.d/init.d/asterisk,
/etc/rc.d/init.d/whatsup-pingd, /etc/rc.d/init.d/mysqlmanager,
206 /etc/rc.d/init.d/snortd, /etc/rc.d/init.d/nasd,
207 /etc/rc.d/init.d/mon_statd, /etc/rc.d/init.d/postfix,
208 /etc/rc.d/init.d/cmirrord, /etc/rc.d/init.d/ntpd,
209 /etc/rc.d/init.d/cgred, /etc/rc.d/init.d/zabbix-agentd,
/etc/rc.d/init.d/ypserv, /etc/rc.d/init.d/ypxfrd, /etc/rc.d/init.d/yppasswd,
/etc/rc.d/init.d/autofs, /etc/rc.d/init.d/(tcsd|trousers),
212 /opt/.*, /usr/.*, /emul/.*, /export(/.*)?, /ostree(/.*)?,
213 /usr/doc(/.*)?/lib(/.*)?, /usr/inclu.e(/.*)?, /usr/share/rpm(/.*)?,
214 /usr/share/doc(/.*)?/README.*, /usr/lib/modules(/.*)/vmlinuz,
215 /usr/lib/modules(/.*)/initramfs.img, /usr/lib/sysimage(/.*)?,
216 /usr/lib/ostree-boot(/.*)?, /opt, /usr, /emul, /etc/rc.d/init.d/cups,
217 /etc/rc.d/init.d/bitlbee, /etc/rc.d/init.d/irqbalance,
218 /etc/rc.d/init.d/clamd.*, /etc/rc.d/init.d/amavis,
219 /etc/rc.d/init.d/amavisd-snmp, /etc/rc.d/init.d/openstack-glance-api,
220 /etc/rc.d/init.d/oracleasm, /etc/rc.d/init.d/acpid,
221 /etc/rc.d/init.d/puppet, /etc/rc.d/init.d/virtlogd,
222 /etc/rc.d/init.d/puppetmaster, /etc/rc.d/init.d/vnstat,
223 /etc/rc.d/init.d/redis, /etc/rc.d/init.d/neutron.*,
224 /etc/rc.d/init.d/quantum.*, /etc/rc.d/init.d/cobblerd,
225 /etc/rc.d/init.d/tgtd, /etc/rc.d/init.d/ntop, /etc/rc.d/init.d/dnsmasq,
226 /etc/rc.d/init.d/pulse, /etc/rc.d/init.d/openvpn,
227 /etc/rc.d/init.d/sslh, /etc/rc.d/init.d/nscd, /etc/rc.d/init.d/amtu,
228 /etc/rc.d/init.d/bcfg2-server, /etc/rc.d/init.d/rhsmcertd,
229 /etc/rc.d/init.d/(smartd|smartmontools), /bin/d?ash, /bin/ksh.*,
230 /bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh,
231 /bin/bash, /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
232 /bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
233 /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
234 /usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
235 /usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-shell,
236 /usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
237 /usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell
238
PROCESS TYPES

SELinux defines process types (domains) for each process running on the
system.
242
You can see the context of a process using the -Z option to ps.
244
Policy governs the access confined processes have to files. SELinux
initrc policy is very flexible, allowing users to set up their initrc
processes in as secure a manner as possible.
248
249 The following process types are defined for initrc:
250
251 initrc_t
252
Note: semanage permissive -a initrc_t can be used to make the process
type initrc_t permissive. SELinux does not deny access to permissive
process types, but the AVC messages (SELinux denials) are still
generated.
257
258
BOOLEANS

SELinux policy is customizable based on least access required. initrc
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run initrc with the tightest access possible.
263
264
265
If you want to deny user domain applications the ability to map a memory
region as both executable and writable (this is dangerous, and the
executable should be reported in bugzilla), you must turn on the
deny_execmem boolean. Enabled by default.
270
271 setsebool -P deny_execmem 1
272
273
274
275 If you want to control the ability to mmap a low area of the address
276 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
277 the mmap_low_allowed boolean. Disabled by default.
278
279 setsebool -P mmap_low_allowed 1
280
281
282
If you want to disable kernel module loading, you must turn on the
secure_mode_insmod boolean. Enabled by default.
285
286 setsebool -P secure_mode_insmod 1
287
288
289
If you want to allow unconfined executables to make their heap memory
executable, you must turn on the selinuxuser_execheap boolean. Doing
this is a really bad idea: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Disabled by default.
295
296 setsebool -P selinuxuser_execheap 1
297
298
299
If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Enabled by default.
305
306 setsebool -P selinuxuser_execstack 1
307
308
309
MANAGED FILES

The SELinux process type initrc_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.
314
315 file_type
316
317 all files on the system
318
319
FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file
type.
323
324 You can see the context of a file using the -Z option to ls
325
Policy governs the access confined processes have to these files.
SELinux initrc policy is very flexible, allowing users to set up their
initrc processes in as secure a manner as possible.
329
330 STANDARD FILE CONTEXT
331
SELinux defines the file context types for initrc. If you want to store
files with these types in different paths, you need to execute the
semanage command to specify the alternate labeling and then use
restorecon to put the labels on disk.
336
337 semanage fcontext -a -t initrc_var_run_t '/srv/myinitrc_content(/.*)?'
338 restorecon -R -v /srv/myinitrc_content
339
340 Note: SELinux often uses regular expressions to specify labels that
341 match multiple files.
342
343 The following file types are defined for initrc:
344
345
346
347 initrc_devpts_t
348
349 - Set files with the initrc_devpts_t type, if you want to treat the
350 files as initrc devpts data.
351
352
353
354 initrc_exec_t
355
356 - Set files with the initrc_exec_t type, if you want to transition an
357 executable to the initrc_t domain.
358
359
360 Paths:
361 /etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
362 /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
363 /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
364 /opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
365 /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-dirsrv,
/usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv,
/etc/sysconfig/network-scripts/ifup-ipsec,
/usr/share/system-config-services/system-config-services-mechanism.py
369
370
371 initrc_state_t
372
373 - Set files with the initrc_state_t type, if you want to treat the
374 files as initrc state data.
375
376
377
378 initrc_tmp_t
379
380 - Set files with the initrc_tmp_t type, if you want to store initrc
381 temporary files in the /tmp directories.
382
383
384
385 initrc_var_log_t
386
- Set files with the initrc_var_log_t type, if you want to treat the
data as initrc var log data, usually stored under the /var/log
directory.
390
391
392
393 initrc_var_run_t
394
395 - Set files with the initrc_var_run_t type, if you want to store the
396 initrc files under the /run or /var/run directory.
397
398
399 Paths:
400 /var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
401 /var/run/setmixer_flag
402
403
Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.
408
409
COMMANDS

semanage fcontext can also be used to manipulate default file context
mappings.
413
414 semanage permissive can also be used to manipulate whether or not a
415 process type is permissive.
416
semanage module can also be used to enable/disable/install/remove
policy modules.
419
semanage boolean can also be used to manipulate the booleans.
421
422
system-config-selinux is a GUI tool available to customize SELinux
policy settings.
425
426
AUTHOR

This manual page was auto-generated using sepolicy manpage.
429
430
SEE ALSO

selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8)
434
435
436
437initrc 23-02-03 initrc_selinux(8)