init_selinux(8) SELinux Policy init init_selinux(8)

NAME
init_selinux - Security Enhanced Linux Policy for the init processes

DESCRIPTION
Security-Enhanced Linux secures the init processes via flexible mandatory access control.

The init processes execute with the init_t SELinux type. You can check whether these processes are running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep init_t

ENTRYPOINTS
The init_t SELinux type can be entered via the init_exec_t and shell_exec_t file types.

The default entrypoint paths for the init_t domain are the following:

/sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
/usr/lib/systemd/system-generators/[^/]*, /bin/systemd, /sbin/upstart,
/usr/bin/systemd, /usr/sbin/upstart, /bin/d?ash, /bin/ksh.*,
/bin/zsh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh,
/bin/bash, /bin/fish, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
/bin/bash2, /usr/bin/esh, /sbin/nologin, /usr/bin/bash, /usr/bin/fish,
/usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash,
/usr/bin/bash2, /usr/sbin/sesh, /usr/sbin/smrsh, /usr/bin/scponly,
/usr/libexec/sesh, /usr/sbin/nologin, /usr/bin/git-shell,
/usr/sbin/scponlyc, /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,
/usr/libexec/cockpit-agent, /usr/libexec/git-core/git-shell

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux init policy is very flexible, allowing users to set up their init processes in as secure a manner as possible.

The following process types are defined for init:

init_t, initrc_t

Note: semanage permissive -a init_t can be used to make the process type init_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.
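To make the note above concrete, here is an added example (not part of the generated man page) that pulls the denials raised by the init_t and initrc_t domains out of audit log lines and marks whether each one was enforced or only logged because the domain was permissive. The audit records in the block are constructed samples.

```shell
# Constructed sample AVC records (not captured from a real system); the field
# layout follows what auditd writes to /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1697800000.123:456): avc:  denied  { write } for  pid=1 comm="systemd" name="foo" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697800001.456:457): avc:  denied  { module_load } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1
type=AVC msg=audit(1697800002.789:458): avc:  denied  { read } for  pid=812 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697800003.000:459): avc:  denied  { execute } for  pid=900 comm="sh" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0'

# init_denials: read AVC records on stdin and print one line per denial whose
# source domain is init_t or initrc_t, in the form
#   <MODE> <domain> <permission> <tclass> <target type>
# MODE is ENFORCED (permissive=0: the access was blocked) or PERMISSIVE
# (permissive=1: the access was allowed and only logged).
init_denials() {
    awk '
    /avc: +denied/ {
        domain = ""; ttype = ""; tclass = ""; mode = ""; perm = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third colon-separated field of a context
            if ($i ~ /^scontext=/)   { split($i, s, ":"); domain = s[3] }
            if ($i ~ /^tcontext=/)   { split($i, t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)     { tclass = substr($i, 8) }
            if ($i ~ /^permissive=/) { mode = (substr($i, 12) == "1") ? "PERMISSIVE" : "ENFORCED" }
        }
        # the requested permission sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        if (domain == "init_t" || domain == "initrc_t")
            print mode, domain, perm, tclass, ttype
    }'
}

# Run over the constructed sample; on a live system use, for example:
#   grep 'avc:' /var/log/audit/audit.log | init_denials
printf '%s\n' "$SAMPLE_AVC" | init_denials
```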

BOOLEANS
SELinux policy is customizable based on the least access required. init policy is extremely flexible and has several booleans that allow you to manipulate the policy and run init with the tightest access possible.

If you want to allow init the audit_control capability, you must turn on the init_audit_control boolean. Enabled by default.

setsebool -P init_audit_control 1

If you want to allow init create, setattr and mounton access on non_security_file_type, you must turn on the init_create_dirs boolean. Enabled by default.

setsebool -P init_create_dirs 1

If you want to deny all system processes and Linux users the use of Bluetooth wireless technology, you must turn on the deny_bluetooth boolean. Disabled by default.

setsebool -P deny_bluetooth 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow nagios/nrpe to call sudo from NRPE utils scripts, you must turn on the nagios_run_sudo boolean. Disabled by default.

setsebool -P nagios_run_sudo 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Disabled by default.

setsebool -P secure_mode_insmod 1
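As an added example (not from the man page), the following script checks the current values of the booleans listed above against the defaults this page states and reports any that have drifted; the getsebool output in the block is a constructed sample.

```shell
# Documented defaults for the booleans listed above ("Enabled by default" is
# on, "Disabled by default" is off), one "name value" pair per line.
INIT_BOOLEAN_DEFAULTS='init_audit_control on
init_create_dirs on
deny_bluetooth off
fips_mode on
nagios_run_sudo off
nis_enabled off
secure_mode_insmod off'

# Constructed sample of `getsebool` output from a system where two booleans
# no longer match their defaults.
SAMPLE_GETSEBOOL='init_audit_control --> on
init_create_dirs --> off
deny_bluetooth --> off
fips_mode --> on
nagios_run_sudo --> on
nis_enabled --> off
secure_mode_insmod --> off'

# boolean_drift: read "name --> value" lines on stdin and print
# "<name> default=<d> current=<c>" for every boolean in the defaults table
# whose current value differs from the documented default.
boolean_drift() {
    awk -v defaults="$INIT_BOOLEAN_DEFAULTS" '
    BEGIN {
        n = split(defaults, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], kv, " "); def[kv[1]] = kv[2] }
    }
    $2 == "-->" && ($1 in def) && $3 != def[$1] {
        print $1, "default=" def[$1], "current=" $3
    }'
}

# Run over the constructed sample; on a live system (policycoreutils installed):
#   getsebool init_audit_control init_create_dirs deny_bluetooth fips_mode \
#       nagios_run_sudo nis_enabled secure_mode_insmod | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
```

A reported line is only a prompt to review: a boolean may have been changed deliberately, but one such as secure_mode_insmod or deny_bluetooth differing from what your baseline expects is worth confirming against change records.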

MANAGED FILES
The SELinux process type init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

auditd_etc_t

/etc/audit(/.*)?

binfmt_misc_fs_t

boolean_type

bpf_t

/sys/fs/bpf

consolekit_log_t

/var/log/ConsoleKit(/.*)?

etc_aliases_t

/etc/mail/.*.db
/etc/mail/aliases.*
/etc/postfix/aliases.*
/etc/aliases
/etc/aliases.db

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

gnome_home_type

init_tmp_t

init_var_lib_t

/var/lib/systemd(/.*)?
/var/lib/private/systemd(/.*)?

initrc_state_t

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

krb5_keytab_t

/var/kerberos/krb5(/.*)?
/etc/krb5.keytab
/etc/krb5kdc/kadm5.keytab
/var/kerberos/krb5kdc/kadm5.keytab

lastlog_t

/var/log/lastlog.*

lockfile

mnt_t

/mnt(/[^/]*)?
/rhev(/[^/]*)?
/rhev/[^/]*/.*
/media(/[^/]*)?
/media/.hal-.*
/var/run/media(/[^/]*)?
/afs
/net
/misc
/rhev

print_spool_t

/var/spool/lpd(/.*)?
/var/spool/cups(/.*)?
/var/spool/cups-pdf(/.*)?

random_seed_t

/var/lib/random-seed
/usr/var/lib/random-seed

svirt_file_type

sysctl_type

sysfs_t

/sys(/.*)?

systemd_home_t

/root/.local/share/systemd(/.*)?
/home/[^/]+/.local/share/systemd(/.*)?

systemd_unit_file_type

tmpfs_t

/dev/shm
/var/run/shm
/usr/lib/udev/devices/shm

udev_rules_t

/etc/udev/rules.d(/.*)?

var_lib_nfs_t

/var/lib/nfs(/.*)?

var_lib_t

/opt/(.*/)?var/lib(/.*)?
/var/lib(/.*)?

var_log_t

/var/log/.*
/nsr/logs(/.*)?
/var/webmin(/.*)?
/var/log/secure[^/]*
/opt/zimbra/log(/.*)?
/var/log/maillog[^/]*
/var/log/spooler[^/]*
/var/log/messages[^/]*
/usr/centreon/log(/.*)?
/var/spool/rsyslog(/.*)?
/var/axfrdns/log/main(/.*)?
/var/spool/bacula/log(/.*)?
/var/tinydns/log/main(/.*)?
/var/dnscache/log/main(/.*)?
/var/stockmaniac/templates_cache(/.*)?
/opt/Symantec/scspagent/IDS/system(/.*)?
/var/log
/var/log/dmesg
/var/log/syslog
/var/named/chroot/var/log

wtmp_t

/var/log/wtmp.*

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux init policy is very flexible, allowing users to set up their init processes in as secure a manner as possible.

EQUIVALENCE DIRECTORIES

init policy stores data with multiple different file context types under the /var/run/systemd directory. If you would like to store the data in a different directory, you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory, you would execute the following commands:

semanage fcontext -a -e /var/run/systemd /srv/systemd
restorecon -R -v /srv/systemd

STANDARD FILE CONTEXT

SELinux defines the file context types for init. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t init_exec_t '/srv/init/content(/.*)?'
restorecon -R -v /srv/init/content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

The following file types are defined for init:

init_exec_t

- Set files with the init_exec_t type, if you want to transition an executable to the init_t domain.

Paths:
/sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*,
/usr/lib/systemd/system-generators/[^/]*, /bin/systemd, /sbin/upstart,
/usr/bin/systemd, /usr/sbin/upstart

init_tmp_t

- Set files with the init_tmp_t type, if you want to store init temporary files in the /tmp directories.

init_var_lib_t

- Set files with the init_var_lib_t type, if you want to store the init files under the /var/lib directory.

Paths:
/var/lib/systemd(/.*)?, /var/lib/private/systemd(/.*)?

init_var_run_t

- Set files with the init_var_run_t type, if you want to store the init files under the /run or /var/run directory.

initctl_t

- Set files with the initctl_t type, if you want to treat the files as initctl data.

Paths:
/dev/initctl, /var/run/initctl, /var/run/systemd/initctl/fifo

initrc_devpts_t

- Set files with the initrc_devpts_t type, if you want to treat the files as initrc devpts data.

initrc_exec_t

- Set files with the initrc_exec_t type, if you want to transition an executable to the initrc_t domain.

Paths:
/etc/init.d/.*, /etc/rc.d/rc.[^/]+, /etc/rc.d/init.d/.*,
/opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*,
/usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*,
/opt/nfast/scripts/init.d/(.*), /etc/rc.d/rc, /etc/X11/prefdm,
/usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/start-dirsrv,
/usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv,
/etc/sysconfig/network-scripts/ifup-ipsec,
/usr/share/system-config-services/system-config-services-mechanism.py

initrc_state_t

- Set files with the initrc_state_t type, if you want to treat the files as initrc state data.

initrc_tmp_t

- Set files with the initrc_tmp_t type, if you want to store initrc temporary files in the /tmp directories.

initrc_var_log_t

- Set files with the initrc_var_log_t type, if you want to treat the data as initrc var log data, usually stored under the /var/log directory.

initrc_var_run_t

- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run or /var/run directory.

Paths:
/var/run/utmp, /var/run/random-seed, /var/run/runlevel.dir,
/var/run/setmixer_flag

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.
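Because every file labeled init_exec_t is an entrypoint into the init_t domain, it is worth checking that the label appears only on the default init_exec_t paths listed above. This added example (not from the man page) does that over constructed `find` output; the default path pattern is the page's own regexes joined into one anchored alternation.

```shell
# Default init_exec_t paths from this page, joined into one anchored ERE.
INIT_EXEC_DEFAULT_PATHS='^(/sbin/init(ng)?|/usr/sbin/init(ng)?|/usr/lib/systemd/[^/]*|/usr/lib/systemd/system-generators/[^/]*|/bin/systemd|/sbin/upstart|/usr/bin/systemd|/usr/sbin/upstart)$'

# Constructed sample in "<context> <path>" form, the shape produced on a live
# system by GNU find with SELinux support:
#   find / -xdev -context '*:init_exec_t:*' -printf '%Z %p\n'
# Two entries carry init_exec_t outside the default paths on purpose.
SAMPLE_LABELS='system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd
system_u:object_r:init_exec_t:s0 /usr/lib/systemd/system-generators/systemd-fstab-generator
system_u:object_r:bin_t:s0 /usr/bin/ls
system_u:object_r:init_exec_t:s0 /opt/vendor/bin/helper
system_u:object_r:init_exec_t:s0 /usr/lib/systemd/user/default.target'

# unexpected_init_exec: read "<context> <path>" lines on stdin and print the
# path of every file whose type is init_exec_t but whose path does not match
# one of the default init_exec_t path regexes. Prints nothing when all
# init_exec_t files sit on default paths.
unexpected_init_exec() {
    # the type is the third colon-separated field of the context
    awk '{ split($1, c, ":"); if (c[3] == "init_exec_t") print $2 }' \
        | grep -Ev "$INIT_EXEC_DEFAULT_PATHS" || true
}

# Run over the constructed sample; each printed path deserves a look at how
# it got the label (a stray chcon, a custom fcontext rule, or a vendor
# package relabeling its own binaries).
printf '%s\n' "$SAMPLE_LABELS" | unexpected_init_exec
```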

COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)

init 23-10-20 init_selinux(8)