xguest_selinux(8)     xguest SELinux Policy documentation    xguest_selinux(8)



NAME

       xguest_u - Least privileged X user - Security Enhanced Linux Policy


DESCRIPTION

       xguest_u is an SELinux user defined in the SELinux policy.  SELinux
       users have a default role, here xguest_r.  The default role has a
       default type, xguest_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       xguest_u:xguest_r:xguest_t:s0

       Linux users are automatically assigned an SELinux user at login.  Login
       programs use the SELinux user to assign the initial context to the
       user's shell.

       SELinux policy uses the context to control the user's access.

       By default, every Linux user without an explicit mapping is assigned
       the SELinux user named by the __default__ entry.

       On Targeted policy systems the __default__ entry is mapped to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the xguest_u
       user, you would execute:

       semanage login -m -s xguest_u __default__

       Note that this confines every login that has no entry of its own, so
       check the output of semanage login -l first and make sure that
       administrative accounts (for example root) keep an explicit mapping of
       their own before changing __default__.

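       The mapping rules above (exact login, then the login's groups as %group
       entries, then __default__) as an added worked example in shell; this
       is not part of the generated page.  The semanage login -l table is a
       constructed sample, the %kiosk group and guest entries are assumptions,
       and the unconfined_u context line is the usual targeted-policy default
       rather than something this page states.  plan_mapping emits the
       semanage command instead of running it, so the change can be reviewed
       before the __default__ login is confined.

```shell
#!/bin/sh
# Added example: resolve the SELinux user a Linux login gets, and plan the
# semanage changes needed to confine logins as xguest_u.
# SEMANAGE_LOGIN_SAMPLE is a constructed `semanage login -l` table, not
# captured from a real host; %kiosk and guest are assumed entries.
SEMANAGE_LOGIN_SAMPLE='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
%kiosk               xguest_u             s0                   *
guest                xguest_u             s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# lookup_login NAME: SELinux user mapped to exactly NAME (a login, a %group
# or __default__); prints nothing when there is no such entry.
lookup_login() {
    printf '%s\n' "$SEMANAGE_LOGIN_SAMPLE" |
        awk -v key="$1" '$1 == key { print $2; exit }'
}

# resolve_seuser LOGIN [GROUP...]: the order libselinux uses when a login
# program asks for the initial context: exact login, then the login's groups
# as %group entries (here, in the order given), then __default__.
resolve_seuser() {
    seuser=$(lookup_login "$1")
    shift
    for grp in "$@"; do
        if [ -z "$seuser" ]; then
            seuser=$(lookup_login "%$grp")
        fi
    done
    if [ -z "$seuser" ]; then
        seuser=$(lookup_login __default__)
    fi
    printf '%s\n' "$seuser"
}

# login_context SEUSER: initial shell context for that SELinux user.
# The xguest_u line is from this page; the unconfined_u line is the usual
# targeted-policy default and an assumption here.
login_context() {
    case $1 in
        xguest_u)     printf 'xguest_u:xguest_r:xguest_t:s0\n' ;;
        unconfined_u) printf 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n' ;;
        *)            printf '%s: role/type not known to this example\n' "$1" ;;
    esac
}

# plan_mapping NAME SEUSER: print the one semanage command that makes NAME
# map to SEUSER, or nothing if it already does. A missing entry needs -a,
# an existing one -m (the DESCRIPTION's command modifies __default__).
plan_mapping() {
    current=$(lookup_login "$1")
    if [ -z "$current" ]; then
        printf 'semanage login -a -s %s %s\n' "$2" "$1"
    elif [ "$current" != "$2" ]; then
        printf 'semanage login -m -s %s %s\n' "$2" "$1"
    fi
}

# Demo: a kiosk group member is confined without a personal entry, root is
# not, and only __default__ and the new group actually need a change.
resolve_seuser alice kiosk
login_context "$(resolve_seuser alice kiosk)"
resolve_seuser root kiosk
plan_mapping __default__ xguest_u
plan_mapping '%students' xguest_u
plan_mapping guest xguest_u
```

       On a real host, replace SEMANAGE_LOGIN_SAMPLE with the output of
       semanage login -l and feed the user's groups from id -Gn; the printed
       plan can then be piped to sh once reviewed.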

USER DESCRIPTION

       The SELinux user xguest_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from performing administration
       tasks without transitioning to a different role.



SUDO

X WINDOWS LOGIN

       The SELinux user xguest_u is able to log in through the X Windows
       display manager.



NETWORK

       The SELinux user xguest_u is able to listen on the following tcp ports.

              all ports without a defined port type

              all ports > 500 and < 1024


       The SELinux user xguest_u is able to connect to the following tcp
       ports.

              389,636,3268

              53

              631,8610-8614

              8081

              all ports without a defined port type

              21,990

              all ports < 1024

              8036

              3128,8080,8118,8123,10001-10010

              80,81,443,488,8008,8009,8443,9000

              9080

              88,750

              4713

              843,1935

              5222,5223

              8000,9433,16001

              111


       The SELinux user xguest_u is able to listen on the following udp ports.

              all ports without a defined port type

              all ports > 500 and < 1024


       The SELinux user xguest_u is able to connect to the following udp
       ports.

              389,636,3268

              53

              631,8610-8614

              8081

              all ports without a defined port type

              21,990

              all ports < 1024

              8036

              3128,8080,8118,8123,10001-10010

              80,81,443,488,8008,8009,8443,9000

              9080

              88,750

              4713

              843,1935

              5222,5223

              8000,9433,16001

              111



BOOLEANS

       SELinux policy is customizable based on the least access required.
       The xguest policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run xguest with the tightest
       access possible.  The defaults given below are those of the policy
       this page was generated from; check the live values with getsebool -a
       before changing them.



       If you want to allow xguest to configure NetworkManager and connect to
       apache ports, you must turn on the xguest_connect_network boolean.
       Enabled by default.

       setsebool -P xguest_connect_network 1



       If you want to allow xguest users to mount removable media, you must
       turn on the xguest_mount_media boolean.  Enabled by default.

       setsebool -P xguest_mount_media 1



       If you want to allow xguest to use Bluetooth devices, you must turn on
       the xguest_use_bluetooth boolean.  Enabled by default.

       setsebool -P xguest_use_bluetooth 1



       If you want to allow direct login to the console device (required for
       System/390), you must turn on the allow_console_login boolean.
       Enabled by default.

       setsebool -P allow_console_login 1



       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean.
       Enabled by default.

       setsebool -P allow_domain_fd_use 1



       If you want to allow unconfined executables to map a memory region as
       both executable and writable, you must turn on the allow_execmem
       boolean.  This is dangerous, and the executable that needs it should
       be reported in bugzilla.  Enabled by default.

       setsebool -P allow_execmem 1



       If you want to allow unconfined executables to make their stack
       executable, you must turn on the allow_execstack boolean.  This should
       never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla.  Enabled by default.

       setsebool -P allow_execstack 1



       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean.  Enabled by default.

       setsebool -P allow_kerberos 1



       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean.  Disabled by default.

       setsebool -P allow_ptrace 1



       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the allow_write_xshm boolean.  Disabled by
       default.

       setsebool -P allow_write_xshm 1



       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean.  Disabled by default.

       setsebool -P allow_ypbind 1



       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean.  Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1



       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean.  Enabled by default.

       setsebool -P fips_mode 1



       If you want to enable reading of urandom for all domains, you must
       turn on the global_ssp boolean.  Disabled by default.

       setsebool -P global_ssp 1



       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean.  Enabled by default.

       setsebool -P httpd_enable_cgi 1



       If you want to unify HTTPD handling of all content files, you must
       turn on the httpd_unified boolean.  Disabled by default.

       setsebool -P httpd_unified 1



       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean.  Enabled by default.

       setsebool -P nscd_use_shm 1



       If you want to enable secure mode, which disallows programs such as
       newrole from transitioning to administrative user domains, you must
       turn on the secure_mode boolean.  Disabled by default.

       setsebool -P secure_mode 1



       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean.  Disabled by default.

       setsebool -P ssh_sysadm_login 1



       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean.  Disabled by default.

       setsebool -P use_nfs_home_dirs 1



       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean.  Disabled by default.

       setsebool -P use_samba_home_dirs 1



       If you want to allow regular users direct DRI device access, you must
       turn on the user_direct_dri boolean.  Enabled by default.

       setsebool -P user_direct_dri 1



       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the user_rw_noexattrfile boolean.  Disabled by default.

       setsebool -P user_rw_noexattrfile 1



       If you want to allow xdm logins as sysadm, you must turn on the
       xdm_sysadm_login boolean.  Disabled by default.

       setsebool -P xdm_sysadm_login 1



       If you want to support the X userspace object manager, you must turn
       on the xserver_object_manager boolean.  Disabled by default.

       setsebool -P xserver_object_manager 1



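       An added example, not from the generated page, that turns the boolean
       list above into a drift check for a kiosk: it compares a desired
       baseline with getsebool output and prints only the setsebool -P
       commands needed to reach it.  The getsebool output is a constructed
       sample, and the baseline is an assumption for a browse-only kiosk:
       network access stays on, while the media, Bluetooth, execmem/execstack
       and X shared-memory booleans are turned off because a browsing session
       does not need them and the page itself calls two of them dangerous.

```shell
#!/bin/sh
# Added example: boolean drift check for an xguest kiosk. Compares a desired
# baseline against `getsebool -a` output and prints only the setsebool -P
# commands needed to reach it. GETSEBOOL_SAMPLE is constructed, not captured
# from a real host; the baseline is an assumed browse-only kiosk policy.
GETSEBOOL_SAMPLE='allow_execmem --> on
allow_execstack --> on
allow_write_xshm --> off
ssh_sysadm_login --> off
user_rw_noexattrfile --> off
xdm_sysadm_login --> off
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on'

# Desired state, one "boolean value" pair per line. Network stays on so the
# kiosk can browse; everything a browsing session does not need is off, and
# the page itself calls execmem/execstack dangerous.
KIOSK_BASELINE='xguest_connect_network on
xguest_mount_media off
xguest_use_bluetooth off
allow_execmem off
allow_execstack off
allow_write_xshm off
user_rw_noexattrfile off
xdm_sysadm_login off
ssh_sysadm_login off'

# current_state NAME: "on"/"off" from the getsebool output, or nothing if the
# loaded policy does not define that boolean (names vary between releases).
current_state() {
    printf '%s\n' "$GETSEBOOL_SAMPLE" |
        awk -v name="$1" '$1 == name { print $3; exit }'
}

# boolean_drift: one setsebool -P line per boolean that differs from the
# baseline; undefined booleans are reported as comments rather than failing.
boolean_drift() {
    printf '%s\n' "$KIOSK_BASELINE" | while read -r name want; do
        have=$(current_state "$name")
        if [ -z "$have" ]; then
            printf '# %s: not defined in the loaded policy, skipped\n' "$name"
        elif [ "$have" != "$want" ]; then
            printf 'setsebool -P %s %s\n' "$name" "$want"
        fi
    done
}

# Demo: print the plan. On a real host, review it and then run it with
# `boolean_drift | sh` as root.
boolean_drift
```

       Replacing GETSEBOOL_SAMPLE with $(getsebool -a) makes this a live
       check; running it periodically catches a boolean that was flipped
       with setsebool but without -P and has since been made persistent, as
       well as the reverse.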

HOME_EXEC

       The SELinux user xguest_u is able to execute home content files.



TRANSITIONS

       Three things can happen when xguest_t attempts to execute a program.

       1. SELinux Policy can deny xguest_t from executing the program.



       2. SELinux Policy can allow xguest_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux user
              xguest_t can execute without transitioning:

              sesearch -A -s xguest_t -c file -p execute_no_trans



       3. SELinux can allow xguest_t to execute the program and transition to
       a new type.

              Execute the following to see the types that the SELinux user
              xguest_t can execute and transition:

              sesearch -A -s xguest_t -c process -p transition



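       An added example, not part of the generated page, that parses sesearch
       output in the two forms setools prints (a brace list for several
       permissions, a bare word for one) and classifies a file type into the
       three outcomes listed above.  The sesearch lines are a constructed
       sample; the mozilla_exec_t/mozilla_t and xguest_mono_t names are
       assumptions about what a real query would return, and a complete
       answer for outcome 3 also needs the type_transition rules from
       sesearch -T, which the two queries above do not cover.

```shell
#!/bin/sh
# Added example: classify what happens when xguest_t executes a file, from the
# two sesearch queries above. Both samples are constructed, not real output;
# the mozilla_* and xguest_mono_t names are assumed. setools prints several
# permissions in braces and a single one bare, so both forms are parsed.
SESEARCH_EXEC_SAMPLE='allow xguest_t bin_t:file { execute execute_no_trans getattr ioctl lock map open read };
allow xguest_t shell_exec_t:file { execute execute_no_trans getattr ioctl lock map open read };
allow xguest_t user_home_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink write };
allow xguest_t mozilla_exec_t:file { execute getattr ioctl lock map open read };'

SESEARCH_TRANS_SAMPLE='allow xguest_t mozilla_t:process { sigchld signal siginh transition };
allow xguest_t xguest_mono_t:process transition;'

# types_with_perm PERM: read allow rules on stdin, print the target type of
# every rule whose permission set contains PERM.
types_with_perm() {
    awk -v perm="$1" '
        $1 == "allow" {
            sub(/;.*$/, "")          # drop the terminator and any "[ bool ]:True" suffix
            gsub(/[{}]/, " ")        # normalise "{ a b }" and bare "a" to plain words
            split($3, tc, ":")       # target is "type:class"
            for (i = 4; i <= NF; i++)
                if ($i == perm) { print tc[1]; break }
        }'
}

# Outcome 2: file types xguest_t may run while staying xguest_t.
no_trans_types() {
    printf '%s\n' "$SESEARCH_EXEC_SAMPLE" | types_with_perm execute_no_trans
}

# Outcome 3: domains xguest_t may transition into. Which entrypoint file
# leads to which domain needs the type_transition rules (sesearch -T).
transition_domains() {
    printf '%s\n' "$SESEARCH_TRANS_SAMPLE" | types_with_perm transition
}

# exec_outcome FILE_TYPE: no_trans | transition_only | denied
#   no_trans        - runs in xguest_t (execute_no_trans granted)
#   transition_only - execute granted but not execute_no_trans, so the file
#                     must be an entrypoint of one of the domains above
#   denied          - no execute permission at all
exec_outcome() {
    if no_trans_types | grep -qx "$1"; then
        echo no_trans
    elif printf '%s\n' "$SESEARCH_EXEC_SAMPLE" | types_with_perm execute | grep -qx "$1"; then
        echo transition_only
    else
        echo denied
    fi
}

# Demo
for t in bin_t mozilla_exec_t sudo_exec_t; do
    printf '%-16s %s\n' "$t" "$(exec_outcome "$t")"
done
```

       On a real host, replace the two samples with the output of the
       sesearch commands above; types_with_perm reads whatever sesearch
       prints, conditional rules included.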

MANAGED FILES

       The SELinux process type xguest_t can manage files labeled with the
       following file types.  The paths listed are the default paths for
       these file types.  Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t


       auth_cache_t

            /var/cache/coolkey(/.*)?

       chrome_sandbox_tmpfs_t


       cifs_t


       httpd_user_content_t

            /home/[^/]*/((www)|(web)|(public_html))(/.+)?
            /home/staff/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t


       httpd_user_ra_content_t


       httpd_user_rw_content_t


       httpd_user_script_exec_t


       initrc_tmp_t


       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       noxattrfs

            all files on file systems which do not support extended attributes

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       usbfs_t


       user_fonts_cache_t

            /home/[^/]*/.fonts/auto(/.*)?
            /home/[^/]*/.fontconfig(/.*)?
            /home/[^/]*/.fonts.cache-.*
            /home/staff/.fonts/auto(/.*)?
            /home/staff/.fontconfig(/.*)?
            /home/staff/.fonts.cache-.*

       user_home_type

            all user home files

       user_tmp_t

            /tmp/gconfd-.*
            /tmp/gconfd-staff

       user_tmpfs_t

            /dev/shm/mono.*
            /dev/shm/pulse-shm.*

       xdm_tmp_t

            /tmp/.X11-unix(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X0-lock

       xserver_tmpfs_t




COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), xguest_dbusd_selinux(8), xguest_execmem_selinux(8),
       xguest_java_selinux(8), xguest_mono_selinux(8),
       xguest_openoffice_selinux(8)



mgrepl@redhat.com                   xguest                   xguest_selinux(8)