guest_selinux(8)      guest SELinux Policy documentation      guest_selinux(8)


NAME

       guest_u - Least privileged terminal user role - Security Enhanced
       Linux Policy



DESCRIPTION

       guest_u is an SELinux user defined in the SELinux policy. SELinux users
       have a default role; for guest_u that role is guest_r. The default role
       has a default type, guest_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       guest_u:guest_r:guest_t:s0

       Linux users are automatically assigned an SELinux user at login. Login
       programs use the SELinux user to assign the initial context to the
       user's shell.

       SELinux policy uses the context to control the user's access.

       By default, all Linux users that have no mapping of their own are
       assigned to one SELinux user via the __default__ entry.

       On targeted policy systems the __default__ entry is mapped to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the guest_u
       user, you would execute:

       semanage login -m -s guest_u __default__

       Before doing so, give every administrative account an explicit mapping
       (for example semanage login -a -s staff_u <name>), since any login that
       still falls through to __default__ afterwards becomes a guest with no
       path to an administrative role. The change applies at the next login;
       existing sessions keep their context. On targeted policy the
       __default__ entry usually carries the MLS/MCS range s0-s0:c0.c1023,
       which is wider than the s0 range of guest_u; if semanage rejects the
       modification for that reason, add -r s0 to the command.


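The login-mapping lookup described above, as an added Python example (not part of this man page or of the sepolicy tool): it parses constructed `semanage login -l` output, works out which SELinux user a given login would receive, and lists the accounts that would fall through to __default__ before that entry is remapped to guest_u. The resolution order is a simplified model of libselinux's getseuserbyname(), the sample table and the user names in it are constructed, and all function names are this example's own.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of `semanage login -l` output on a targeted-policy host
# (not captured from a real system).
SAMPLE_LOGIN_LIST = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
%wheel               staff_u              s0-s0:c0.c1023       *
alice                user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
"""

Mapping = Dict[str, Tuple[str, str]]


def parse_login_list(text: str) -> Mapping:
    """Map each login name (user, %group or __default__) to
    (selinux_user, mls_range), skipping the header and blank lines."""
    mappings: Mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Login":
            continue
        mappings[parts[0]] = (parts[1], parts[2])
    return mappings


def resolve_seuser(login: str, groups: Iterable[str], mappings: Mapping) -> Tuple[str, str]:
    """SELinux user a Linux login receives at login time.

    Simplified model of libselinux getseuserbyname(): an entry for the login
    name wins, then a %group entry for a group the login belongs to, then
    __default__. Raises KeyError if there is no __default__ entry at all.
    """
    if login in mappings:
        return mappings[login]
    for group in groups:
        if "%" + group in mappings:
            return mappings["%" + group]
    return mappings["__default__"]


def remap_default(mappings: Mapping, seuser: str, mls_range: Optional[str] = None) -> Mapping:
    """Effect of `semanage login -m -s <seuser> [-r <range>] __default__` on
    the table. Without a range the existing one is kept, which is what makes
    the unconfined_u -> guest_u change fail on targeted hosts (s0-s0:c0.c1023
    exceeds the s0 range of guest_u), so pass "s0" in that case."""
    updated = dict(mappings)
    updated["__default__"] = (seuser, mls_range or mappings["__default__"][1])
    return updated


def unmapped_logins(logins: Iterable[Tuple[str, Iterable[str]]], mappings: Mapping) -> List[str]:
    """Logins (given as (name, groups)) that would fall through to __default__.
    Run this before remapping __default__ to guest_u so that no administrator
    account is silently demoted to the guest role."""
    return sorted(
        name for name, groups in logins
        if name not in mappings and not any("%" + g in mappings for g in groups)
    )


if __name__ == "__main__":
    table = parse_login_list(SAMPLE_LOGIN_LIST)
    accounts = [("alice", ["alice"]), ("bob", ["bob", "wheel"]), ("carol", ["carol"])]
    print("fall through to __default__:", unmapped_logins(accounts, table))
    after = remap_default(table, "guest_u", "s0")
    for name, groups in accounts:
        print(name, resolve_seuser(name, groups, table), "->", resolve_seuser(name, groups, after))
```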

USER DESCRIPTION

       The SELinux user guest_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.



SUDO

X WINDOWS LOGIN

       The SELinux user guest_u is not able to log in via X Windows.



NETWORK

       The SELinux user guest_u is able to listen on the following tcp ports.

              32768-61000

              all ports without defined types


       The SELinux user guest_u is able to connect to the following tcp ports.

              53

              8955

              9080

              32768-61000

              all ports < 1024

              389,636,3268,3269,7389

              111

              88,750,4444

              all ports without defined types


       The SELinux user guest_u is able to listen on the following udp ports.

              32768-61000

              all ports without defined types


       The SELinux user guest_u is able to connect to the following udp ports.

              53

              8955

              9080

              32768-61000

              all ports < 1024

              389,636,3268,3269,7389

              111

              88,750,4444

              all ports without defined types


       Note that SELinux grants network access by port type, not by port
       number: the numbers above are the ports those types carried when this
       page was generated, and "all ports < 1024" and "all ports without
       defined types" cover only ports that have no more specific type of
       their own. A port with its own type, such as 80 or 443 (http_port_t),
       is therefore not reachable from guest_t even though it is below 1024.
       Use semanage port -l to see which type a port currently carries.


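The port check implied by the lists above, as an added Python example (not part of this man page or of sepolicy): it parses a constructed `semanage port -l` excerpt, resolves a port number to its type the way the policy does (a specific type beats the generic reserved/unreserved ranges), turns the page's port numbers back into port types on the current table, and answers whether guest_t may connect to a given tcp port. Treating "all ports < 1024" as reserved_port_t plus hi_reserved_port_t and "all ports without defined types" as unreserved_port_t is this example's assumption, as are the sample rows and the function names.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of `semanage port -l` output (not captured from a real
# host); just enough rows to exercise the checks below. 8080 is included so a
# high port with its own type is covered.
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

dns_port_t                     tcp      53, 853
ephemeral_port_t               tcp      32768-60999
hi_reserved_port_t             tcp      512-1023
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8080, 8443, 9000
kerberos_port_t                tcp      88, 750, 4444
ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
mysqld_port_t                  tcp      1186, 3306, 63132-63164
portmap_port_t                 tcp      111
reserved_port_t                tcp      1-511
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535
dns_port_t                     udp      53
"""

# Catch-all types that apply only when no specific type claims the port.
# Assumption: these are what the man page calls "all ports < 1024" and
# "all ports without defined types".
GENERIC_TYPES: Set[str] = {"reserved_port_t", "hi_reserved_port_t", "unreserved_port_t"}

# One port from each numbered entry in the "connect to ... tcp ports" list
# above; they are resolved to port types on the live table so the check keys
# on types, exactly as the policy does.
REPRESENTATIVE_PORTS = [53, 8955, 9080, 32768, 389, 636, 3268, 3269, 7389, 111, 88, 750, 4444]

PortTable = Dict[str, List[Tuple[str, int, int]]]


def parse_port_list(text: str) -> PortTable:
    """Parse `semanage port -l` rows into {proto: [(type, low, high), ...]}.
    Each row is "<type> <proto> <comma separated ports or low-high ranges>"."""
    table: PortTable = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] == "SELinux":
            continue
        ptype, proto, spec = parts
        for item in spec.split(","):
            lo, _, hi = item.strip().partition("-")
            table.setdefault(proto, []).append((ptype, int(lo), int(hi or lo)))
    return table


def port_type(table: PortTable, proto: str, port: int) -> Optional[str]:
    """Type covering `port`: a specific type wins over the generic ranges;
    None only if no row at all covers the port."""
    generic: Optional[str] = None
    for ptype, low, high in table.get(proto, []):
        if low <= port <= high:
            if ptype in GENERIC_TYPES:
                generic = generic or ptype
            else:
                return ptype
    return generic


def guest_tcp_connect_types(table: PortTable) -> Set[str]:
    """Port types guest_t may connect to, derived from the page's port list."""
    allowed = set(GENERIC_TYPES)
    for port in REPRESENTATIVE_PORTS:
        ptype = port_type(table, "tcp", port)
        if ptype is not None:
            allowed.add(ptype)
    return allowed


def guest_can_connect_tcp(table: PortTable, port: int) -> bool:
    ptype = port_type(table, "tcp", port)
    return ptype is None or ptype in guest_tcp_connect_types(table)


def explain(table: PortTable, port: int) -> str:
    ptype = port_type(table, "tcp", port) or "(no defined type)"
    verdict = "allowed" if guest_can_connect_tcp(table, port) else "denied"
    return f"tcp/{port} {ptype}: {verdict}"


if __name__ == "__main__":
    tbl = parse_port_list(SAMPLE_PORT_LIST)
    for p in (22, 53, 80, 443, 853, 1000, 3306, 8080, 10000, 40000, 63140):
        print(explain(tbl, p))
```

Because the decision is made on the resolved type, a port an administrator relabels with `semanage port -a` inside 32768-61000 is correctly reported as denied, and 853 (also dns_port_t in the sample) as allowed, neither of which a plain numeric comparison with the lists above would get right.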

BOOLEANS

       SELinux policy is customizable based on the least access required.
       guest policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run guest with the tightest access
       possible.


       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1


       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous, and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1


       If you want to deny any process from ptracing or debugging any other
       process, you must turn on the deny_ptrace boolean. Enabled by default.

       setsebool -P deny_ptrace 1


       If you want to allow any process to mmap any file on the system with
       the attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1


       If you want to allow all domains to write to kmsg_device while the
       kernel is run with the systemd.log_target=kmsg parameter, you must turn
       on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1


       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Disabled by default.

       setsebool -P httpd_enable_cgi 1


       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1


       If you want to allow logging in and using the system from /dev/console,
       you must turn on the login_console_enabled boolean. Enabled by default.

       setsebool -P login_console_enabled 1


       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1


       If you want to disallow programs, such as newrole, from transitioning
       to administrative user domains, you must turn on the secure_mode
       boolean. Enabled by default.

       setsebool -P secure_mode 1


       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary; it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1


       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1


       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


       If you want to allow the graphical login program to log in directly as
       sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
       Enabled by default.

       setsebool -P xdm_sysadm_login 1


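A drift check over the booleans documented above, as an added Python example (not part of this man page or of sepolicy): it parses constructed `getsebool -a` output, compares it with a target baseline for a host on which guest_u is the default mapping, and prints the `setsebool -P` commands that would close the gap. The baseline itself is this example's choice, not a recommendation printed by sepolicy, and it is deliberately strict (secure_mode on also stops administrators on the same host from using newrole), so adjust it before applying the output; the sample lines and function names are likewise the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed `getsebool -a` excerpt (not captured from a real host).
SAMPLE_GETSEBOOL = """\
authlogin_nsswitch_use_ldap --> off
deny_execmem --> off
deny_ptrace --> off
domain_kernel_load_modules --> off
secure_mode --> off
selinuxuser_execstack --> on
selinuxuser_use_ssh_chroot --> off
ssh_sysadm_login --> off
xdm_sysadm_login --> on
"""

# Target values for a guest_u host, chosen from the booleans this page lists.
# Assumption of this example: a strict baseline, to be reviewed per host.
GUEST_HOST_BASELINE: Dict[str, bool] = {
    "deny_execmem": True,
    "deny_ptrace": True,
    "domain_kernel_load_modules": False,
    "secure_mode": True,
    "selinuxuser_execstack": False,
    "selinuxuser_use_ssh_chroot": False,
    "ssh_sysadm_login": False,
    "xdm_sysadm_login": False,
}

LINE_RE = re.compile(r"^(\w+)\s+-->\s+(on|off)\s*$")


def parse_getsebool(text: str) -> Dict[str, bool]:
    """Map boolean name -> current value from `getsebool -a` lines."""
    state: Dict[str, bool] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            state[m.group(1)] = m.group(2) == "on"
    return state


def boolean_drift(state: Dict[str, bool], baseline: Dict[str, bool]) -> List[Tuple[str, Optional[bool], bool]]:
    """(name, current, wanted) for every baseline entry whose live value
    differs. A boolean the policy does not define is reported with
    current=None rather than being skipped silently."""
    drift = []
    for name, wanted in sorted(baseline.items()):
        current = state.get(name)
        if current != wanted:
            drift.append((name, current, wanted))
    return drift


def remediation_commands(drift: List[Tuple[str, Optional[bool], bool]]) -> List[str]:
    """setsebool -P lines that bring the host to the baseline; booleans that
    are absent from the policy become comments, since setsebool fails on them."""
    cmds = []
    for name, current, wanted in drift:
        if current is None:
            cmds.append(f"# {name}: not present in this policy, skipped")
        else:
            cmds.append(f"setsebool -P {name} {'on' if wanted else 'off'}")
    return cmds


if __name__ == "__main__":
    live = parse_getsebool(SAMPLE_GETSEBOOL)
    for cmd in remediation_commands(boolean_drift(live, GUEST_HOST_BASELINE)):
        print(cmd)
```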

HOME_EXEC

       The SELinux user guest_u is able to execute home content files.



TRANSITIONS

       Three things can happen when guest_t attempts to execute a program.

       1. SELinux policy can deny guest_t from executing the program.


       2. SELinux policy can allow guest_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux domain
              guest_t can execute without transitioning:

              $ sesearch -A -s guest_t -c file -p execute_no_trans


       3. SELinux policy can allow guest_t to execute the program and
       transition to a new type.

              Execute the following to see the types that the SELinux domain
              guest_t can execute and transition to:

              $ sesearch -A -s guest_t -c process -p transition


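Reading the output of the two sesearch commands above, as an added Python example (not part of this man page or of sepolicy): it parses allow rules in the setools 4 output format, including the `[ boolean ]:True` suffix that marks a rule as conditional, and reports which domains guest_t can transition to and which file types it can run in place. The rule lines are constructed to exercise the parser and are not what sesearch prints on any particular host; `example_bool` is a placeholder name and the function names are the example's own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sesearch output (not captured from a real policy).
SAMPLE_SESEARCH = """\
allow guest_t bin_t:file { execute execute_no_trans getattr ioctl map open read };
allow guest_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read };
allow guest_t httpd_user_script_exec_t:file { execute execute_no_trans getattr open read }; [ httpd_enable_cgi ]:True
allow guest_t chfn_exec_t:file { execute getattr open read };
allow guest_t passwd_t:process transition;
allow guest_t chfn_t:process transition;
allow guest_t ssh_t:process transition; [ example_bool ]:True
"""

# allow <src> <tgt>:<class> { perms } | perm ; [ <cond> ]:True|False
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+?));"
    r"(?:\s*\[\s*(?P<cond>[^\]]+?)\s*\]:(?P<branch>True|False))?\s*$"
)

Cond = Optional[Tuple[str, bool]]          # (boolean expression, branch) or None
Rule = Tuple[str, str, str, Set[str], Cond]  # src, tgt, class, perms, cond


def parse_allow_rules(text: str) -> List[Rule]:
    """Parse setools-4 style allow rules; lines that are not allow rules
    (headers, neverallow, etc.) are ignored."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = set((m.group("perms") or m.group("perm")).split())
        cond: Cond = None
        if m.group("cond"):
            cond = (m.group("cond"), m.group("branch") == "True")
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms, cond))
    return rules


def transitions(rules: List[Rule], src: str = "guest_t") -> Dict[str, Cond]:
    """Domains `src` may transition to, with the boolean each depends on."""
    return {tgt: cond for s, tgt, cls, perms, cond in rules
            if s == src and cls == "process" and "transition" in perms}


def exec_no_trans(rules: List[Rule], src: str = "guest_t") -> Dict[str, Cond]:
    """File types `src` may execute without changing domain."""
    return {tgt: cond for s, tgt, cls, perms, cond in rules
            if s == src and cls == "file" and "execute_no_trans" in perms}


def describe(entries: Dict[str, Cond]) -> List[str]:
    out = []
    for tgt, cond in sorted(entries.items()):
        suffix = f" (only if {cond[0]} is {'on' if cond[1] else 'off'})" if cond else ""
        out.append(tgt + suffix)
    return out


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_SESEARCH)
    print("transition to:", describe(transitions(rules)))
    print("run in place:", describe(exec_no_trans(rules)))
```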

MANAGED FILES

       The SELinux process type guest_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t


       auth_cache_t

            /var/cache/coolkey(/.*)?

       cifs_t


       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t


       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       nfs_t


       user_home_type

            all user home files

       user_tmp_type

            all user tmp files



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), guest(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



mgrepl@redhat.com                    guest                    guest_selinux(8)