1xguest_selinux(8)     xguest SELinux Policy documentation    xguest_selinux(8)
2
3
4

NAME

6       xguest_u  -  Least  privileged  xwindows user role. - Security Enhanced
7       Linux Policy
8
9

DESCRIPTION

11       xguest_u is an SELinux User defined  in  the  SELinux  policy.  SELinux
12       users  have  default  roles,  xguest_r.  The default role has a default
13       type, xguest_t, associated with it.
14
15       The SELinux user will usually login to a system  with  a  context  that
16       looks like:
17
18       xguest_u:xguest_r:xguest_t:s0
19
20       Linux  users  are  automatically  assigned  an  SELinux users at login.
21       Login programs use the SELinux User to assign initial  context  to  the
22       user's shell.
23
24       SELinux policy uses the context to control the user's access.
25
26       By  default  all  users  are  assigned  to  the  SELinux  user  via the
27       __default__ flag
28
29       On Targeted policy systems the __default__  user  is  assigned  to  the
30       unconfined_u SELinux user.
31
32       You can list all Linux User to SELinux user mapping using:
33
34       semanage login -l
35
36       If  you  wanted  to change the default user mapping to use the xguest_u
37       user, you would execute:
38
39       semanage login -m -s xguest_u __default__
40
41
42       If you want to map the one Linux user (joe) to the SELinux user xguest,
43       you would execute:
44
45       $ semanage login -a -s xguest_u joe
46
47
48

USER DESCRIPTION

50       The  SELinux user xguest_u is defined in policy as a unprivileged user.
51       SELinux prevents unprivileged users  from  doing  administration  tasks
52       without transitioning to a different role.
53
54

SUDO

X WINDOWS LOGIN
57       The SELinux user xguest_u is able to X Windows login.
58
59

NETWORK
61       The SELinux user xguest_u is able to listen on the following tcp ports.
62
63              32768-61000
64
65              all ports with out defined types
66
67
68       The  SELinux  user  xguest_u  is  able  to connect to the following tcp
69       ports.
70
71              8955
72
73              53,853
74
75              4713
76
77              4331,5001
78
79              80,81,443,488,8008,8009,8443,9000
80
81              8080,8118,8123,10001-10010
82
83              3128,3401,4827
84
85              843,1935
86
87              21,989,990
88
89              631,8610-8614
90
91              32768-61000
92
93              all ports with out defined types
94
95              8000,9433,16001
96
97              8036
98
99              8081
100
101              389,636,3268,3269,7389
102
103              111
104
105              all ports < 1024
106
107              88,750,4444
108
109              9080
110
111
112       The SELinux user xguest_u is able to listen on the following udp ports.
113
114              32768-61000
115
116              all ports with out defined types
117
118
119       The SELinux user xguest_u is able  to  connect  to  the  following  tcp
120       ports.
121
122              8955
123
124              53,853
125
126              4713
127
128              4331,5001
129
130              80,81,443,488,8008,8009,8443,9000
131
132              8080,8118,8123,10001-10010
133
134              3128,3401,4827
135
136              843,1935
137
138              21,989,990
139
140              631,8610-8614
141
142              32768-61000
143
144              all ports with out defined types
145
146              8000,9433,16001
147
148              8036
149
150              8081
151
152              389,636,3268,3269,7389
153
154              111
155
156              all ports < 1024
157
158              88,750,4444
159
160              9080
161
162

BOOLEANS
164       SELinux  policy is customizable based on least access required.  xguest
165       policy is extremely flexible and has several booleans that allow you to
166       manipulate the policy and run xguest with the tightest access possible.
167
168
169
170       If you want to allow xguest users to configure Network Manager and con‐
171       nect to apache ports, you must turn on the xguest_connect_network bool‐
172       ean. Enabled by default.
173
174       setsebool -P xguest_connect_network 1
175
176
177
178       If  you  want  to allow xguest users to mount removable media, you must
179       turn on the xguest_mount_media boolean. Enabled by default.
180
181       setsebool -P xguest_mount_media 1
182
183
184
185       If you want to allow xguest to use blue tooth devices, you must turn on
186       the xguest_use_bluetooth boolean. Enabled by default.
187
188       setsebool -P xguest_use_bluetooth 1
189
190
191
192       If you want to allow users to resolve user passwd entries directly from
193       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
194       gin_nsswitch_use_ldap boolean. Disabled by default.
195
196       setsebool -P authlogin_nsswitch_use_ldap 1
197
198
199
200       If you want to deny user domains applications to map a memory region as
201       both executable and writable, this  is  dangerous  and  the  executable
202       should be reported in bugzilla, you must turn on the deny_execmem bool‐
203       ean. Enabled by default.
204
205       setsebool -P deny_execmem 1
206
207
208
209       If you want to deny any process from ptracing or  debugging  any  other
210       processes,  you  must  turn  on  the  deny_ptrace  boolean.  Enabled by
211       default.
212
213       setsebool -P deny_ptrace 1
214
215
216
217       If you want to allow all domains to execute in fips_mode, you must turn
218       on the fips_mode boolean. Enabled by default.
219
220       setsebool -P fips_mode 1
221
222
223
224       If  you  want  to  allow  httpd  cgi  support,  you  must  turn  on the
225       httpd_enable_cgi boolean. Enabled by default.
226
227       setsebool -P httpd_enable_cgi 1
228
229
230
231       If you want to allow confined applications to run  with  kerberos,  you
232       must turn on the kerberos_enabled boolean. Enabled by default.
233
234       setsebool -P kerberos_enabled 1
235
236
237
238       If  you  want  to  allow  system  to run with NIS, you must turn on the
239       nis_enabled boolean. Disabled by default.
240
241       setsebool -P nis_enabled 1
242
243
244
245       If you want to allow confined applications to use nscd  shared  memory,
246       you must turn on the nscd_use_shm boolean. Enabled by default.
247
248       setsebool -P nscd_use_shm 1
249
250
251
252       If  you  want  to allow unconfined executables to make their stack exe‐
253       cutable.  This should never, ever be necessary.  Probably  indicates  a
254       badly  coded  executable, but could indicate an attack. This executable
255       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
256       stack boolean. Enabled by default.
257
258       setsebool -P selinuxuser_execstack 1
259
260
261
262       If  you want to allow user to r/w files on filesystems that do not have
263       extended attributes (FAT, CDROM, FLOPPY), you must turn on  the  selin‐
264       uxuser_rw_noexattrfile boolean. Enabled by default.
265
266       setsebool -P selinuxuser_rw_noexattrfile 1
267
268
269
270       If you want to allow user  to use ssh chroot environment, you must turn
271       on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
272
273       setsebool -P selinuxuser_use_ssh_chroot 1
274
275
276
277       If you want to support NFS home  directories,  you  must  turn  on  the
278       use_nfs_home_dirs boolean. Disabled by default.
279
280       setsebool -P use_nfs_home_dirs 1
281
282
283
284       If  you  want  to  support SAMBA home directories, you must turn on the
285       use_samba_home_dirs boolean. Disabled by default.
286
287       setsebool -P use_samba_home_dirs 1
288
289
290

HOME_EXEC
292       The SELinux user xguest_u is able execute home content files.
293
294

TRANSITIONS
296       Three things can happen when xguest_t attempts to execute a program.
297
298       1. SELinux Policy can deny xguest_t from executing the program.
299
300
301
302       2. SELinux Policy can allow xguest_t to execute the program in the cur‐
303       rent user type.
304
305              Execute  the  following  to  see the types that the SELinux user
306              xguest_t can execute without transitioning:
307
308              sesearch -A -s xguest_t -c file -p execute_no_trans
309
310
311
312       3. SELinux can allow xguest_t to execute the program and transition  to
313       a new type.
314
315              Execute  the  following  to  see the types that the SELinux user
316              xguest_t can execute and transition:
317
318              $ sesearch -A -s xguest_t -c process -p transition
319
320
321

MANAGED FILES
323       The SELinux process type xguest_t can manage  files  labeled  with  the
324       following file types.  The paths listed are the default paths for these
325       file types.  Note the processes UID still need to have DAC permissions.
326
327       alsa_home_t
328
329            /home/[^/]+/.asoundrc
330
331       anon_inodefs_t
332
333
334       auth_cache_t
335
336            /var/cache/coolkey(/.*)?
337
338       chrome_sandbox_tmpfs_t
339
340
341       cifs_t
342
343
344       dosfs_t
345
346
347       gconf_tmp_t
348
349            /tmp/gconfd-[^/]+/.*
350
351       gkeyringd_tmp_t
352
353            /var/run/user/[^/]*/keyring.*
354
355       gnome_home_type
356
357
358       httpd_user_content_t
359
360            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
361
362       httpd_user_htaccess_t
363
364            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
365
366       httpd_user_ra_content_t
367
368            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
369
370       httpd_user_rw_content_t
371
372
373       httpd_user_script_exec_t
374
375            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
376
377       nfs_t
378
379
380       noxattrfs
381
382            all files on file systems which do not support extended attributes
383
384       pulseaudio_tmpfs_t
385
386
387       pulseaudio_tmpfsfile
388
389
390       usbfs_t
391
392
393       user_fonts_cache_t
394
395            /root/.fontconfig(/.*)?
396            /root/.fonts/auto(/.*)?
397            /root/.fonts.cache-.*
398            /home/[^/]+/.fontconfig(/.*)?
399            /home/[^/]+/.fonts/auto(/.*)?
400            /home/[^/]+/.fonts.cache-.*
401
402       user_home_type
403
404            all user home files
405
406       user_tmp_t
407
408            /dev/shm/mono.*
409            /var/run/user(/.*)?
410            /tmp/.ICE-unix(/.*)?
411            /tmp/.X11-unix(/.*)?
412            /dev/shm/pulse-shm.*
413            /tmp/.X0-lock
414            /tmp/hsperfdata_root
415            /var/tmp/hsperfdata_root
416            /home/[^/]+/tmp
417            /home/[^/]+/.tmp
418            /tmp/gconfd-[^/]+
419
420       user_tmp_type
421
422            all user tmp files
423
424       xserver_tmpfs_t
425
426
427

COMMANDS
429       semanage fcontext can also be used to manipulate default  file  context
430       mappings.
431
432       semanage  permissive  can  also  be used to manipulate whether or not a
433       process type is permissive.
434
435       semanage module can also be used to enable/disable/install/remove  pol‐
436       icy modules.
437
438       semanage boolean can also be used to manipulate the booleans
439
440
441       system-config-selinux is a GUI tool available to customize SELinux pol‐
442       icy settings.
443
444

AUTHOR
446       This manual page was auto-generated using sepolicy manpage .
447
448

SEE ALSO
450       selinux(8), xguest(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
451       icy(8), setsebool(8), xguest_dbusd_selinux(8), xguest_dbusd_selinux(8),
452       xguest_gkeyringd_selinux(8), xguest_gkeyringd_selinux(8)
453
454
455
456mgrepl@redhat.com                   xguest                   xguest_selinux(8)



        

    


            
        

        

            Impressum