guest_selinux(8)      guest SELinux Policy documentation      guest_selinux(8)



NAME

       guest_u - Least privileged terminal user role. - Security Enhanced
       Linux Policy



DESCRIPTION

       guest_u is an SELinux user defined in the SELinux policy.  Every
       SELinux user has a default role; for guest_u it is guest_r.  The
       default role has a default type, guest_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       guest_u:guest_r:guest_t:s0

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux user to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       A Linux user that has no explicit mapping is assigned to the SELinux
       user named by the __default__ entry.  An entry for the user's own
       login name takes precedence over a %group entry, and both take
       precedence over __default__.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the guest_u
       user, you would execute:

       semanage login -m -s guest_u __default__

       Give administrative accounts their own explicit mapping before doing
       this; otherwise they will also log in as guest_u, which cannot
       administer the system.  The new mapping applies to logins that happen
       after the change; sessions that are already open keep the context
       they were started with.

       If you want to map one Linux user (joe) to the SELinux user guest_u,
       you would execute:

       semanage login -a -s guest_u joe



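       The mapping lookup described above, worked through in code.  This is an
       added example and not code from sepolicy or the guest policy module; it
       applies the order libselinux uses when it consults the seusers file
       (exact login name, then %group entries in file order, then __default__)
       to a constructed `semanage login -l` listing and constructed group
       memberships, and builds the resulting login context.  The role/type
       pairs for staff_u and unconfined_u are the usual targeted-policy
       defaults and are an assumption of the example.

```python
"""Resolve the SELinux user a Linux login receives.

Added example for this page, not code from sepolicy or the guest module.
It mirrors the lookup order libselinux applies to the seusers file: an entry
for the login name itself wins, then the first %group entry (in file order)
for a group the user belongs to, then __default__.  The semanage output and
the group memberships below are constructed for illustration.
"""

# Constructed sample of `semanage login -l` output, listed in seusers order.
SAMPLE_SEMANAGE_LOGIN_L = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  guest_u              s0                   *
%wheel               staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""

# Constructed group memberships (what getgrouplist(3) would return).
SAMPLE_GROUPS = {
    "joe": ["joe", "wheel"],
    "alice": ["alice", "wheel"],
    "bob": ["bob"],
}

# Default role and type for each SELinux user.  guest_u's pair comes from this
# page; the other two are assumed targeted-policy defaults (`semanage user -l`).
DEFAULT_ROLE_TYPE = {
    "guest_u": ("guest_r", "guest_t"),
    "staff_u": ("staff_r", "staff_t"),
    "unconfined_u": ("unconfined_r", "unconfined_t"),
}


def parse_login_map(text):
    """Turn `semanage login -l` output into {login_name: (seuser, mls_range)},
    preserving line order."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Login":
            continue  # header or blank line
        login, seuser, mls = parts[0], parts[1], parts[2]
        mapping[login] = (seuser, mls)
    return mapping


def resolve_seuser(login, mapping, groups):
    """Apply the precedence rule: exact login name, then %group entries in
    file order, then __default__ (a KeyError here means no default exists)."""
    if login in mapping:
        return mapping[login]
    user_groups = set(groups.get(login, []))
    for key, value in mapping.items():
        if key.startswith("%") and key[1:] in user_groups:
            return value
    return mapping["__default__"]


def initial_context(login, mapping, groups):
    """Build the seuser:role:type:range context a login shell would receive."""
    seuser, mls = resolve_seuser(login, mapping, groups)
    role, type_ = DEFAULT_ROLE_TYPE[seuser]
    return f"{seuser}:{role}:{type_}:{mls}"


if __name__ == "__main__":
    m = parse_login_map(SAMPLE_SEMANAGE_LOGIN_L)
    for user in ("joe", "alice", "bob"):
        print(user, "->", initial_context(user, m, SAMPLE_GROUPS))
    # Effect of `semanage login -m -s guest_u __default__`: everyone without
    # an explicit or group mapping now lands in guest_u.
    m["__default__"] = ("guest_u", "s0")
    print("bob after remapping __default__ ->", initial_context("bob", m, SAMPLE_GROUPS))
```

       Note that joe is in wheel but still resolves to guest_u, because his
       own entry beats the %wheel entry; alice, with no entry of her own,
       picks up staff_u through %wheel.  Remapping __default__ changes only
       users like bob who match neither.
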
USER DESCRIPTION

       The SELinux user guest_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.



SUDO

X WINDOWS LOGIN

       The SELinux user guest_u is not able to log in to X Windows.



NETWORK

       The SELinux user guest_u is able to connect to the following tcp ports.

              88,750,4444

              9080

       "Connect" here is the name_connect permission on the port labels that
       cover these numbers; it does not let guest_t bind to or listen on
       them.  semanage port -l shows which port type each number belongs to.


BOOLEANS

       SELinux policy is customizable based on least access required.  guest
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run guest with the tightest access possible.

       The commands below set a boolean to 1 (on); use 0 to turn one off.
       setsebool -P makes the change persistent across reboots; without -P
       the change applies to the running policy only and is lost at reboot.
       getsebool -a lists the current values.

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous, and
       an executable that needs it should be reported in bugzilla), you must
       turn on the deny_execmem boolean.  Enabled by default.

       setsebool -P deny_execmem 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean.  Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean.  Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean.  Disabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean.  This
       should never, ever be necessary.  It probably indicates a badly coded
       executable, but could indicate an attack; the executable should be
       reported in bugzilla.  Disabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean.  Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean.  Enabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean.  Disabled by default.

       setsebool -P use_samba_home_dirs 1



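       A drift check over the booleans listed above.  This is an added
       example, not code from sepolicy or the guest policy module.  It parses
       a constructed `getsebool -a` listing, compares it with an assumed
       "tightest guest" baseline chosen from this page (deny_execmem on; the
       execstack, ssh-chroot and SAMBA-home relaxations off), and emits the
       setsebool -P lines that would bring the host back.  The baseline and
       the sample output are assumptions of the example, not values from the
       page.

```python
"""Audit SELinux booleans against a 'tightest guest' baseline.

Added example for this page, not code from sepolicy or the guest module.
The baseline below is an assumption chosen from the booleans this page lists:
keep deny_execmem on and leave the three opt-in relaxations off.  The
getsebool output is constructed for illustration.
"""

import re

# Constructed `getsebool -a` output for a host that has drifted.
SAMPLE_GETSEBOOL_A = """\
deny_execmem --> off
fips_mode --> on
httpd_enable_cgi --> on
kerberos_enabled --> on
selinuxuser_execstack --> on
selinuxuser_use_ssh_chroot --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> on
"""

# Assumed baseline: True = should be on, False = should be off.
GUEST_BASELINE = {
    "deny_execmem": True,
    "selinuxuser_execstack": False,
    "selinuxuser_use_ssh_chroot": False,
    "use_samba_home_dirs": False,
}

_LINE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")


def parse_getsebool(text):
    """Turn `getsebool -a` output into {boolean_name: bool}."""
    state = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            state[m.group(1)] = (m.group(2) == "on")
    return state


def audit_booleans(state, baseline):
    """Return [(name, current, wanted)] for every boolean that differs from
    the baseline.  current is None when the policy has no such boolean."""
    drift = []
    for name, wanted in baseline.items():
        current = state.get(name)
        if current != wanted:
            drift.append((name, current, wanted))
    return drift


def remediation_commands(drift):
    """Persistent setsebool lines that restore the baseline.  Booleans the
    policy does not define are skipped: setsebool would fail on them and
    they need a policy fix, not a boolean flip."""
    return [
        f"setsebool -P {name} {1 if wanted else 0}"
        for name, current, wanted in drift
        if current is not None
    ]


if __name__ == "__main__":
    drift = audit_booleans(parse_getsebool(SAMPLE_GETSEBOOL_A), GUEST_BASELINE)
    for name, current, wanted in drift:
        print(f"{name}: is {current}, want {wanted}")
    print("\n".join(remediation_commands(drift)))
```

       Feed it the real output of getsebool -a instead of the sample to audit
       a live host; run the printed setsebool lines as root.
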
HOME_EXEC

       The SELinux user guest_u is able to execute home content files.  Since
       guest_t can also write to its home directory (see MANAGED FILES below),
       a guest user can create a file there and run it; the program then runs
       in the guest_t domain, confined by the same rules as the user's shell.



TRANSITIONS

       Three things can happen when guest_t attempts to execute a program.

       1. SELinux policy can deny guest_t from executing the program.

       2. SELinux policy can allow guest_t to execute the program in the
       current type, guest_t.

              Execute the following to see the file types that the guest_t
              domain can execute without transitioning:

              sesearch -A -s guest_t -c file -p execute_no_trans

       3. SELinux can allow guest_t to execute the program and transition to a
       new type.

              Execute the following to see the types that the guest_t domain
              can transition to:

              sesearch -A -s guest_t -c process -p transition



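       The three outcomes above, decided by a small model of the exec checks.
       This is an added example and not code from sepolicy or the guest policy
       module; the allow and type_transition rules in it are constructed to
       show each outcome and are not the real guest_t rules (ping_t/ping_exec_t
       and the broken_t pair are stand-ins).  The model keeps the permissions
       that matter for exec: execute on the file for the caller, execute_no_trans
       to stay in the same domain, and for a domain change a type_transition
       rule plus transition (process class) and entrypoint (file class).

```python
"""Decide what happens when guest_t executes a file, given a mini-policy.

Added example for this page, not code from sepolicy or the guest module.
The rules are constructed to illustrate the three outcomes the TRANSITIONS
section describes; they are not the real guest_t rules, and the
ping_t/ping_exec_t and broken_t/broken_exec_t pairs are stand-ins.
"""

from collections import namedtuple

Allow = namedtuple("Allow", "source target cls perms")
TypeTransition = namedtuple("TypeTransition", "source target cls new_type")

# Constructed allow rules (the kind `sesearch -A` prints).
POLICY_ALLOW = [
    Allow("guest_t", "bin_t", "file", {"read", "execute", "execute_no_trans"}),
    Allow("guest_t", "user_home_t", "file", {"read", "write", "execute", "execute_no_trans"}),
    Allow("guest_t", "ping_exec_t", "file", {"read", "execute"}),
    Allow("guest_t", "ping_t", "process", {"transition"}),
    Allow("ping_t", "ping_exec_t", "file", {"entrypoint"}),
    # A half-wired transition: no entrypoint rule for broken_t, so exec fails.
    Allow("guest_t", "broken_exec_t", "file", {"read", "execute"}),
    Allow("guest_t", "broken_t", "process", {"transition"}),
]

# Constructed type_transition rules (the kind `sesearch -T` prints).
POLICY_TRANS = [
    TypeTransition("guest_t", "ping_exec_t", "process", "ping_t"),
    TypeTransition("guest_t", "broken_exec_t", "process", "broken_t"),
]


def allowed(allows, source, target, cls, perm):
    """True if some allow rule grants perm on (source, target, cls)."""
    return any(a.source == source and a.target == target and a.cls == cls
               and perm in a.perms for a in allows)


def exec_outcome(source, file_type, allows=POLICY_ALLOW, trans=POLICY_TRANS):
    """Return ("denied", why), ("no_transition", source) or ("transition", new_type)."""
    if not allowed(allows, source, file_type, "file", "execute"):
        return ("denied", f"{source} lacks execute on {file_type}")
    # A type_transition rule makes the domain change the default for this
    # exec; if the change itself is not permitted the exec fails rather than
    # silently staying in the caller's domain.
    for tt in trans:
        if tt.source == source and tt.target == file_type and tt.cls == "process":
            new = tt.new_type
            if not allowed(allows, source, new, "process", "transition"):
                return ("denied", f"{source} lacks transition to {new}")
            if not allowed(allows, new, file_type, "file", "entrypoint"):
                return ("denied", f"{file_type} is not an entrypoint for {new}")
            return ("transition", new)
    if allowed(allows, source, file_type, "file", "execute_no_trans"):
        return ("no_transition", source)
    return ("denied", f"{source} lacks execute_no_trans on {file_type}")


def executable_without_transition(source, allows=POLICY_ALLOW):
    """Mirror of `sesearch -A -s <source> -c file -p execute_no_trans`."""
    return sorted(a.target for a in allows
                  if a.source == source and a.cls == "file" and "execute_no_trans" in a.perms)


def transition_targets(source, allows=POLICY_ALLOW):
    """Mirror of `sesearch -A -s <source> -c process -p transition`."""
    return sorted(a.target for a in allows
                  if a.source == source and a.cls == "process" and "transition" in a.perms)


if __name__ == "__main__":
    for ft in ("bin_t", "user_home_t", "ping_exec_t", "broken_exec_t", "shadow_t"):
        print(f"guest_t exec {ft}: {exec_outcome('guest_t', ft)}")
    print("no-transition types:", executable_without_transition("guest_t"))
    print("transition targets :", transition_targets("guest_t"))
```

       On a real system the third ingredient, the type_transition rules, can
       be listed with sesearch -T -s guest_t -c process; the two sesearch
       commands in the section above only show the allow side.
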
MANAGED FILES

       The SELinux process type guest_t can manage files labeled with the
       following file types.  The paths listed are the default paths for
       these file types.  Note that the process's UID still needs to have DAC
       permissions.  Note also that the list includes httpd_user_script_exec_t,
       the label of cgi-bin under ~/public_html, ~/www and ~/web: a guest_u
       user can write CGI scripts there, which matters when httpd_enable_cgi
       (see BOOLEANS) is on and httpd serves user home directories.

       alsa_home_t

            /home/[^/]+/.asoundrc

       anon_inodefs_t


       auth_cache_t

            /var/cache/coolkey(/.*)?

       cifs_t


       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t


       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       nfs_t


       user_home_type

            all user home files

       user_tmp_type

            all user tmp files



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


240

AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), guest(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



mgrepl@redhat.com                    guest                    guest_selinux(8)