xguest_selinux(8)     xguest SELinux Policy documentation    xguest_selinux(8)


NAME

       xguest_u - Least privileged X Windows user role. - Security Enhanced
       Linux Policy


DESCRIPTION

       xguest_u is an SELinux user defined in the SELinux policy. SELinux
       users have a default role; for xguest_u it is xguest_r. The default
       role has a default type, xguest_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       xguest_u:xguest_r:xguest_t:s0

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux user to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the xguest_u
       user, you would execute:

       semanage login -m -s xguest_u __default__

       If you want to map one Linux user (joe) to the SELinux user xguest_u,
       you would execute:

       $ semanage login -a -s xguest_u joe


USER DESCRIPTION

       The SELinux user xguest_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.


SUDO

X WINDOWS LOGIN

       The SELinux user xguest_u is able to log in through X Windows.


NETWORK

       The SELinux user xguest_u is able to connect to the following tcp
       ports.

              53,853

              8955

              4713

              4331,5001

              80,81,443,488,8008,8009,8443,9000

              8080,8118,8123,10001-10010

              3128,3401,4827

              843,1935

              21,989,990

              631,8610-8614

              32768-60999

              all ports without defined types

              8000,9433,16001

              8036

              8081

              9080

              88,750,4444


BOOLEANS

       SELinux policy is customizable based on the least access required.
       xguest policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run xguest with the tightest
       access possible.

       If you want to allow xguest users to configure Network Manager and
       connect to apache ports, you must turn on the xguest_connect_network
       boolean. Enabled by default.

       setsebool -P xguest_connect_network 1

       If you want to allow xguest users to mount removable media, you must
       turn on the xguest_mount_media boolean. Enabled by default.

       setsebool -P xguest_mount_media 1

       If you want to allow xguest to use Bluetooth devices, you must turn on
       the xguest_use_bluetooth boolean. Enabled by default.

       setsebool -P xguest_use_bluetooth 1

       If you want to deny applications in user domains from mapping a memory
       region as both executable and writable, you must turn on the
       deny_execmem boolean. Such a mapping is dangerous and the executable
       should be reported in bugzilla. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       process, you must turn on the deny_ptrace boolean. Enabled by default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary; it probably indicates a badly coded
       executable, but could indicate an attack. The executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execstack 1

       If you want to allow users to read and write files on filesystems
       that do not have extended attributes (FAT, CDROM, FLOPPY), you must
       turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1

       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Enabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

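       The booleans above are the knobs for running xguest with the tightest
       access possible. The following is an added example script, not part of
       the generated manual page: it reads `getsebool -a` style output and
       prints the `setsebool -P` commands needed to reach a least-privilege
       baseline. The baseline values and the sample getsebool output are
       assumptions constructed for this example.

```shell
#!/bin/sh
# Audit xguest-related booleans against a least-privilege baseline.
# Input: lines in the format printed by `getsebool -a` ("name --> on|off").
# Output: one "setsebool -P name value" line per boolean that has drifted.

# Baseline (an assumption for this example): "allow" booleans off,
# "deny" booleans on. Adjust to what the site actually needs.
XGUEST_BASELINE='
xguest_connect_network off
xguest_mount_media off
xguest_use_bluetooth off
deny_execmem on
deny_ptrace on
selinuxuser_execstack off
selinuxuser_rw_noexattrfile off
selinuxuser_use_ssh_chroot off
'

# boolean_drift: read getsebool output on stdin, print remediation commands.
boolean_drift() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue     # not a "name --> state" line
        want=$(printf '%s\n' "$XGUEST_BASELINE" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$want" ] || continue           # boolean not in the baseline
        if [ "$state" != "$want" ]; then
            printf 'setsebool -P %s %s\n' "$name" "$want"
        fi
    done
}

# Constructed sample of `getsebool -a` output used for the demonstration.
# On a real system run:  getsebool -a | boolean_drift
SAMPLE_GETSEBOOL='xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> off
deny_execmem --> on
deny_ptrace --> off
selinuxuser_execstack --> off
httpd_enable_cgi --> on'

# audit_sample: run the drift check over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
}

audit_sample
```

       The commands are printed rather than executed so they can be reviewed
       before being applied.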

HOME_EXEC

       The SELinux user xguest_u is able to execute home content files.


TRANSITIONS

       Three things can happen when xguest_t attempts to execute a program.

       1. SELinux Policy can deny xguest_t from executing the program.

       2. SELinux Policy can allow xguest_t to execute the program in the
       current user type.

              Execute the following to see the types that xguest_t can
              execute without transitioning:

              sesearch -A -s xguest_t -c file -p execute_no_trans

       3. SELinux can allow xguest_t to execute the program and transition to
       a new type.

              Execute the following to see the types that xguest_t can
              execute and transition to:

              $ sesearch -A -s xguest_t -c process -p transition


MANAGED FILES

       The SELinux process type xguest_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       alsa_home_t

            /home/[^/]+/.asoundrc

       anon_inodefs_t

       auth_cache_t

            /var/cache/coolkey(/.*)?

       chrome_sandbox_tmpfs_t

       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t

       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       noxattrfs

            all files on file systems which do not support extended attributes

       pulseaudio_tmpfsfile

       usbfs_t

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), xguest_dbusd_selinux(8),
       xguest_gkeyringd_selinux(8)

mgrepl@redhat.com                   xguest                   xguest_selinux(8)