guest_selinux(8) guest SELinux Policy documentation guest_selinux(8)

NAME
guest_u - Least privileged terminal user role - Security Enhanced
Linux Policy

DESCRIPTION
guest_u is an SELinux user defined in the SELinux policy. SELinux users
have a default role, guest_r. The default role has a default type,
guest_t, associated with it.

The SELinux user will usually log in to a system with a context that
looks like:

guest_u:guest_r:guest_t:s0

Linux users are automatically assigned an SELinux user at login. Login
programs use the SELinux user to assign the initial context to the
user's shell.

SELinux policy uses the context to control the user's access.

By default all Linux users are assigned to an SELinux user via the
__default__ entry.

On targeted policy systems the __default__ user is assigned to the
unconfined_u SELinux user.

You can list all Linux user to SELinux user mappings using:

semanage login -l

If you wanted to change the default user mapping to use the guest_u
user, you would execute:

semanage login -m -s guest_u __default__

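An added example, not part of the generated manual page: a POSIX shell audit of the table that `semanage login -l` prints, to run before `__default__` is pointed at guest_u. It lists the logins already confined to guest_u, the SELinux user that unmapped logins receive, and the logins that keep an explicit unconfined_u mapping; once `__default__` maps to guest_u, every account without such an explicit mapping loses the ability to reach an administrative role. The sample table and the login names in it are constructed.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` output; not captured from a real host.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
kiosk                guest_u              s0                   *
%webdev              user_u               s0                   *'

# logins_for_seuser SEUSER: read `semanage login -l` output on stdin and print
# the Login Name of every row whose SELinux User column equals SEUSER.
logins_for_seuser() {
    awk -v seuser="$1" 'NR > 1 && NF >= 2 && $2 == seuser { print $1 }'
}

# default_seuser: print the SELinux user that logins without an explicit
# mapping receive (the __default__ row).
default_seuser() {
    awk '$1 == "__default__" { print $2 }'
}

# explicit_admin_logins: print logins mapped to unconfined_u by name rather
# than through __default__. These keep administrative access after
# __default__ is switched to guest_u; an empty result means the switch would
# confine every account that relies on the default mapping.
explicit_admin_logins() {
    awk 'NR > 1 && NF >= 2 && $1 != "__default__" && $2 == "unconfined_u" { print $1 }'
}

# safe_to_confine_default TABLE: succeed only if TABLE (semanage login -l
# output) contains at least one explicit unconfined_u mapping.
safe_to_confine_default() {
    [ -n "$(printf '%s\n' "$1" | explicit_admin_logins)" ]
}

# Usage on the constructed sample. On a live system pass "$(semanage login -l)"
# instead and run as root.
printf 'default mapping : %s\n' "$(printf '%s\n' "$SAMPLE_LOGINS" | default_seuser)"
printf 'guest_u logins  : %s\n' "$(printf '%s\n' "$SAMPLE_LOGINS" | logins_for_seuser guest_u)"
if safe_to_confine_default "$SAMPLE_LOGINS"; then
    echo "explicit admin mapping present; safe to run: semanage login -m -s guest_u __default__"
else
    echo "no explicit admin mapping; map one first, e.g. semanage login -a -s unconfined_u <login>"
fi
```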
USER DESCRIPTION
The SELinux user guest_u is defined in policy as an unprivileged user.
SELinux prevents unprivileged users from doing administration tasks
without transitioning to a different role.

X WINDOWS LOGIN
The SELinux user guest_u is not able to log in through X Windows.

NETWORK
The SELinux user guest_u is able to listen on the following tcp ports.

32768-61000
all ports without defined types

The SELinux user guest_u is able to connect to the following tcp ports.

53
8955
9080
32768-61000
all ports < 1024
389,636,3268,3269,7389
111
88,750,4444
all ports without defined types

The SELinux user guest_u is able to listen on the following udp ports.

32768-61000
all ports without defined types

The SELinux user guest_u is able to connect to the following udp ports.

53
8955
9080
32768-61000
all ports < 1024
389,636,3268,3269,7389
111
88,750,4444
all ports without defined types

BOOLEANS
SELinux policy is customizable based on least access required. guest
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run guest with the tightest access possible.

If you want to allow users to resolve user passwd entries directly from
ldap rather than using a sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to deny user domain applications the ability to map a
memory region as both executable and writable (this is dangerous and
the executable should be reported in bugzilla), you must turn on the
deny_execmem boolean. Enabled by default.

setsebool -P deny_execmem 1

If you want to deny any process from ptracing or debugging any other
processes, you must turn on the deny_ptrace boolean. Enabled by
default.

setsebool -P deny_ptrace 1

If you want to allow any process to mmap any file on the system with
attribute file_type, you must turn on the domain_can_mmap_files
boolean. Enabled by default.

setsebool -P domain_can_mmap_files 1

If you want to allow all domains to write to kmsg_device while the
kernel is executed with the systemd.log_target=kmsg parameter, you must
turn on the domain_can_write_kmsg boolean. Disabled by default.

setsebool -P domain_can_write_kmsg 1

If you want to allow all domains to use other domains' file
descriptors, you must turn on the domain_fd_use boolean. Enabled by
default.

setsebool -P domain_fd_use 1

If you want to allow all domains to have the kernel load modules, you
must turn on the domain_kernel_load_modules boolean. Disabled by
default.

setsebool -P domain_kernel_load_modules 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to enable reading of urandom for all domains, you must turn
on the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1

If you want to allow httpd cgi support, you must turn on the
httpd_enable_cgi boolean. Disabled by default.

setsebool -P httpd_enable_cgi 1

If you want to unify HTTPD handling of all content files, you must turn
on the httpd_unified boolean. Disabled by default.

setsebool -P httpd_unified 1

If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow logging in and using the system from /dev/console,
you must turn on the login_console_enabled boolean. Enabled by default.

setsebool -P login_console_enabled 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1

If you want to disallow programs, such as newrole, from transitioning
to administrative user domains, you must turn on the secure_mode
boolean. Enabled by default.

setsebool -P secure_mode 1

If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary; it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Enabled by default.

setsebool -P selinuxuser_execstack 1

If you want to allow users to use an ssh chroot environment, you must
turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

setsebool -P selinuxuser_use_ssh_chroot 1

If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
the ssh_sysadm_login boolean. Disabled by default.

setsebool -P ssh_sysadm_login 1

If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

If you want to allow the graphical login program to log in directly as
sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
Enabled by default.

setsebool -P xdm_sysadm_login 1

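An added example, not part of the generated manual page: a POSIX shell audit that reads `getsebool -a` style lines and reports any of the booleans above that matter most for a guest host and have drifted from the defaults this page lists (deny_execmem, deny_ptrace and secure_mode on; ssh_sysadm_login and selinuxuser_use_ssh_chroot off), printing the `setsebool -P` command that restores each. The sample `getsebool` output is constructed.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output; not captured from a real host.
# Two entries deliberately disagree with the defaults listed on this page.
SAMPLE_GETSEBOOL='deny_execmem --> on
deny_ptrace --> off
domain_fd_use --> on
secure_mode --> on
selinuxuser_use_ssh_chroot --> on
ssh_sysadm_login --> off'

# Expected states, taken from the defaults this page lists for the booleans
# that widen attack surface when flipped (memory and debug restrictions,
# reachability of the sysadm role). Format: NAME STATE.
EXPECTED='deny_execmem on
deny_ptrace on
secure_mode on
ssh_sysadm_login off
selinuxuser_use_ssh_chroot off'

# boolean_state NAME: read getsebool-style lines on stdin and print NAME's
# state (on/off); fail if the boolean is absent from the output.
boolean_state() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3; found = 1 }
                      END { exit found ? 0 : 1 }'
}

# audit_booleans GETSEBOOL_OUTPUT: compare every expected boolean with the
# state found in GETSEBOOL_OUTPUT. Prints one DRIFT line per mismatch and
# returns the number of mismatches (0 means the host matches the page).
audit_booleans() {
    mismatches=0
    while read -r name want; do
        have=$(printf '%s\n' "$1" | boolean_state "$name") || have=absent
        if [ "$have" != "$want" ]; then
            printf 'DRIFT: %s is %s, expected %s (restore: setsebool -P %s %s)\n' \
                "$name" "$have" "$want" "$name" "$want"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$mismatches"
}

# Usage on the constructed sample; on a live host pass "$(getsebool -a)".
audit_booleans "$SAMPLE_GETSEBOOL" || echo "$? boolean(s) drifted"
```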
HOME_EXEC
The SELinux user guest_u is able to execute home content files.

TRANSITIONS
Three things can happen when guest_t attempts to execute a program.

1. SELinux policy can deny guest_t from executing the program.

2. SELinux policy can allow guest_t to execute the program in the
current user type.

Execute the following to see the types that the SELinux user guest_t
can execute without transitioning:

sesearch -A -s guest_t -c file -p execute_no_trans

3. SELinux can allow guest_t to execute the program and transition to a
new type.

Execute the following to see the types that the SELinux user guest_t
can execute and transition:

sesearch -A -s guest_t -c process -p transition

MANAGED FILES
The SELinux process type guest_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

anon_inodefs_t

auth_cache_t
    /var/cache/coolkey(/.*)?

cifs_t

httpd_user_content_t
    /home/[^/]+/((www)|(web)|(public_html))(/.+)?

httpd_user_htaccess_t
    /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

httpd_user_ra_content_t
    /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

httpd_user_rw_content_t

httpd_user_script_exec_t
    /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

nfs_t

user_home_type
    all user home files

user_tmp_type
    all user tmp files

COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), guest(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8)

mgrepl@redhat.com guest guest_selinux(8)