xguest_selinux(8)        xguest SELinux Policy documentation        xguest_selinux(8)

NAME
       xguest_u - Least privileged xwindows user role. - Security Enhanced
       Linux Policy

DESCRIPTION
       xguest_u is an SELinux user defined in the SELinux policy. Every SELinux
       user has a default role; for xguest_u it is xguest_r. The default role
       has a default type, xguest_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

              xguest_u:xguest_r:xguest_t:s0

       Linux users are automatically assigned an SELinux user at login. Login
       programs use the SELinux user to assign the initial context to the
       user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

              semanage login -l

       If you wanted to change the default user mapping to use the xguest_u
       user, you would execute:

              semanage login -m -s xguest_u __default__
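       The login mapping is what decides which SELinux user, and therefore
       which role and type, a login receives, so a change to it is worth
       verifying rather than assumed. The script below is an added example; it
       is not part of this manual page or of the selinux-policy project. It
       reads the column layout that semanage login -l prints, but over a
       constructed sample table (the login name kiosk and every row in it are
       assumptions), reports which logins still resolve to unconfined_u, and
       derives the initial shell context this page describes for an xguest_u
       login.

```shell
#!/bin/sh
# Added example: audit Linux-user -> SELinux-user mappings in the layout
# printed by `semanage login -l`. The table is a CONSTRUCTED sample, not
# output captured from a real host; on a live system substitute the
# command's real output for SAMPLE_LOGIN_MAP.
SAMPLE_LOGIN_MAP='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
kiosk                xguest_u             s0                   *
system_u             system_u             s0-s0:c0.c1023       *'

# selinux_user_for LOGIN -> prints the SELinux user mapped to LOGIN.
# With no explicit row the __default__ row applies, which is how the
# login programs resolve a Linux user that has no mapping of its own.
selinux_user_for() {
    user=$(printf '%s\n' "$SAMPLE_LOGIN_MAP" | awk -v login="$1" '$1 == login { print $2 }')
    if [ -z "$user" ]; then
        user=$(printf '%s\n' "$SAMPLE_LOGIN_MAP" | awk '$1 == "__default__" { print $2 }')
    fi
    printf '%s\n' "$user"
}

# unconfined_logins -> one login name per line for every row whose SELinux
# user is unconfined_u (the header row is skipped); these are the logins
# that the xguest confinement does not apply to.
unconfined_logins() {
    printf '%s\n' "$SAMPLE_LOGIN_MAP" | awk 'NR > 1 && $2 == "unconfined_u" { print $1 }'
}

# expected_context LOGIN -> the initial shell context (user:role:type:level)
# the mapping implies: xguest_u gets the context shown in this man page,
# unconfined_u gets the usual Targeted-policy unconfined context.
expected_context() {
    case $(selinux_user_for "$1") in
        xguest_u)     printf 'xguest_u:xguest_r:xguest_t:s0\n' ;;
        unconfined_u) printf 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n' ;;
        *)            printf 'unknown\n' ;;
    esac
}

# On a live host, mapping a single guest account (instead of __default__)
# and then re-checking it looks like:
#   semanage login -a -s xguest_u kiosk
#   semanage login -l | awk '$1 == "kiosk"'
```

       Running unconfined_logins against real output is the quick way to
       confirm that only the accounts you intend (typically root and
       __default__) escape confinement after a mapping change.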


       The SELinux user xguest_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.

X WINDOWS LOGIN
       The SELinux user xguest_u is able to log in through X Windows.

NETWORK
       The SELinux user xguest_u is able to listen on the following tcp ports.

              32768-61000

              all ports without defined types

       The SELinux user xguest_u is able to connect to the following tcp
       ports.

              53

              8955

              32768-61000

              4331,5001

              all ports < 1024

              all ports without defined types

              8081

              8080,8118,8123,10001-10010

              8036

              9080

              389,636,3268,3269,7389

              631,8610-8614

              111

              88,750,4444

              4713

              3128,3401,4827

              21,989,990

              843,1935

              8000,9433,16001

              80,81,443,488,8008,8009,8443,9000

       The SELinux user xguest_u is able to listen on the following udp ports.

              32768-61000

              all ports without defined types


BOOLEANS
       SELinux policy is customizable based on the least access required.
       xguest policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run xguest with the tightest access
       possible.

       If you want to allow xguest users to configure NetworkManager and
       connect to apache ports, you must turn on the xguest_connect_network
       boolean. Enabled by default.

              setsebool -P xguest_connect_network 1

       If you want to allow xguest users to mount removable media, you must
       turn on the xguest_mount_media boolean. Enabled by default.

              setsebool -P xguest_mount_media 1

       If you want to allow xguest to use Bluetooth devices, you must turn on
       the xguest_use_bluetooth boolean. Enabled by default.

              setsebool -P xguest_use_bluetooth 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

              setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

              setsebool -P deny_execmem 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

              setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

              setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is booted with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

              setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

              setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

              setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

              setsebool -P global_ssp 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

              setsebool -P httpd_enable_cgi 1

       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

              setsebool -P httpd_unified 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

              setsebool -P kerberos_enabled 1

       If you want to allow logging in and using the system from /dev/console,
       you must turn on the login_console_enabled boolean. Enabled by default.

              setsebool -P login_console_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

              setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

              setsebool -P nscd_use_shm 1

       If you want to disallow programs, such as newrole, from transitioning
       to administrative user domains, you must turn on the secure_mode
       boolean. Enabled by default.

              setsebool -P secure_mode 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.

              setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to allow unconfined executables to make their stack
       executable (this should never, ever be necessary; it probably indicates
       a badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla), you must turn on the
       selinuxuser_execstack boolean. Enabled by default.

              setsebool -P selinuxuser_execstack 1

       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Enabled by default.

              setsebool -P selinuxuser_rw_noexattrfile 1

       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

              setsebool -P selinuxuser_use_ssh_chroot 1

       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on
       the ssh_sysadm_login boolean. Disabled by default.

              setsebool -P ssh_sysadm_login 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

              setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

              setsebool -P use_samba_home_dirs 1

       If you want to allow the graphical login program to log in directly as
       sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
       Enabled by default.

              setsebool -P xdm_sysadm_login 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

              setsebool -P xserver_clients_write_xshm 1

       If you want to support the X userspace object manager, you must turn on
       the xserver_object_manager boolean. Enabled by default.

              setsebool -P xserver_object_manager 1
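       Each boolean above is an independent persistent switch, so a host that
       was hardened once can drift as individual booleans are toggled for
       troubleshooting. The script below is an added example; it is not part
       of this manual page or of the selinux-policy project. It compares a
       constructed sample of getsebool -a output against an assumed site
       baseline for an xguest-only kiosk and prints the setsebool -P commands
       that would bring the host back into line. The baseline values are
       illustrative assumptions chosen to minimise what a guest session can
       do, not the policy defaults stated above.

```shell
#!/bin/sh
# Added example: detect boolean drift against a site baseline. Both tables
# below are CONSTRUCTED for offline use; on a live host replace
# SAMPLE_GETSEBOOL with the real output of `getsebool -a`.
SAMPLE_GETSEBOOL='deny_execmem --> on
deny_ptrace --> off
domain_kernel_load_modules --> on
ssh_sysadm_login --> off
xdm_sysadm_login --> on
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on'

# Assumed hardening baseline for a guest kiosk: "boolean wanted-state".
# Ptrace and kernel module loading stay off for every domain, the graphical
# login may not start a sysadm session, and guests get no removable media
# or Bluetooth; network access stays on because the kiosk is a browser.
BASELINE='deny_execmem on
deny_ptrace on
domain_kernel_load_modules off
ssh_sysadm_login off
xdm_sysadm_login off
xguest_connect_network on
xguest_mount_media off
xguest_use_bluetooth off'

# boolean_state NAME -> "on" or "off" as reported by getsebool (empty if
# the boolean is not present in the sample)
boolean_state() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | awk -v b="$1" '$1 == b { print $3 }'
}

# drift_commands -> one `setsebool -P` line per boolean whose current state
# differs from the baseline; no output means the host matches the baseline
drift_commands() {
    printf '%s\n' "$BASELINE" | while read -r name want; do
        have=$(boolean_state "$name")
        if [ "$have" != "$want" ]; then
            case $want in
                on)  value=1 ;;
                off) value=0 ;;
            esac
            printf 'setsebool -P %s %s\n' "$name" "$value"
        fi
    done
}

# is_compliant -> exit status 0 when nothing drifts from the baseline
is_compliant() {
    [ -z "$(drift_commands)" ]
}

# Typical use on a live host: review the proposed commands, then apply them.
#   drift_commands
#   drift_commands | sh
```

       Against the sample data the report lists five corrections, starting
       with turning deny_ptrace back on. Because every line is a plain
       setsebool -P invocation, the report doubles as the change script once
       it has been reviewed.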


HOME_EXEC
       The SELinux user xguest_u is able to execute home content files.

TRANSITIONS
       Three things can happen when xguest_t attempts to execute a program.

       1. SELinux policy can deny xguest_t from executing the program.

       2. SELinux policy can allow xguest_t to execute the program in the
          current user type.

          Execute the following to see the types that xguest_t can execute
          without transitioning:

                 sesearch -A -s xguest_t -c file -p execute_no_trans

       3. SELinux can allow xguest_t to execute the program and transition to
          a new type.

          Execute the following to see the types that xguest_t can execute
          and transition to:

                 sesearch -A -s xguest_t -c process -p transition

MANAGED FILES
       The SELinux process type xguest_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       auth_cache_t
              /var/cache/coolkey(/.*)?

       chrome_sandbox_tmpfs_t

       cifs_t

       gconf_tmp_t
              /tmp/gconfd-[^/]+/.*

       gnome_home_type

       httpd_user_content_t
              /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t
              /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t
              /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t

       httpd_user_script_exec_t
              /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       noxattrfs
              all files on file systems which do not support extended
              attributes

       pulseaudio_tmpfs_t

       pulseaudio_tmpfsfile

       usbfs_t

       user_fonts_cache_t
              /root/.fontconfig(/.*)?
              /root/.fonts/auto(/.*)?
              /root/.fonts.cache-.*
              /home/[^/]+/.fontconfig(/.*)?
              /home/[^/]+/.fonts/auto(/.*)?
              /home/[^/]+/.fonts.cache-.*

       user_home_type
              all user home files

       user_tmp_t
              /dev/shm/mono.*
              /var/run/user(/.*)?
              /tmp/.X11-unix(/.*)?
              /tmp/.ICE-unix(/.*)?
              /dev/shm/pulse-shm.*
              /tmp/.X0-lock
              /tmp/hsperfdata_root
              /var/tmp/hsperfdata_root
              /home/[^/]+/tmp
              /home/[^/]+/.tmp
              /tmp/gconfd-[^/]+

       user_tmp_type
              all user tmp files

       xserver_tmpfs_t

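       The patterns in this table are the file context regular expressions
       that restorecon(8) and matchpathcon apply; several of them overlap
       (every public_html path also matches the generic httpd_user_content_t
       rule), and the lookup resolves that by taking the last matching entry,
       with the more specific rule placed later. The function below is an
       added example; it is not part of this manual page or of libselinux. It
       reimplements that lookup in shell over the httpd_user_* and user_tmp_t
       rules listed above so the interaction of the patterns can be checked
       offline. The generic /home/[^/]+(/.*)? to user_home_t rule is an
       assumption standing in for "all user home files", and the paths used
       for testing are constructed.

```shell
#!/bin/sh
# Added example: a minimal matchpathcon-style lookup over the file context
# rules this man page lists for xguest_t. Rules are "regex type", one per
# line, least specific FIRST, because the lookup returns the LAST match.
# The /home/[^/]+(/.*)? -> user_home_t rule is assumed (the standard home
# directory rule); the others are copied from the table above.
FILE_CONTEXT_RULES='/home/[^/]+(/.*)? user_home_t
/home/[^/]+/tmp user_tmp_t
/home/[^/]+/.tmp user_tmp_t
/home/[^/]+/.fontconfig(/.*)? user_fonts_cache_t
/home/[^/]+/((www)|(web)|(public_html))(/.+)? httpd_user_content_t
/home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess httpd_user_htaccess_t
/home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)? httpd_user_ra_content_t
/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)? httpd_user_script_exec_t'

# label_for PATH -> the type the rules above assign to PATH, or "unlabeled"
# when no rule matches. Each regex must match the whole path (grep -x),
# which is how file_contexts patterns are anchored.
label_for() {
    path=$1
    label=unlabeled
    while read -r regex type; do
        if printf '%s\n' "$path" | grep -Eqx "$regex"; then
            label=$type          # later (more specific) rules override
        fi
    done <<EOF
$FILE_CONTEXT_RULES
EOF
    printf '%s\n' "$label"
}

# On a live host the authoritative answer comes from libselinux; compare
# the two for any path you want to verify (the path is constructed):
#   matchpathcon /home/alice/public_html/cgi-bin/form.cgi
```

       Note how (/.+)? in the httpd_user_content_t rule covers every file
       under public_html, yet .htaccess, logs/ and cgi-bin/ still come out
       with their own more specific types because those rules are consulted
       last; a guest's CGI scripts end up httpd_user_script_exec_t, not
       ordinary content.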

COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), xguest_dbusd_selinux(8),
       xguest_gkeyringd_selinux(8)



mgrepl@redhat.com                       xguest                   xguest_selinux(8)