xguest_selinux(8)

1xguest_selinux(8)     xguest SELinux Policy documentation    xguest_selinux(8)
2
3
4

NAME

6       xguest_u  -  Least  privileged  xwindows user role. - Security Enhanced
7       Linux Policy
8
9

DESCRIPTION

11       xguest_u is an SELinux User defined  in  the  SELinux  policy.  SELinux
12       users  have  default  roles,  xguest_r.  The default role has a default
13       type, xguest_t, associated with it.
14
15       The SELinux user will usually login to a system  with  a  context  that
16       looks like:
17
18       xguest_u:xguest_r:xguest_t:s0
19
20       Linux  users  are  automatically  assigned  an  SELinux users at login.
21       Login programs use the SELinux User to assign initial  context  to  the
22       user's shell.
23
24       SELinux policy uses the context to control the user's access.
25
26       By  default  all  users  are  assigned  to  the  SELinux  user  via the
27       __default__ flag
28
29       On Targeted policy systems the __default__  user  is  assigned  to  the
30       unconfined_u SELinux user.
31
32       You can list all Linux User to SELinux user mapping using:
33
34       semanage login -l
35
36       If  you  wanted  to change the default user mapping to use the xguest_u
37       user, you would execute:
38
39       semanage login -m -s xguest_u __default__
40
41
42

USER DESCRIPTION

44       The SELinux user xguest_u is defined in policy as a unprivileged  user.
45       SELinux  prevents  unprivileged  users  from doing administration tasks
46       without transitioning to a different role.
47
48

SUDO

X WINDOWS LOGIN

51       The SELinux user xguest_u is able to X Windows login.
52
53

NETWORK

55       The SELinux user xguest_u is able to listen on the following tcp ports.
56
57              32768-61000
58
59              all ports with out defined types
60
61
62       The SELinux user xguest_u is able  to  connect  to  the  following  tcp
63       ports.
64
65              53
66
67              8955
68
69              32768-61000
70
71              4331,5001
72
73              all ports < 1024
74
75              all ports with out defined types
76
77              8081
78
79              8080,8118,8123,10001-10010
80
81              8036
82
83              9080
84
85              389,636,3268,3269,7389
86
87              631,8610-8614
88
89              111
90
91              88,750,4444
92
93              4713
94
95              3128,3401,4827
96
97              21,989,990
98
99              843,1935
100
101              8000,9433,16001
102
103              80,81,443,488,8008,8009,8443,9000
104
105
106       The SELinux user xguest_u is able to listen on the following udp ports.
107
108              32768-61000
109
110              all ports with out defined types
111
112
113       The  SELinux  user  xguest_u  is  able  to connect to the following tcp
114       ports.
115
116              53
117
118              8955
119
120              32768-61000
121
122              4331,5001
123
124              all ports < 1024
125
126              all ports with out defined types
127
128              8081
129
130              8080,8118,8123,10001-10010
131
132              8036
133
134              9080
135
136              389,636,3268,3269,7389
137
138              631,8610-8614
139
140              111
141
142              88,750,4444
143
144              4713
145
146              3128,3401,4827
147
148              21,989,990
149
150              843,1935
151
152              8000,9433,16001
153
154              80,81,443,488,8008,8009,8443,9000
155
156

BOOLEANS

158       SELinux policy is customizable based on least access required.   xguest
159       policy is extremely flexible and has several booleans that allow you to
160       manipulate the policy and run xguest with the tightest access possible.
161
162
163
164       If you want to allow xguest users to configure Network Manager and con‐
165       nect to apache ports, you must turn on the xguest_connect_network bool‐
166       ean. Enabled by default.
167
168       setsebool -P xguest_connect_network 1
169
170
171
172       If you want to allow xguest users to mount removable  media,  you  must
173       turn on the xguest_mount_media boolean. Enabled by default.
174
175       setsebool -P xguest_mount_media 1
176
177
178
179       If you want to allow xguest to use blue tooth devices, you must turn on
180       the xguest_use_bluetooth boolean. Enabled by default.
181
182       setsebool -P xguest_use_bluetooth 1
183
184
185
186       If you want to allow users to resolve user passwd entries directly from
187       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
188       gin_nsswitch_use_ldap boolean. Disabled by default.
189
190       setsebool -P authlogin_nsswitch_use_ldap 1
191
192
193
194       If you want to deny user domains applications to map a memory region as
195       both  executable  and  writable,  this  is dangerous and the executable
196       should be reported in bugzilla, you must turn on the deny_execmem bool‐
197       ean. Enabled by default.
198
199       setsebool -P deny_execmem 1
200
201
202
203       If  you  want  to deny any process from ptracing or debugging any other
204       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
205       default.
206
207       setsebool -P deny_ptrace 1
208
209
210
211       If  you  want  to  allow  any  process  to mmap any file on system with
212       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
213       ean. Enabled by default.
214
215       setsebool -P domain_can_mmap_files 1
216
217
218
219       If  you want to allow all domains write to kmsg_device, while kernel is
220       executed with systemd.log_target=kmsg parameter, you must turn  on  the
221       domain_can_write_kmsg boolean. Disabled by default.
222
223       setsebool -P domain_can_write_kmsg 1
224
225
226
227       If you want to allow all domains to use other domains file descriptors,
228       you must turn on the domain_fd_use boolean. Enabled by default.
229
230       setsebool -P domain_fd_use 1
231
232
233
234       If you want to allow all domains to have the kernel load  modules,  you
235       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
236       default.
237
238       setsebool -P domain_kernel_load_modules 1
239
240
241
242       If you want to allow all domains to execute in fips_mode, you must turn
243       on the fips_mode boolean. Enabled by default.
244
245       setsebool -P fips_mode 1
246
247
248
249       If you want to enable reading of urandom for all domains, you must turn
250       on the global_ssp boolean. Disabled by default.
251
252       setsebool -P global_ssp 1
253
254
255
256       If you  want  to  allow  httpd  cgi  support,  you  must  turn  on  the
257       httpd_enable_cgi boolean. Enabled by default.
258
259       setsebool -P httpd_enable_cgi 1
260
261
262
263       If you want to unify HTTPD handling of all content files, you must turn
264       on the httpd_unified boolean. Disabled by default.
265
266       setsebool -P httpd_unified 1
267
268
269
270       If you want to allow confined applications to run  with  kerberos,  you
271       must turn on the kerberos_enabled boolean. Enabled by default.
272
273       setsebool -P kerberos_enabled 1
274
275
276
277       If you want to allow logging in and using the system from /dev/console,
278       you must turn on the login_console_enabled boolean. Enabled by default.
279
280       setsebool -P login_console_enabled 1
281
282
283
284       If you want to allow system to run with  NIS,  you  must  turn  on  the
285       nis_enabled boolean. Disabled by default.
286
287       setsebool -P nis_enabled 1
288
289
290
291       If  you  want to allow confined applications to use nscd shared memory,
292       you must turn on the nscd_use_shm boolean. Enabled by default.
293
294       setsebool -P nscd_use_shm 1
295
296
297
298       If you want to disallow programs, such as newrole,  from  transitioning
299       to  administrative user domains, you must turn on the secure_mode bool‐
300       ean. Enabled by default.
301
302       setsebool -P secure_mode 1
303
304
305
306       If you want to allow regular users direct dri device access,  you  must
307       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
308
309       setsebool -P selinuxuser_direct_dri_enabled 1
310
311
312
313       If  you  want  to allow unconfined executables to make their stack exe‐
314       cutable.  This should never, ever be necessary.  Probably  indicates  a
315       badly  coded  executable, but could indicate an attack. This executable
316       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
317       stack boolean. Enabled by default.
318
319       setsebool -P selinuxuser_execstack 1
320
321
322
323       If  you want to allow user to r/w files on filesystems that do not have
324       extended attributes (FAT, CDROM, FLOPPY), you must turn on  the  selin‐
325       uxuser_rw_noexattrfile boolean. Enabled by default.
326
327       setsebool -P selinuxuser_rw_noexattrfile 1
328
329
330
331       If you want to allow user  to use ssh chroot environment, you must turn
332       on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
333
334       setsebool -P selinuxuser_use_ssh_chroot 1
335
336
337
338       If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn  on
339       the ssh_sysadm_login boolean. Disabled by default.
340
341       setsebool -P ssh_sysadm_login 1
342
343
344
345       If  you  want  to  support  NFS  home directories, you must turn on the
346       use_nfs_home_dirs boolean. Disabled by default.
347
348       setsebool -P use_nfs_home_dirs 1
349
350
351
352       If you want to support SAMBA home directories, you  must  turn  on  the
353       use_samba_home_dirs boolean. Disabled by default.
354
355       setsebool -P use_samba_home_dirs 1
356
357
358
359       If  you  want to allow the graphical login program to login directly as
360       sysadm_r:sysadm_t, you  must  turn  on  the  xdm_sysadm_login  boolean.
361       Enabled by default.
362
363       setsebool -P xdm_sysadm_login 1
364
365
366
367       If  you  want  to allows clients to write to the X server shared memory
368       segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
369       abled by default.
370
371       setsebool -P xserver_clients_write_xshm 1
372
373
374
375       If you want to support X userspace object manager, you must turn on the
376       xserver_object_manager boolean. Enabled by default.
377
378       setsebool -P xserver_object_manager 1
379
380
381

HOME_EXEC

383       The SELinux user xguest_u is able execute home content files.
384
385

TRANSITIONS

387       Three things can happen when xguest_t attempts to execute a program.
388
389       1. SELinux Policy can deny xguest_t from executing the program.
390
391
392
393       2. SELinux Policy can allow xguest_t to execute the program in the cur‐
394       rent user type.
395
396              Execute  the  following  to  see the types that the SELinux user
397              xguest_t can execute without transitioning:
398
399              sesearch -A -s xguest_t -c file -p execute_no_trans
400
401
402
403       3. SELinux can allow xguest_t to execute the program and transition  to
404       a new type.
405
406              Execute  the  following  to  see the types that the SELinux user
407              xguest_t can execute and transition:
408
409              $ sesearch -A -s xguest_t -c process -p transition
410
411
412

MANAGED FILES

414       The SELinux process type xguest_t can manage  files  labeled  with  the
415       following file types.  The paths listed are the default paths for these
416       file types.  Note the processes UID still need to have DAC permissions.
417
418       anon_inodefs_t
419
420
421       auth_cache_t
422
423            /var/cache/coolkey(/.*)?
424
425       chrome_sandbox_tmpfs_t
426
427
428       cifs_t
429
430
431       gconf_tmp_t
432
433            /tmp/gconfd-[^/]+/.*
434
435       gnome_home_type
436
437
438       httpd_user_content_t
439
440            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
441
442       httpd_user_htaccess_t
443
444            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
445
446       httpd_user_ra_content_t
447
448            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
449
450       httpd_user_rw_content_t
451
452
453       httpd_user_script_exec_t
454
455            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
456
457       noxattrfs
458
459            all files on file systems which do not support extended attributes
460
461       pulseaudio_tmpfs_t
462
463
464       pulseaudio_tmpfsfile
465
466
467       usbfs_t
468
469
470       user_fonts_cache_t
471
472            /root/.fontconfig(/.*)?
473            /root/.fonts/auto(/.*)?
474            /root/.fonts.cache-.*
475            /home/[^/]+/.fontconfig(/.*)?
476            /home/[^/]+/.fonts/auto(/.*)?
477            /home/[^/]+/.fonts.cache-.*
478
479       user_home_type
480
481            all user home files
482
483       user_tmp_t
484
485            /dev/shm/mono.*
486            /var/run/user(/.*)?
487            /tmp/.X11-unix(/.*)?
488            /tmp/.ICE-unix(/.*)?
489            /dev/shm/pulse-shm.*
490            /tmp/.X0-lock
491            /tmp/hsperfdata_root
492            /var/tmp/hsperfdata_root
493            /home/[^/]+/tmp
494            /home/[^/]+/.tmp
495            /tmp/gconfd-[^/]+
496
497       user_tmp_type
498
499            all user tmp files
500
501       xserver_tmpfs_t
502
503
504

COMMANDS

506       semanage fcontext can also be used to manipulate default  file  context
507       mappings.
508
509       semanage  permissive  can  also  be used to manipulate whether or not a
510       process type is permissive.
511
512       semanage module can also be used to enable/disable/install/remove  pol‐
513       icy modules.
514
515       semanage boolean can also be used to manipulate the booleans
516
517
518       system-config-selinux is a GUI tool available to customize SELinux pol‐
519       icy settings.
520
521

AUTHOR

523       This manual page was auto-generated using sepolicy manpage .
524
525