1xguest_selinux(8) xguest SELinux Policy documentation xguest_selinux(8)
2
3
4
6 xguest_u - Least privileged xwindows user role. - Security Enhanced
7 Linux Policy
8
9
11 xguest_u is an SELinux User defined in the SELinux policy. SELinux
12 users have default roles, xguest_r. The default role has a default
13 type, xguest_t, associated with it.
14
15 The SELinux user will usually login to a system with a context that
16 looks like:
17
18 xguest_u:xguest_r:xguest_t:s0
19
20 Linux users are automatically assigned an SELinux users at login.
21 Login programs use the SELinux User to assign initial context to the
22 user's shell.
23
24 SELinux policy uses the context to control the user's access.
25
26 By default all users are assigned to the SELinux user via the
27 __default__ flag
28
29 On Targeted policy systems the __default__ user is assigned to the
30 unconfined_u SELinux user.
31
32 You can list all Linux User to SELinux user mapping using:
33
34 semanage login -l
35
36 If you wanted to change the default user mapping to use the xguest_u
37 user, you would execute:
38
39 semanage login -m -s xguest_u __default__
40
41
42 If you want to map the one Linux user (joe) to the SELinux user xguest,
43 you would execute:
44
45 $ semanage login -a -s xguest_u joe
46
47
48
50 The SELinux user xguest_u is defined in policy as a unprivileged user.
51 SELinux prevents unprivileged users from doing administration tasks
52 without transitioning to a different role.
53
54
57 The SELinux user xguest_u is able to X Windows login.
58
59
61 The SELinux user xguest_u is able to listen on the following tcp ports.
62
63 32768-61000
64
65 all ports with out defined types
66
67
68 The SELinux user xguest_u is able to connect to the following tcp
69 ports.
70
71 8955
72
73 53,853
74
75 4713
76
77 4331,5001
78
79 80,81,443,488,8008,8009,8443,9000
80
81 8080,8118,8123,10001-10010
82
83 3128,3401,4827
84
85 843,1935
86
87 21,989,990
88
89 631,8610-8614
90
91 32768-61000
92
93 all ports with out defined types
94
95 8000,9433,16001
96
97 8036
98
99 8081
100
101 389,636,3268,3269,7389
102
103 111
104
105 all ports < 1024
106
107 88,750,4444
108
109 9080
110
111
112 The SELinux user xguest_u is able to listen on the following udp ports.
113
114 32768-61000
115
116 all ports with out defined types
117
118
119 The SELinux user xguest_u is able to connect to the following tcp
120 ports.
121
122 8955
123
124 53,853
125
126 4713
127
128 4331,5001
129
130 80,81,443,488,8008,8009,8443,9000
131
132 8080,8118,8123,10001-10010
133
134 3128,3401,4827
135
136 843,1935
137
138 21,989,990
139
140 631,8610-8614
141
142 32768-61000
143
144 all ports with out defined types
145
146 8000,9433,16001
147
148 8036
149
150 8081
151
152 389,636,3268,3269,7389
153
154 111
155
156 all ports < 1024
157
158 88,750,4444
159
160 9080
161
162
164 SELinux policy is customizable based on least access required. xguest
165 policy is extremely flexible and has several booleans that allow you to
166 manipulate the policy and run xguest with the tightest access possible.
167
168
169
170 If you want to allow xguest users to configure Network Manager and con‐
171 nect to apache ports, you must turn on the xguest_connect_network bool‐
172 ean. Enabled by default.
173
174 setsebool -P xguest_connect_network 1
175
176
177
178 If you want to allow xguest users to mount removable media, you must
179 turn on the xguest_mount_media boolean. Enabled by default.
180
181 setsebool -P xguest_mount_media 1
182
183
184
185 If you want to allow xguest to use blue tooth devices, you must turn on
186 the xguest_use_bluetooth boolean. Enabled by default.
187
188 setsebool -P xguest_use_bluetooth 1
189
190
191
192 If you want to allow users to resolve user passwd entries directly from
193 ldap rather then using a sssd server, you must turn on the authlo‐
194 gin_nsswitch_use_ldap boolean. Disabled by default.
195
196 setsebool -P authlogin_nsswitch_use_ldap 1
197
198
199
200 If you want to deny user domains applications to map a memory region as
201 both executable and writable, this is dangerous and the executable
202 should be reported in bugzilla, you must turn on the deny_execmem bool‐
203 ean. Enabled by default.
204
205 setsebool -P deny_execmem 1
206
207
208
209 If you want to deny any process from ptracing or debugging any other
210 processes, you must turn on the deny_ptrace boolean. Enabled by
211 default.
212
213 setsebool -P deny_ptrace 1
214
215
216
217 If you want to allow all domains to execute in fips_mode, you must turn
218 on the fips_mode boolean. Enabled by default.
219
220 setsebool -P fips_mode 1
221
222
223
224 If you want to allow httpd cgi support, you must turn on the
225 httpd_enable_cgi boolean. Enabled by default.
226
227 setsebool -P httpd_enable_cgi 1
228
229
230
231 If you want to allow confined applications to run with kerberos, you
232 must turn on the kerberos_enabled boolean. Enabled by default.
233
234 setsebool -P kerberos_enabled 1
235
236
237
238 If you want to allow system to run with NIS, you must turn on the
239 nis_enabled boolean. Disabled by default.
240
241 setsebool -P nis_enabled 1
242
243
244
245 If you want to allow confined applications to use nscd shared memory,
246 you must turn on the nscd_use_shm boolean. Enabled by default.
247
248 setsebool -P nscd_use_shm 1
249
250
251
252 If you want to allow unconfined executables to make their stack exe‐
253 cutable. This should never, ever be necessary. Probably indicates a
254 badly coded executable, but could indicate an attack. This executable
255 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
256 stack boolean. Enabled by default.
257
258 setsebool -P selinuxuser_execstack 1
259
260
261
262 If you want to allow user to r/w files on filesystems that do not have
263 extended attributes (FAT, CDROM, FLOPPY), you must turn on the selin‐
264 uxuser_rw_noexattrfile boolean. Enabled by default.
265
266 setsebool -P selinuxuser_rw_noexattrfile 1
267
268
269
270 If you want to allow user to use ssh chroot environment, you must turn
271 on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
272
273 setsebool -P selinuxuser_use_ssh_chroot 1
274
275
276
277 If you want to support NFS home directories, you must turn on the
278 use_nfs_home_dirs boolean. Disabled by default.
279
280 setsebool -P use_nfs_home_dirs 1
281
282
283
284 If you want to support SAMBA home directories, you must turn on the
285 use_samba_home_dirs boolean. Disabled by default.
286
287 setsebool -P use_samba_home_dirs 1
288
289
290
292 The SELinux user xguest_u is able execute home content files.
293
294
296 Three things can happen when xguest_t attempts to execute a program.
297
298 1. SELinux Policy can deny xguest_t from executing the program.
299
300
301
302 2. SELinux Policy can allow xguest_t to execute the program in the cur‐
303 rent user type.
304
305 Execute the following to see the types that the SELinux user
306 xguest_t can execute without transitioning:
307
308 sesearch -A -s xguest_t -c file -p execute_no_trans
309
310
311
312 3. SELinux can allow xguest_t to execute the program and transition to
313 a new type.
314
315 Execute the following to see the types that the SELinux user
316 xguest_t can execute and transition:
317
318 $ sesearch -A -s xguest_t -c process -p transition
319
320
321
323 The SELinux process type xguest_t can manage files labeled with the
324 following file types. The paths listed are the default paths for these
325 file types. Note the processes UID still need to have DAC permissions.
326
327 alsa_home_t
328
329 /home/[^/]+/.asoundrc
330
331 anon_inodefs_t
332
333
334 auth_cache_t
335
336 /var/cache/coolkey(/.*)?
337
338 chrome_sandbox_tmpfs_t
339
340
341 cifs_t
342
343
344 dosfs_t
345
346
347 gconf_tmp_t
348
349 /tmp/gconfd-[^/]+/.*
350
351 gkeyringd_tmp_t
352
353 /var/run/user/[^/]*/keyring.*
354
355 gnome_home_type
356
357
358 httpd_user_content_t
359
360 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
361
362 httpd_user_htaccess_t
363
364 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
365
366 httpd_user_ra_content_t
367
368 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
369
370 httpd_user_rw_content_t
371
372
373 httpd_user_script_exec_t
374
375 /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
376
377 nfs_t
378
379
380 noxattrfs
381
382 all files on file systems which do not support extended attributes
383
384 pulseaudio_tmpfs_t
385
386
387 pulseaudio_tmpfsfile
388
389
390 usbfs_t
391
392
393 user_fonts_cache_t
394
395 /root/.fontconfig(/.*)?
396 /root/.fonts/auto(/.*)?
397 /root/.fonts.cache-.*
398 /home/[^/]+/.fontconfig(/.*)?
399 /home/[^/]+/.fonts/auto(/.*)?
400 /home/[^/]+/.fonts.cache-.*
401
402 user_home_type
403
404 all user home files
405
406 user_tmp_t
407
408 /dev/shm/mono.*
409 /var/run/user(/.*)?
410 /tmp/.ICE-unix(/.*)?
411 /tmp/.X11-unix(/.*)?
412 /dev/shm/pulse-shm.*
413 /tmp/.X0-lock
414 /tmp/hsperfdata_root
415 /var/tmp/hsperfdata_root
416 /home/[^/]+/tmp
417 /home/[^/]+/.tmp
418 /tmp/gconfd-[^/]+
419
420 user_tmp_type
421
422 all user tmp files
423
424 xserver_tmpfs_t
425
426
427
429 semanage fcontext can also be used to manipulate default file context
430 mappings.
431
432 semanage permissive can also be used to manipulate whether or not a
433 process type is permissive.
434
435 semanage module can also be used to enable/disable/install/remove pol‐
436 icy modules.
437
438 semanage boolean can also be used to manipulate the booleans
439
440
441 system-config-selinux is a GUI tool available to customize SELinux pol‐
442 icy settings.
443
444
446 This manual page was auto-generated using sepolicy manpage .
447
448
450 selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1), sepol‐
451 icy(8), setsebool(8), xguest_dbusd_selinux(8), xguest_dbusd_selinux(8),
452 xguest_gkeyringd_selinux(8), xguest_gkeyringd_selinux(8)
453
454
455
456mgrepl@redhat.com xguest xguest_selinux(8)