1guest_selinux(8) guest SELinux Policy documentation guest_selinux(8)
2
3
4
6 guest_u - Least privileged terminal user role. - Security Enhanced
7 Linux Policy
8
9
11 guest_u is an SELinux User defined in the SELinux policy. SELinux users
12 have default roles, guest_r. The default role has a default type,
13 guest_t, associated with it.
14
15 The SELinux user will usually login to a system with a context that
16 looks like:
17
18 guest_u:guest_r:guest_t:s0
19
20 Linux users are automatically assigned an SELinux users at login.
21 Login programs use the SELinux User to assign initial context to the
22 user's shell.
23
24 SELinux policy uses the context to control the user's access.
25
26 By default all users are assigned to the SELinux user via the
27 __default__ flag
28
29 On Targeted policy systems the __default__ user is assigned to the
30 unconfined_u SELinux user.
31
32 You can list all Linux User to SELinux user mapping using:
33
34 semanage login -l
35
36 If you wanted to change the default user mapping to use the guest_u
37 user, you would execute:
38
39 semanage login -m -s guest_u __default__
40
41
42 If you want to map the one Linux user (joe) to the SELinux user guest,
43 you would execute:
44
45 $ semanage login -a -s guest_u joe
46
47
48
50 The SELinux user guest_u is defined in policy as a unprivileged user.
51 SELinux prevents unprivileged users from doing administration tasks
52 without transitioning to a different role.
53
54
57 The SELinux user guest_u is not able to X Windows login.
58
59
61 The SELinux user guest_u is able to listen on the following tcp ports.
62
63 32768-61000
64
65 all ports with out defined types
66
67
68 The SELinux user guest_u is able to connect to the following tcp ports.
69
70 8955
71
72 53,853
73
74 389,636,3268,3269,7389
75
76 111
77
78 all ports < 1024
79
80 32768-61000
81
82 all ports with out defined types
83
84 88,750,4444
85
86 9080
87
88
89 The SELinux user guest_u is able to listen on the following udp ports.
90
91 32768-61000
92
93 all ports with out defined types
94
95
96 The SELinux user guest_u is able to connect to the following tcp ports.
97
98 8955
99
100 53,853
101
102 389,636,3268,3269,7389
103
104 111
105
106 all ports < 1024
107
108 32768-61000
109
110 all ports with out defined types
111
112 88,750,4444
113
114 9080
115
116
118 SELinux policy is customizable based on least access required. guest
119 policy is extremely flexible and has several booleans that allow you to
120 manipulate the policy and run guest with the tightest access possible.
121
122
123
124 If you want to allow users to resolve user passwd entries directly from
125 ldap rather then using a sssd server, you must turn on the authlo‐
126 gin_nsswitch_use_ldap boolean. Disabled by default.
127
128 setsebool -P authlogin_nsswitch_use_ldap 1
129
130
131
132 If you want to deny user domains applications to map a memory region as
133 both executable and writable, this is dangerous and the executable
134 should be reported in bugzilla, you must turn on the deny_execmem bool‐
135 ean. Enabled by default.
136
137 setsebool -P deny_execmem 1
138
139
140
141 If you want to allow all domains to execute in fips_mode, you must turn
142 on the fips_mode boolean. Enabled by default.
143
144 setsebool -P fips_mode 1
145
146
147
148 If you want to allow httpd cgi support, you must turn on the
149 httpd_enable_cgi boolean. Enabled by default.
150
151 setsebool -P httpd_enable_cgi 1
152
153
154
155 If you want to allow confined applications to run with kerberos, you
156 must turn on the kerberos_enabled boolean. Enabled by default.
157
158 setsebool -P kerberos_enabled 1
159
160
161
162 If you want to allow system to run with NIS, you must turn on the
163 nis_enabled boolean. Disabled by default.
164
165 setsebool -P nis_enabled 1
166
167
168
169 If you want to allow confined applications to use nscd shared memory,
170 you must turn on the nscd_use_shm boolean. Enabled by default.
171
172 setsebool -P nscd_use_shm 1
173
174
175
176 If you want to allow unconfined executables to make their stack exe‐
177 cutable. This should never, ever be necessary. Probably indicates a
178 badly coded executable, but could indicate an attack. This executable
179 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
180 stack boolean. Enabled by default.
181
182 setsebool -P selinuxuser_execstack 1
183
184
185
186 If you want to allow user to use ssh chroot environment, you must turn
187 on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
188
189 setsebool -P selinuxuser_use_ssh_chroot 1
190
191
192
193 If you want to support NFS home directories, you must turn on the
194 use_nfs_home_dirs boolean. Disabled by default.
195
196 setsebool -P use_nfs_home_dirs 1
197
198
199
200 If you want to support SAMBA home directories, you must turn on the
201 use_samba_home_dirs boolean. Disabled by default.
202
203 setsebool -P use_samba_home_dirs 1
204
205
206
208 The SELinux user guest_u is able execute home content files.
209
210
212 Three things can happen when guest_t attempts to execute a program.
213
214 1. SELinux Policy can deny guest_t from executing the program.
215
216
217
218 2. SELinux Policy can allow guest_t to execute the program in the cur‐
219 rent user type.
220
221 Execute the following to see the types that the SELinux user
222 guest_t can execute without transitioning:
223
224 sesearch -A -s guest_t -c file -p execute_no_trans
225
226
227
228 3. SELinux can allow guest_t to execute the program and transition to a
229 new type.
230
231 Execute the following to see the types that the SELinux user
232 guest_t can execute and transition:
233
234 $ sesearch -A -s guest_t -c process -p transition
235
236
237
239 The SELinux process type guest_t can manage files labeled with the fol‐
240 lowing file types. The paths listed are the default paths for these
241 file types. Note the processes UID still need to have DAC permissions.
242
243 alsa_home_t
244
245 /home/[^/]+/.asoundrc
246
247 anon_inodefs_t
248
249
250 auth_cache_t
251
252 /var/cache/coolkey(/.*)?
253
254 cifs_t
255
256
257 httpd_user_content_t
258
259 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
260
261 httpd_user_htaccess_t
262
263 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
264
265 httpd_user_ra_content_t
266
267 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
268
269 httpd_user_rw_content_t
270
271
272 httpd_user_script_exec_t
273
274 /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
275
276 nfs_t
277
278
279 user_home_type
280
281 all user home files
282
283 user_tmp_type
284
285 all user tmp files
286
287
289 semanage fcontext can also be used to manipulate default file context
290 mappings.
291
292 semanage permissive can also be used to manipulate whether or not a
293 process type is permissive.
294
295 semanage module can also be used to enable/disable/install/remove pol‐
296 icy modules.
297
298 semanage boolean can also be used to manipulate the booleans
299
300
301 system-config-selinux is a GUI tool available to customize SELinux pol‐
302 icy settings.
303
304
306 This manual page was auto-generated using sepolicy manpage .
307
308
310 selinux(8), guest(8), semanage(8), restorecon(8), chcon(1), sepol‐
311 icy(8), setsebool(8)
312
313
314
315mgrepl@redhat.com guest guest_selinux(8)