1guest_selinux(8)      guest SELinux Policy documentation      guest_selinux(8)
2
3
4

NAME

6       guest_u  -  Least  privileged  terminal  user role. - Security Enhanced
7       Linux Policy
8
9

DESCRIPTION

11       guest_u is an SELinux User defined in the SELinux policy. SELinux users
12       have  default  roles,  guest_r.   The  default role has a default type,
13       guest_t, associated with it.
14
15       The SELinux user will usually login to a system  with  a  context  that
16       looks like:
17
18       guest_u:guest_r:guest_t:s0
19
20       Linux  users  are  automatically  assigned  an  SELinux users at login.
21       Login programs use the SELinux User to assign initial  context  to  the
22       user's shell.
23
24       SELinux policy uses the context to control the user's access.
25
26       By  default  all  users  are  assigned  to  the  SELinux  user  via the
27       __default__ flag
28
29       On Targeted policy systems the __default__  user  is  assigned  to  the
30       unconfined_u SELinux user.
31
32       You can list all Linux User to SELinux user mapping using:
33
34       semanage login -l
35
36       If  you  wanted  to  change the default user mapping to use the guest_u
37       user, you would execute:
38
39       semanage login -m -s guest_u __default__
40
41
42       If you want to map the one Linux user (joe) to the SELinux user  guest,
43       you would execute:
44
45       $ semanage login -a -s guest_u joe
46
47
48

USER DESCRIPTION

50       The  SELinux  user guest_u is defined in policy as a unprivileged user.
51       SELinux prevents unprivileged users  from  doing  administration  tasks
52       without transitioning to a different role.
53
54

SUDO

X WINDOWS LOGIN
57       The SELinux user guest_u is not able to X Windows login.
58
59

NETWORK
61       The SELinux user guest_u is able to listen on the following tcp ports.
62
63              32768-60999
64
65              all ports with out defined types
66
67
68       The SELinux user guest_u is able to connect to the following tcp ports.
69
70              8955
71
72              53,853
73
74              9080
75
76              88,750,4444
77
78              389,636,3268,3269,7389
79
80              32768-60999
81
82              all ports with out defined types
83
84              111
85
86              all ports < 1024
87
88
89       The SELinux user guest_u is able to listen on the following udp ports.
90
91              32768-60999
92
93              all ports with out defined types
94
95
96       The SELinux user guest_u is able to connect to the following tcp ports.
97
98              8955
99
100              53,853
101
102              9080
103
104              88,750,4444
105
106              389,636,3268,3269,7389
107
108              32768-60999
109
110              all ports with out defined types
111
112              111
113
114              all ports < 1024
115
116

BOOLEANS
118       SELinux  policy  is customizable based on least access required.  guest
119       policy is extremely flexible and has several booleans that allow you to
120       manipulate the policy and run guest with the tightest access possible.
121
122
123
124       If you want to allow users to resolve user passwd entries directly from
125       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
126       gin_nsswitch_use_ldap boolean. Disabled by default.
127
128       setsebool -P authlogin_nsswitch_use_ldap 1
129
130
131
132       If you want to deny user domains applications to map a memory region as
133       both executable and writable, this  is  dangerous  and  the  executable
134       should be reported in bugzilla, you must turn on the deny_execmem bool‐
135       ean. Enabled by default.
136
137       setsebool -P deny_execmem 1
138
139
140
141       If you want to allow all domains to execute in fips_mode, you must turn
142       on the fips_mode boolean. Enabled by default.
143
144       setsebool -P fips_mode 1
145
146
147
148       If  you  want  to  allow  httpd  cgi  support,  you  must  turn  on the
149       httpd_enable_cgi boolean. Enabled by default.
150
151       setsebool -P httpd_enable_cgi 1
152
153
154
155       If you want to allow confined applications to run  with  kerberos,  you
156       must turn on the kerberos_enabled boolean. Enabled by default.
157
158       setsebool -P kerberos_enabled 1
159
160
161
162       If  you  want  to  allow  system  to run with NIS, you must turn on the
163       nis_enabled boolean. Disabled by default.
164
165       setsebool -P nis_enabled 1
166
167
168
169       If you want to allow confined applications to use nscd  shared  memory,
170       you must turn on the nscd_use_shm boolean. Disabled by default.
171
172       setsebool -P nscd_use_shm 1
173
174
175
176       If  you  want  to allow unconfined executables to make their stack exe‐
177       cutable.  This should never, ever be necessary.  Probably  indicates  a
178       badly  coded  executable, but could indicate an attack. This executable
179       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
180       stack boolean. Enabled by default.
181
182       setsebool -P selinuxuser_execstack 1
183
184
185
186       If you want to allow user  to use ssh chroot environment, you must turn
187       on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
188
189       setsebool -P selinuxuser_use_ssh_chroot 1
190
191
192
193       If you want to support NFS home  directories,  you  must  turn  on  the
194       use_nfs_home_dirs boolean. Disabled by default.
195
196       setsebool -P use_nfs_home_dirs 1
197
198
199
200       If  you  want  to  support SAMBA home directories, you must turn on the
201       use_samba_home_dirs boolean. Disabled by default.
202
203       setsebool -P use_samba_home_dirs 1
204
205
206

HOME_EXEC
208       The SELinux user guest_u is able execute home content files.
209
210

TRANSITIONS
212       Three things can happen when guest_t attempts to execute a program.
213
214       1. SELinux Policy can deny guest_t from executing the program.
215
216
217
218       2. SELinux Policy can allow guest_t to execute the program in the  cur‐
219       rent user type.
220
221              Execute  the  following  to  see the types that the SELinux user
222              guest_t can execute without transitioning:
223
224              sesearch -A -s guest_t -c file -p execute_no_trans
225
226
227
228       3. SELinux can allow guest_t to execute the program and transition to a
229       new type.
230
231              Execute  the  following  to  see the types that the SELinux user
232              guest_t can execute and transition:
233
234              $ sesearch -A -s guest_t -c process -p transition
235
236
237

MANAGED FILES
239       The SELinux process type guest_t can manage files labeled with the fol‐
240       lowing  file  types.   The paths listed are the default paths for these
241       file types.  Note the processes UID still need to have DAC permissions.
242
243       alsa_home_t
244
245            /home/[^/]+/.asoundrc
246
247       anon_inodefs_t
248
249
250       auth_cache_t
251
252            /var/cache/coolkey(/.*)?
253
254       cifs_t
255
256
257       httpd_user_content_t
258
259            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
260
261       httpd_user_htaccess_t
262
263            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
264
265       httpd_user_ra_content_t
266
267            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
268
269       httpd_user_rw_content_t
270
271
272       httpd_user_script_exec_t
273
274            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
275
276       nfs_t
277
278
279       user_home_type
280
281            all user home files
282
283       user_tmp_type
284
285            all user tmp files
286
287

COMMANDS
289       semanage fcontext can also be used to manipulate default  file  context
290       mappings.
291
292       semanage  permissive  can  also  be used to manipulate whether or not a
293       process type is permissive.
294
295       semanage module can also be used to enable/disable/install/remove  pol‐
296       icy modules.
297
298       semanage boolean can also be used to manipulate the booleans
299
300
301       system-config-selinux is a GUI tool available to customize SELinux pol‐
302       icy settings.
303
304

AUTHOR
306       This manual page was auto-generated using sepolicy manpage .
307
308

SEE ALSO
310       selinux(8),  guest(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
311       icy(8), setsebool(8)
312
313
314
315mgrepl@redhat.com                    guest                    guest_selinux(8)



        

    


            
        

        

            Impressum