guest_selinux(8)          guest SELinux Policy documentation          guest_selinux(8)
2
3
4
NAME
       guest_u - Least privileged terminal user role. - Security Enhanced
       Linux Policy
8
9
DESCRIPTION
       guest_u is an SELinux user defined in the SELinux policy. SELinux users
       have a default role, guest_r. The default role has a default type,
       guest_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

              guest_u:guest_r:guest_t:s0

       Linux users are automatically assigned an SELinux user at login. Login
       programs use the SELinux user to assign the initial context to the
       user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

              semanage login -l

       If you wanted to change the default user mapping to use the guest_u
       user, you would execute:

              semanage login -m -s guest_u __default__

       If you want to map one Linux user (joe) to the SELinux user guest_u,
       you would execute:

              semanage login -a -s guest_u joe
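As an added example, not part of the generated manual page: the shell functions below read the listing that `semanage login -l` prints and answer the two questions a reviewer of login mappings asks, which SELinux user a given login ends up with, and which logins currently land in guest_u. The listing is a constructed sample in the column layout semanage prints; the functions assume that layout, and they do not model group entries (`%group`) or the precedence semanage applies between them.

```shell
# Audit helpers for `semanage login -l` output (added example, not from the page).
# Constructed sample in the layout semanage prints; not captured from a real host.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  guest_u              s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *'

# seuser_for_login LOGIN: read the listing on stdin and print the SELinux user
# LOGIN is explicitly mapped to; prints nothing when there is no explicit entry.
seuser_for_login() {
    awk -v login="$1" 'NF >= 2 && $1 == login { print $2 }'
}

# logins_for_seuser SEUSER: read the listing on stdin and print every login
# (including __default__) mapped to SEUSER, one per line. The header row is
# skipped by its first word.
logins_for_seuser() {
    awk -v seuser="$1" 'NF >= 2 && $1 != "Login" && $2 == seuser { print $1 }'
}

# effective_seuser LOGIN: the SELinux user a login program would assign: the
# explicit entry when present, otherwise the __default__ entry. Group entries
# (%group) and their precedence are not modelled (assumption of this example).
effective_seuser() {
    listing=$(cat)
    found=$(printf '%s\n' "$listing" | seuser_for_login "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
    else
        printf '%s\n' "$listing" | seuser_for_login __default__
    fi
}

# On a live system:  semanage login -l | effective_seuser joe
# Against the constructed sample:
printf '%s\n' "$SAMPLE_LOGINS" | effective_seuser joe       # guest_u
printf '%s\n' "$SAMPLE_LOGINS" | effective_seuser alice     # unconfined_u (falls back to __default__)
printf '%s\n' "$SAMPLE_LOGINS" | logins_for_seuser guest_u  # joe
```

Piping the real `semanage login -l` output into `logins_for_seuser unconfined_u` is a quick way to see how many logins still bypass the confined guest_u mapping after changing `__default__`.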
46
47
48
USER
       The SELinux user guest_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.
53
54
X WINDOWS LOGIN
       The SELinux user guest_u is not able to log in to X Windows.
58
59
NETWORK
       The SELinux user guest_u is able to connect to the following tcp ports.

              9080

              88,750,4444

       The SELinux user guest_u is able to connect to the following tcp ports.

              9080

              88,750,4444
73
74
BOOLEANS
       SELinux policy is customizable based on the least access required. The
       guest policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run guest with the tightest access
       possible.

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable, you must turn on the
       deny_execmem boolean. Such mappings are dangerous, and an executable
       that needs one should be reported in bugzilla. Enabled by default.

              setsebool -P deny_execmem 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

              setsebool -P httpd_enable_cgi 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

              setsebool -P kerberos_enabled 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

              setsebool -P selinuxuser_execstack 1

       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

              setsebool -P selinuxuser_use_ssh_chroot 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

              setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

              setsebool -P use_samba_home_dirs 1
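As an added example, not part of the generated manual page: a small audit that compares the state `getsebool -a` reports with the "Enabled/Disabled by default" notes above and prints the `setsebool -P` commands that would restore the documented defaults, without executing anything. The `getsebool` output is a constructed sample; the baseline is copied from this section. For a guest user a site would normally tighten the baseline further, for instance setting selinuxuser_execstack to off, which this section itself says should never be necessary; the example keeps the documented defaults so the comparison stays traceable to the page.

```shell
# Boolean drift audit for the booleans listed in this section (added example).
# Baseline: boolean name and its documented default, taken from the text above.
BASELINE='deny_execmem on
fips_mode on
httpd_enable_cgi on
kerberos_enabled on
selinuxuser_execstack on
selinuxuser_use_ssh_chroot off
use_nfs_home_dirs off
use_samba_home_dirs off'

# Constructed sample of `getsebool -a` output; not captured from a real host.
# Two booleans deliberately differ from the baseline.
SAMPLE_GETSEBOOL='deny_execmem --> off
fips_mode --> on
httpd_enable_cgi --> on
kerberos_enabled --> on
selinuxuser_execstack --> on
selinuxuser_use_ssh_chroot --> on
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
unrelated_bool --> on'

# boolean_drift: read getsebool output on stdin and print "name current expected"
# for each baseline boolean whose current state differs. Booleans that are not
# in the baseline are ignored.
boolean_drift() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                expected[kv[1]] = kv[2]
            }
        }
        # getsebool prints one "name --> state" line per boolean
        $2 == "-->" && ($1 in expected) && $3 != expected[$1] {
            print $1, $3, expected[$1]
        }
    '
}

# fix_commands: turn drift lines into the setsebool -P commands that would
# restore the baseline. They are printed for review, never run.
fix_commands() {
    boolean_drift | awk '{ printf "setsebool -P %s %s\n", $1, ($3 == "on" ? 1 : 0) }'
}

# On a live system:  getsebool -a | fix_commands
# Against the constructed sample:
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
# deny_execmem off on
# selinuxuser_use_ssh_chroot on off
printf '%s\n' "$SAMPLE_GETSEBOOL" | fix_commands
# setsebool -P deny_execmem 1
# setsebool -P selinuxuser_use_ssh_chroot 0
```

The -P in the generated commands makes the change persistent across reboots, which is what the page's own examples use; drop it to test a setting before committing to it.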
140
141
142
HOME_EXEC
       The SELinux user guest_u is able to execute home content files.
145
146
TRANSITIONS
       Three things can happen when guest_t attempts to execute a program.

       1. SELinux policy can deny guest_t from executing the program.

       2. SELinux policy can allow guest_t to execute the program in the
       current user type.

              Execute the following to see the types that guest_t can
              execute without transitioning:

                     sesearch -A -s guest_t -c file -p execute_no_trans

       3. SELinux can allow guest_t to execute the program and transition to a
       new type.

              Execute the following to see the types that guest_t can
              execute and transition to:

                     sesearch -A -s guest_t -c process -p transition
171
172
173
MANAGED FILES
       The SELinux process type guest_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       alsa_home_t

              /home/[^/]+/.asoundrc

       anon_inodefs_t

       auth_cache_t

              /var/cache/coolkey(/.*)?

       cifs_t

       httpd_user_content_t

              /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

              /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

              /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t

       httpd_user_script_exec_t

              /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       nfs_t

       user_home_type

              all user home files

       user_tmp_type

              all user tmp files
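The default paths above are the regular expressions from the policy's file_contexts entries, and knowing which entries a path matches is the first step in working out why a file under a guest's home directory carries a given label. As an added example, not part of the generated manual page, the functions below test a path against the patterns listed in this section with `grep -E -x`, which approximates the anchored regex matching libselinux performs. When more than one entry matches, libselinux picks the most specific entry and `matchpathcon PATH` shows the real result; this example only lists the candidates. The table is copied from this section; entries without a default path are omitted.

```shell
# Which file_contexts entries match a path? (added example, not from the page)
# Label/regex pairs copied from the MANAGED FILES section; entries that list no
# default path (anon_inodefs_t, cifs_t, httpd_user_rw_content_t, nfs_t) are
# omitted, as are the user_home_type and user_tmp_type attributes.
FCONTEXTS='alsa_home_t /home/[^/]+/.asoundrc
auth_cache_t /var/cache/coolkey(/.*)?
httpd_user_content_t /home/[^/]+/((www)|(web)|(public_html))(/.+)?
httpd_user_htaccess_t /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
httpd_user_ra_content_t /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
httpd_user_script_exec_t /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?'

# matching_labels PATH: print the label of every entry whose regex matches the
# whole path. grep -x anchors both ends, as libselinux does when it compiles a
# file_contexts entry (assumption: grep's ERE dialect is close enough for these
# patterns, which use only groups, alternation, classes and quantifiers).
matching_labels() {
    printf '%s\n' "$FCONTEXTS" | while read -r label regex; do
        if printf '%s\n' "$1" | grep -E -x -q -- "$regex"; then
            printf '%s\n' "$label"
        fi
    done
}

# match_count PATH: number of candidate entries. More than one means the
# specificity rules in libselinux decide, and matchpathcon(8) is the authority.
match_count() {
    matching_labels "$1" | wc -l | tr -d ' '
}

matching_labels /home/joe/public_html/cgi-bin/run.cgi  # httpd_user_content_t, httpd_user_script_exec_t
matching_labels /home/joe/public_html/.htaccess       # httpd_user_content_t, httpd_user_htaccess_t
matching_labels /home/joe/.asoundrc                   # alsa_home_t
match_count /etc/passwd                               # 0
```

The cgi-bin case shows why the split matters for a least-privileged user: the same path is a candidate for both the read-only content label and the script-exec label, and only the latter lets httpd run the file, so a mislabel there is worth checking with `matchpathcon` and fixing with `restorecon`.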
222
223
COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.
239
240
AUTHOR
       This manual page was auto-generated using sepolicy manpage.
243
244
SEE ALSO
       selinux(8), guest(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)
248
249
250
mgrepl@redhat.com                        guest                        guest_selinux(8)