xguest_selinux(8)     xguest SELinux Policy documentation    xguest_selinux(8)



NAME

       xguest_u - Least privileged xwindows user role. - Security Enhanced
       Linux Policy



DESCRIPTION

       xguest_u is an SELinux User defined in the SELinux policy. SELinux
       users have default roles, xguest_r. The default role has a default
       type, xguest_t, associated with it.

       The SELinux user will usually login to a system with a context that
       looks like:

       xguest_u:xguest_r:xguest_t:s0

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux User to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On Targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the xguest_u
       user, you would execute:

       semanage login -m -s xguest_u __default__

       If you want to map a single Linux user (joe) to the SELinux user
       xguest_u, you would execute:

       $ semanage login -a -s xguest_u joe


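       The mapping lookup above, as an added example that is not part of this
       manual page: a Python helper that parses the output of semanage login -l
       (the sample is constructed, not captured from a host) and resolves a
       Linux login to its SELinux user and initial context the way the page
       describes, an explicit entry first and __default__ otherwise. The
       unconfined_u entry in DEFAULT_ROLE_TYPE is an assumption added for the
       sample data.

```python
# Constructed sample of `semanage login -l` output (not captured from a real
# host): a header row, a blank line, then one row per mapping with the login
# name, SELinux user, MLS/MCS range and service.
SAMPLE_LOGIN_LIST = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
joe                  xguest_u             s0                   *
"""

# Default role and type per SELinux user. The xguest_u entry is what the page
# states; the unconfined_u entry is an assumption added for the sample data.
DEFAULT_ROLE_TYPE = {
    "xguest_u": ("xguest_r", "xguest_t"),
    "unconfined_u": ("unconfined_r", "unconfined_t"),
}


def parse_login_mappings(text):
    """Return {login_name: (selinux_user, mls_range)} from `semanage login -l`."""
    mappings = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header row and the blank separator line.
        if len(fields) < 3 or fields[0] == "Login":
            continue
        mappings[fields[0]] = (fields[1], fields[2])
    return mappings


def resolve_selinux_user(mappings, login_name):
    """An explicit entry wins; any other login falls back to __default__.
    (%group entries, which semanage also accepts, are not modelled here.)"""
    return mappings.get(login_name, mappings["__default__"])


def login_context(mappings, login_name):
    """Initial context the login program assigns, e.g. xguest_u:xguest_r:xguest_t:s0."""
    seuser, mls_range = resolve_selinux_user(mappings, login_name)
    role, type_ = DEFAULT_ROLE_TYPE[seuser]
    return f"{seuser}:{role}:{type_}:{mls_range}"


def logins_not_mapped_to(mappings, wanted="xguest_u"):
    """Audit helper: entries (including __default__) that map to some other
    SELinux user, i.e. logins that do not land in the least-privileged role."""
    return sorted(name for name, (seuser, _) in mappings.items() if seuser != wanted)
```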

USER DESCRIPTION

       The SELinux user xguest_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.



SUDO

X WINDOWS LOGIN

       The SELinux user xguest_u is able to log in to X Windows.



NETWORK

       The SELinux user xguest_u is able to connect to the following tcp
       ports.

              53,853

              8955

              8080,8118,8123,10001-10010

              8036

              all ports without defined types

              9080

              8000,9433,16001

              4713

              8081

              32768-60999

              21,989,990

              80,81,443,488,8008,8009,8443,9000

              88,750,4444

              3128,3401,4827

              4331,5001

              843,1935

              631,8610-8614



BOOLEANS

       SELinux policy is customizable based on the least access required.
       xguest policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run xguest with the tightest access
       possible.


       If you want to allow xguest users to configure Network Manager and
       connect to apache ports, you must turn on the xguest_connect_network
       boolean. Enabled by default.

       setsebool -P xguest_connect_network 1


       If you want to allow xguest users to mount removable media, you must
       turn on the xguest_mount_media boolean. Enabled by default.

       setsebool -P xguest_mount_media 1


       If you want to allow xguest to use Bluetooth devices, you must turn on
       the xguest_use_bluetooth boolean. Enabled by default.

       setsebool -P xguest_use_bluetooth 1


       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1


       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1


       If you want to allow unconfined executables to make their stack
       executable (this should never, ever be necessary; it probably indicates
       a badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla), you must turn on the
       selinuxuser_execstack boolean. Enabled by default.

       setsebool -P selinuxuser_execstack 1


       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1


       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


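       An added example, not part of this manual page: a Python audit that
       parses getsebool -a output (the sample is constructed, not captured from
       a host) and reports which of the booleans listed above differ from a
       baseline the administrator chooses, together with the setsebool -P
       lines that would restore it. KIOSK_BASELINE is an assumed local policy
       for the example, not the defaults stated above.

```python
# Constructed sample of `getsebool -a` output, trimmed to the booleans this
# page lists (not captured from a real host).
SAMPLE_GETSEBOOL = """\
deny_execmem --> off
deny_ptrace --> off
fips_mode --> on
selinuxuser_execstack --> on
selinuxuser_rw_noexattrfile --> on
selinuxuser_use_ssh_chroot --> off
use_nfs_home_dirs --> off
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
"""

# Assumed hardening baseline for a kiosk-style xguest deployment. These are a
# local policy choice for the example, not the distribution defaults.
KIOSK_BASELINE = {
    "deny_execmem": True,
    "deny_ptrace": True,
    "selinuxuser_execstack": False,
    "xguest_connect_network": True,
    "xguest_mount_media": False,
    "xguest_use_bluetooth": False,
}


def parse_getsebool(text):
    """Return {boolean: bool} from lines of the form `name --> on|off`."""
    state = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" --> ")
        if sep and value.strip() in ("on", "off"):
            state[name.strip()] = value.strip() == "on"
    return state


def boolean_drift(state, baseline):
    """Return (drift, missing): drift maps a boolean to (current, wanted) where
    the host differs from the baseline; missing lists baseline booleans the
    host's policy does not define (for example a policy version mismatch)."""
    drift, missing = {}, []
    for name, wanted in baseline.items():
        if name not in state:
            missing.append(name)
        elif state[name] != wanted:
            drift[name] = (state[name], wanted)
    return drift, sorted(missing)


def remediation_commands(drift):
    """`setsebool -P` lines that would bring each drifted boolean to baseline."""
    return [f"setsebool -P {name} {int(wanted)}"
            for name, (_, wanted) in sorted(drift.items())]
```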

HOME_EXEC

       The SELinux user xguest_u is able to execute home content files.



TRANSITIONS

       Three things can happen when xguest_t attempts to execute a program.

       1. SELinux Policy can deny xguest_t from executing the program.


       2. SELinux Policy can allow xguest_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux user
              xguest_t can execute without transitioning:

              sesearch -A -s xguest_t -c file -p execute_no_trans


       3. SELinux can allow xguest_t to execute the program and transition to
       a new type.

              Execute the following to see the types that the SELinux user
              xguest_t can execute and transition:

              $ sesearch -A -s xguest_t -c process -p transition


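       An added example, not part of this manual page: a Python parser for the
       sesearch allow-rule output of steps 2 and 3 above (the samples are
       constructed in the setools 4 format, not captured from a real policy;
       constructed_bool is a placeholder, not a real policy boolean) that lists
       the types xguest_t can execute without a transition or transition to,
       honouring single-boolean conditional rules against a given set of
       boolean values.

```python
import re

# Constructed sesearch output (setools 4 format, not captured from a policy).
# A conditional rule carries a trailing "[ boolean ]:True|False" naming the
# conditional and the branch the rule lives in; the rule is in effect only when
# the boolean's current value matches that branch.
SAMPLE_EXEC_NO_TRANS = """\
allow xguest_t bin_t:file { execute execute_no_trans getattr open read };
allow xguest_t user_home_t:file { execute execute_no_trans read };
allow xguest_t mozilla_exec_t:file { execute execute_no_trans }; [ constructed_bool ]:False
"""
SAMPLE_TRANSITION = """\
allow xguest_t xguest_dbusd_t:process transition;
allow xguest_t xguest_gkeyringd_t:process { sigchld transition };
allow xguest_t chrome_sandbox_t:process transition; [ constructed_bool ]:True
"""

ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+));"
    r"(?:\s*\[\s*(?P<expr>[^\]]+?)\s*\]:(?P<branch>True|False))?"
)


def parse_allow_rules(text):
    """Yield (source, target, class, perms, condition) per allow rule; condition
    is None for unconditional rules, else (conditional_expression, branch)."""
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        perms = set(m["perms"].split()) if m["perms"] is not None else {m["perm"]}
        cond = None if m["expr"] is None else (m["expr"], m["branch"] == "True")
        yield m["src"], m["tgt"], m["cls"], perms, cond


def reachable_types(text, booleans, source="xguest_t", cls="process", perm="transition"):
    """Target types on which `source` holds `perm` for class `cls`. A conditional
    rule counts only when booleans[expression] equals its branch; an unknown
    boolean or a multi-boolean expression is conservatively treated as off."""
    targets = set()
    for src, tgt, rule_cls, perms, cond in parse_allow_rules(text):
        if src != source or rule_cls != cls or perm not in perms:
            continue
        if cond is not None and booleans.get(cond[0]) != cond[1]:
            continue
        targets.add(tgt)
    return sorted(targets)
```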

MANAGED FILES

       The SELinux process type xguest_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       alsa_home_t

            /home/[^/]+/.asoundrc

       anon_inodefs_t


       auth_cache_t

            /var/cache/coolkey(/.*)?

       chrome_sandbox_tmpfs_t


       cifs_t


       dosfs_t


       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       gkeyringd_tmp_t

            /var/run/user/[^/]*/keyring.*

       gnome_home_type


       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t


       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       nfs_t


       noxattrfs

            all files on file systems which do not support extended attributes

       pulseaudio_tmpfs_t


       pulseaudio_tmpfsfile


       usbfs_t


       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       xserver_tmpfs_t



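       An added example, not part of this manual page: a Python matcher over
       the file-context patterns listed above (only the types with a listed
       path; user_home_type, noxattrfs and the other path-less entries are not
       covered) that reports which of them match a given path as a whole, the
       way file_contexts entries are anchored, and flags paths that fall under
       an executable content type. Where several patterns match, the policy's
       file_contexts ordering decides which label is applied; the example
       reports all candidates.

```python
import re

# The file-context patterns from the list above, keyed by file type. Types the
# page lists without a path (cifs_t, nfs_t, user_home_type, ...) are omitted.
MANAGED_FILE_PATTERNS = {
    "alsa_home_t": [r"/home/[^/]+/.asoundrc"],
    "auth_cache_t": [r"/var/cache/coolkey(/.*)?"],
    "gconf_tmp_t": [r"/tmp/gconfd-[^/]+/.*"],
    "gkeyringd_tmp_t": [r"/var/run/user/[^/]*/keyring.*"],
    "httpd_user_content_t": [r"/home/[^/]+/((www)|(web)|(public_html))(/.+)?"],
    "httpd_user_htaccess_t": [r"/home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess"],
    "httpd_user_ra_content_t": [r"/home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?"],
    "httpd_user_script_exec_t": [r"/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?"],
    "user_fonts_cache_t": [r"/home/[^/]+/.fontconfig(/.*)?", r"/home/[^/]+/.fonts/auto(/.*)?",
                           r"/home/[^/]+/.fonts.cache-.*", r"/home/[^/]+/.cache/fontconfig(/.*)?"],
    "user_tmp_t": [r"/dev/shm/mono.*", r"/var/run/user(/.*)?", r"/tmp/.ICE-unix(/.*)?",
                   r"/tmp/.X11-unix(/.*)?", r"/dev/shm/pulse-shm.*", r"/tmp/.X0-lock",
                   r"/home/[^/]+/tmp", r"/home/[^/]+/.tmp", r"/tmp/gconfd-[^/]+"],
}

# Compile once; file_contexts regexes match the whole path, hence fullmatch below.
COMPILED = {t: [re.compile(p) for p in pats] for t, pats in MANAGED_FILE_PATTERNS.items()}


def matching_types(path):
    """Managed file types whose pattern matches `path` as a whole, sorted;
    empty when none of the listed patterns applies."""
    return sorted(t for t, pats in COMPILED.items()
                  if any(p.fullmatch(path) for p in pats))


def exec_type_paths(paths):
    """Paths whose candidate types include an executable content type (a type
    name ending in _exec_t), i.e. locations where xguest_t-managed files could
    be treated as executable content by another domain; worth reviewing."""
    return [p for p in paths if any(t.endswith("_exec_t") for t in matching_types(p))]
```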

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), xguest_dbusd_selinux(8),
       xguest_gkeyringd_selinux(8)



mgrepl@redhat.com                   xguest                   xguest_selinux(8)