xguest_selinux(8)     xguest SELinux Policy documentation    xguest_selinux(8)



NAME

       xguest_u - Least privileged X Windows user role. - Security Enhanced
       Linux Policy


DESCRIPTION

       xguest_u is an SELinux user defined in the SELinux policy. SELinux
       users have a default role; for xguest_u it is xguest_r. The default
       role has a default type, xguest_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       xguest_u:xguest_r:xguest_t:s0

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux user to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default all users are assigned to the SELinux user via the
       __default__ flag.

       On targeted policy systems the __default__ user is assigned to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the xguest_u
       user, you would execute:

       semanage login -m -s xguest_u __default__


       If you want to map one Linux user (joe) to the SELinux user xguest_u,
       you would execute:

       $ semanage login -a -s xguest_u joe



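       The mapping that semanage login -l prints can be audited without a live
       SELinux host. The following is an added example, not part of the
       sepolicy-generated page: it reads constructed semanage login -l output
       (SAMPLE_LOGIN_MAP, including a hypothetical %kiosk group entry) and
       reports which SELinux user, and therefore which login context, a Linux
       login will receive, falling back to __default__ as the login programs do.

```sh
#!/bin/sh
# Added example, not from the sepolicy-generated man page: resolve which SELinux
# user a Linux login maps to, using the table layout that `semanage login -l`
# prints. SAMPLE_LOGIN_MAP is constructed output, so this runs without SELinux.
SAMPLE_LOGIN_MAP='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  xguest_u             s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
%kiosk               xguest_u             s0                   *'

# selinux_user_for LOGIN: read a `semanage login -l` table on stdin and print the
# SELinux user for LOGIN. A login with no entry of its own falls back to the
# __default__ mapping, exactly as the login programs described above do.
selinux_user_for() {
    awk -v login="$1" '
        NR > 1 && NF >= 2 { map[$1] = $2 }
        END {
            if (login in map)              print map[login]
            else if ("__default__" in map) print map["__default__"]
            else                           print "unmapped"
        }'
}

# expected_context LOGIN: the initial shell context the page documents for an
# xguest_u login; any other user is reported by SELinux user name only.
expected_context() {
    user=$(selinux_user_for "$1")
    case "$user" in
        xguest_u) printf '%s\n' 'xguest_u:xguest_r:xguest_t:s0' ;;
        *)        printf '%s (not an xguest_u login)\n' "$user" ;;
    esac
}

# xguest_logins: every login name (or %group) mapped to xguest_u, one per line.
xguest_logins() {
    awk 'NR > 1 && $2 == "xguest_u" { print $1 }'
}

# Stand-alone run: one explicitly mapped user and one that relies on __default__.
for name in joe alice; do
    printf '%-8s -> %s\n' "$name" "$(printf '%s\n' "$SAMPLE_LOGIN_MAP" | expected_context "$name")"
done
```

       On a real system pipe the live table in with semanage login -l | ...
       instead of SAMPLE_LOGIN_MAP.
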
USER DESCRIPTION

       The SELinux user xguest_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.



SUDO

X WINDOWS LOGIN

       The SELinux user xguest_u is able to log in to X Windows.



NETWORK

       The SELinux user xguest_u is able to connect to the following tcp
       ports.

              53,853

              8955

              4713

              4331,5001

              80,81,443,488,8008,8009,8443,9000

              8080,8118,8123,10001-10010

              3128,3401,4827

              843,1935

              21,989,990

              631,8610-8614

              32768-60999

              all ports without defined types

              8000,9433,16001

              8036

              8081

              88,750,4444

              9080


BOOLEANS

       SELinux policy is customizable based on least access required. xguest
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run xguest with the tightest access possible.


       If you want to allow xguest users to configure Network Manager and
       connect to apache ports, you must turn on the xguest_connect_network
       boolean. Enabled by default.

       setsebool -P xguest_connect_network 1


       If you want to allow xguest users to mount removable media, you must
       turn on the xguest_mount_media boolean. Enabled by default.

       setsebool -P xguest_mount_media 1


       If you want to allow xguest to use Bluetooth devices, you must turn on
       the xguest_use_bluetooth boolean. Enabled by default.

       setsebool -P xguest_use_bluetooth 1


       If you want to deny user domain applications from mapping a memory
       region as both executable and writable, you must turn on the
       deny_execmem boolean. Such a mapping is dangerous and the executable
       should be reported in bugzilla. Enabled by default.

       setsebool -P deny_execmem 1


       If you want to deny any process from ptracing or debugging any other
       process, you must turn on the deny_ptrace boolean. Enabled by default.

       setsebool -P deny_ptrace 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1


       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary; it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execstack 1


       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Disabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1


       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Enabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1



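       The defaults documented above are the values a hardened xguest system
       is expected to carry, so drift away from them (deny_execmem turned off,
       selinuxuser_execstack turned on) is worth checking for. The following is
       an added example, not part of the sepolicy-generated page: it compares
       constructed getsebool -a style lines (SAMPLE_GETSEBOOL) against the
       defaults transcribed from this section and emits the setsebool -P
       command that would restore each one.

```sh
#!/bin/sh
# Added example, not from the sepolicy-generated man page: flag booleans whose
# current value differs from the defaults documented in the BOOLEANS section,
# using `getsebool -a` style lines. SAMPLE_GETSEBOOL is constructed output.
# Boolean name and documented default, transcribed from the section above.
DOCUMENTED_DEFAULTS='xguest_connect_network on
xguest_mount_media on
xguest_use_bluetooth on
deny_execmem on
deny_ptrace on
fips_mode on
httpd_enable_cgi on
kerberos_enabled off
nscd_use_shm off
selinuxuser_execstack off
selinuxuser_rw_noexattrfile off
selinuxuser_use_ssh_chroot off
use_nfs_home_dirs on
use_samba_home_dirs off'

# Constructed subset of `getsebool -a` output; deny_execmem and
# selinuxuser_execstack are deliberately set away from their documented defaults.
SAMPLE_GETSEBOOL='deny_execmem --> off
deny_ptrace --> on
selinuxuser_execstack --> on
selinuxuser_rw_noexattrfile --> off
xguest_connect_network --> on
xguest_mount_media --> on
unrelated_boolean --> on'

# boolean_drift: read getsebool lines on stdin; print "name current documented"
# for each boolean from the table whose current value is not the documented one.
boolean_drift() {
    awk -v defaults="$DOCUMENTED_DEFAULTS" '
        BEGIN {
            n = split(defaults, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] { print $1, $3, want[$1] }'
}

# setsebool_fix: turn each drift line into the persistent setsebool command the
# page uses, so the documented default can be restored.
setsebool_fix() {
    boolean_drift | awk '{ printf "setsebool -P %s %d\n", $1, ($3 == "on") }'
}
# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | setsebool_fix
```

       On a live system feed getsebool -a into boolean_drift instead of the
       sample and review each reported line before applying any command.
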
HOME_EXEC

       The SELinux user xguest_u is able to execute home content files.



TRANSITIONS

       Three things can happen when xguest_t attempts to execute a program.

       1. SELinux Policy can deny xguest_t from executing the program.



       2. SELinux Policy can allow xguest_t to execute the program in the
       current user type.

              Execute the following to see the types that the SELinux user
              xguest_t can execute without transitioning:

              sesearch -A -s xguest_t -c file -p execute_no_trans



       3. SELinux can allow xguest_t to execute the program and transition to
       a new type.

              Execute the following to see the types that the SELinux user
              xguest_t can execute and transition:

              $ sesearch -A -s xguest_t -c process -p transition



MANAGED FILES

       The SELinux process type xguest_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       alsa_home_t

            /home/[^/]+/.asoundrc

       anon_inodefs_t


       auth_cache_t

            /var/cache/coolkey(/.*)?

       chrome_sandbox_tmpfs_t


       cifs_t


       dosfs_t


       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       gkeyringd_tmp_t

            /var/run/user/[^/]*/keyring.*

       gnome_home_type


       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t


       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       nfs_t


       noxattrfs

            all files on file systems which do not support extended attributes

       pulseaudio_tmpfs_t


       pulseaudio_tmpfsfile


       session_dbusd_tmp_t

            /var/run/user(/.*)?/dbus-[0-9]*(/.*)?
            /var/run/user/[^/]*/systemd(/.*)?

       usbfs_t


       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       xserver_tmpfs_t




COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), xguest_dbusd_selinux(8),
       xguest_gkeyringd_selinux(8)



mgrepl@redhat.com                   xguest                   xguest_selinux(8)