xguest_selinux(8) xguest SELinux Policy documentation xguest_selinux(8)


NAME
xguest_u - Least privileged xwindows user role. - Security Enhanced
Linux Policy

DESCRIPTION
xguest_u is an SELinux user defined in the SELinux policy. SELinux
users have default roles; the default role of xguest_u is xguest_r. The
default role has a default type, xguest_t, associated with it.

The SELinux user will usually log in to a system with a context that
looks like:

xguest_u:xguest_r:xguest_t:s0

Linux users are automatically assigned an SELinux user at login. Login
programs use the SELinux user to assign the initial context to the
user's shell.

SELinux policy uses the context to control the user's access.

By default, every Linux user without an explicit mapping is assigned to
the SELinux user recorded for the __default__ login entry.

On targeted policy systems the __default__ entry is mapped to the
unconfined_u SELinux user.

You can list all Linux user to SELinux user mappings using:

semanage login -l

If you wanted to change the default user mapping to use the xguest_u
user, you would execute:

semanage login -m -s xguest_u __default__

Before doing so, make sure administrative accounts have their own
explicit mapping (for example to unconfined_u), because xguest_u is an
unprivileged user and cannot perform administrative tasks (see below).
The new mapping takes effect at the next login.

If you want to map one Linux user (joe) to the SELinux user xguest_u,
you would execute:

semanage login -a -s xguest_u joe

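The mapping lookup described above, worked through as a shell script. This is an added example, not part of the generated man page: the `semanage login -l` listing it parses is a constructed sample (the %kiosk group entry is an assumption, not something this page lists), and the role/type table holds only what this page states for xguest_u plus the unconfined_u defaults of the targeted policy. The lookup order (exact login name, then %group entries, then __default__) is the one documented in seusers(5).

```shell
#!/bin/sh
# Added example: resolve the SELinux user and initial context a Linux login
# receives from the login mapping table. SAMPLE_LOGIN_MAP is a constructed
# sample in `semanage login -l` format, not output from a real host.
SAMPLE_LOGIN_MAP='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  xguest_u             s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
%kiosk               xguest_u             s0                   *'

# Default role and type per SELinux user, as this man page describes them.
# Assumed for the example; on a real host read them with `semanage user -l`.
default_context_for() {
  case "$1" in
    xguest_u)     echo "xguest_u:xguest_r:xguest_t" ;;
    unconfined_u) echo "unconfined_u:unconfined_r:unconfined_t" ;;
    *)            return 1 ;;
  esac
}

# resolve_seuser LOGIN [GROUP...]
# Prints "<seuser> <range>" following the seusers(5) lookup order:
# exact login name, then a %group entry for one of the user's groups,
# then the __default__ entry.
resolve_seuser() {
  login="$1"; shift
  printf '%s\n' "$SAMPLE_LOGIN_MAP" | awk -v login="$login" -v groups="$*" '
    NR == 1 || NF == 0  { next }                 # skip header and blank line
    $1 == login         { byname = $2 " " $3 }
    $1 == "__default__" { dflt = $2 " " $3 }
    substr($1, 1, 1) == "%" {
      n = split(groups, g, " ")
      for (i = 1; i <= n; i++)
        if ($1 == "%" g[i] && !bygroup) bygroup = $2 " " $3
    }
    END {
      if (byname) print byname; else if (bygroup) print bygroup; else print dflt
    }'
}

# login_context LOGIN [GROUP...]
# Assembles the user:role:type:range context the login shell would start in.
login_context() {
  set -- $(resolve_seuser "$@")    # -> "<seuser> <range>"
  seuser=$1; range=$2
  printf '%s:%s\n' "$(default_context_for "$seuser")" "$range"
}

login_context joe             # xguest_u:xguest_r:xguest_t:s0
login_context alice kiosk     # xguest_u:xguest_r:xguest_t:s0 (via %kiosk)
login_context bob users       # unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

To run the same check against a live host, replace SAMPLE_LOGIN_MAP with the output of `semanage login -l` (or simply compare with `id -Z` after logging in as the user).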
USER DESCRIPTION
The SELinux user xguest_u is defined in policy as an unprivileged user.
SELinux prevents unprivileged users from doing administration tasks
without transitioning to a different role.


X WINDOWS LOGIN
The SELinux user xguest_u is able to log in through X Windows.

NETWORK
The SELinux user xguest_u is able to connect to the following tcp
ports.

53,853

8955

4713

4331,5001

80,81,443,488,8008,8009,8443,9000

8080,8118,8123,10001-10010

3128,3401,4827

843,1935

21,989,990

631,8610-8614

32768-60999

all ports without defined types

8000,9433,16001

8036

8081

88,750,4444

9080

Each line above corresponds to one SELinux port type, expanded to the
port numbers of the policy this page was generated from. On a running
system, sepolicy network -d xguest_t lists the port types xguest_t may
use and semanage port -l maps port types to numbers.

BOOLEANS
SELinux policy is customizable based on least access required. xguest
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run xguest with the tightest access possible.
The defaults given below are those of the policy this page was generated
from; check the running system with getsebool. To remove a permission,
set the boolean to 0 instead of 1; -P makes the change persistent across
reboots.

If you want to allow xguest users to configure Network Manager and
connect to apache ports, you must turn on the xguest_connect_network
boolean. Enabled by default.

setsebool -P xguest_connect_network 1

If you want to allow xguest users to mount removable media, you must
turn on the xguest_mount_media boolean. Enabled by default.

setsebool -P xguest_mount_media 1

If you want to allow xguest to use bluetooth devices, you must turn on
the xguest_use_bluetooth boolean. Enabled by default.

setsebool -P xguest_use_bluetooth 1

If you want to deny applications in user domains the ability to map a
memory region as both executable and writable, you must turn on the
deny_execmem boolean. Such mappings are dangerous, and an executable
that needs one should be reported in bugzilla. Enabled by default.

setsebool -P deny_execmem 1

If you want to deny any process from ptracing or debugging any other
process, you must turn on the deny_ptrace boolean. Enabled by default.

setsebool -P deny_ptrace 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow httpd cgi support, you must turn on the
httpd_enable_cgi boolean. Enabled by default.

setsebool -P httpd_enable_cgi 1

If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Disabled by default.

setsebool -P kerberos_enabled 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Disabled by default.

setsebool -P nscd_use_shm 1

If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Disabled by default.

setsebool -P selinuxuser_execstack 1

If you want to allow users to read and write files on filesystems that
do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
the selinuxuser_rw_noexattrfile boolean. Disabled by default.

setsebool -P selinuxuser_rw_noexattrfile 1

If you want to allow users to use an ssh chroot environment, you must
turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

setsebool -P selinuxuser_use_ssh_chroot 1

If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Enabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

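The "tightest access possible" the section above talks about is a matter of comparing the booleans on a host against the set you intend. The script below does that comparison. It is an added example, not part of the generated man page: SAMPLE_GETSEBOOL is a constructed sample in `getsebool -a` output format, and the baseline (a browsing kiosk that keeps the network but loses removable media and bluetooth, with the hardening booleans on) is an assumption chosen for the example, not a recommendation from the page.

```shell
#!/bin/sh
# Added example: audit the xguest-related booleans against a least-privilege
# baseline and print the setsebool commands needed to reach it.
# SAMPLE_GETSEBOOL is a constructed sample in `getsebool -a` format,
# not output captured from a real host.
SAMPLE_GETSEBOOL='deny_execmem --> off
deny_ptrace --> off
selinuxuser_execstack --> on
selinuxuser_rw_noexattrfile --> off
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on'

# Desired values, assumed for this example: a web kiosk that needs the
# network but neither removable media nor bluetooth, hardening booleans on.
BASELINE='deny_execmem=on deny_ptrace=on selinuxuser_execstack=off
selinuxuser_rw_noexattrfile=off xguest_connect_network=on
xguest_mount_media=off xguest_use_bluetooth=off'

# audit_booleans CURRENT BASELINE
# Prints "setsebool -P <name> <value>" for every boolean whose current value
# differs from the baseline, and a "# ..." note for baseline entries the
# loaded policy does not define. Prints nothing when the host complies.
audit_booleans() {
  printf '%s\n' "$1" | awk -v baseline="$2" '
    BEGIN {
      # baseline is whitespace-separated name=value pairs
      n = split(baseline, pairs)
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    # getsebool prints "<name> --> <on|off>"
    $2 == "-->" {
      present[$1] = 1
      if (($1 in want) && $3 != want[$1])
        printf "setsebool -P %s %s\n", $1, want[$1]
    }
    END {
      for (b in want) if (!(b in present))
        printf "# %s: not defined in loaded policy\n", b
    }'
}

# Show the remediation commands; review them before running any of them.
audit_booleans "$SAMPLE_GETSEBOOL" "$BASELINE"
```

Against a live host the same call is `audit_booleans "$(getsebool -a)" "$BASELINE"`; the output is the list of commands to apply, so unexpected entries (for example a boolean the policy no longer defines) show up before anything is changed.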
HOME_EXEC
The SELinux user xguest_u is able to execute home content files.
Because home content is writable by the user, a guest can run binaries
they have placed in their home directory; those programs still run
confined, subject to the transition rules below.


TRANSITIONS
Three things can happen when xguest_t attempts to execute a program.

1. SELinux policy can deny xguest_t from executing the program.

2. SELinux policy can allow xguest_t to execute the program in the
current user type.

Execute the following to see the types that the SELinux domain xguest_t
can execute without transitioning:

sesearch -A -s xguest_t -c file -p execute_no_trans

3. SELinux can allow xguest_t to execute the program and transition to
a new type.

Execute the following to see the types that the SELinux domain xguest_t
can execute and transition into:

sesearch -A -s xguest_t -c process -p transition

MANAGED FILES
The SELinux process type xguest_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs DAC permission as
well.

alsa_home_t

/home/[^/]+/.asoundrc

anon_inodefs_t


auth_cache_t

/var/cache/coolkey(/.*)?

chrome_sandbox_tmpfs_t


cifs_t


dosfs_t


gconf_tmp_t

/tmp/gconfd-[^/]+/.*

gkeyringd_tmp_t

/var/run/user/[^/]*/keyring.*

gnome_home_type


httpd_user_content_t

/home/[^/]+/((www)|(web)|(public_html))(/.+)?

httpd_user_htaccess_t

/home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

httpd_user_ra_content_t

/home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

httpd_user_rw_content_t


httpd_user_script_exec_t

/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

nfs_t


noxattrfs

all files on file systems which do not support extended attributes

pulseaudio_tmpfs_t


pulseaudio_tmpfsfile


session_dbusd_tmp_t

/var/run/user(/.*)?/dbus-[0-9]*(/.*)?
/var/run/user/[^/]*/systemd(/.*)?

usbfs_t


user_fonts_cache_t

/root/.fontconfig(/.*)?
/root/.fonts/auto(/.*)?
/root/.fonts.cache-.*
/root/.cache/fontconfig(/.*)?
/home/[^/]+/.fontconfig(/.*)?
/home/[^/]+/.fonts/auto(/.*)?
/home/[^/]+/.fonts.cache-.*
/home/[^/]+/.cache/fontconfig(/.*)?

user_home_type

all user home files

user_tmp_t

/dev/shm/mono.*
/var/run/user(/.*)?
/tmp/.ICE-unix(/.*)?
/tmp/.X11-unix(/.*)?
/dev/shm/pulse-shm.*
/tmp/.X0-lock
/tmp/hsperfdata_root
/var/tmp/hsperfdata_root
/home/[^/]+/tmp
/home/[^/]+/.tmp
/tmp/gconfd-[^/]+

user_tmp_type

all user tmp files

xserver_tmpfs_t


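The paths in the list above are file_contexts patterns: extended regular expressions that libselinux anchors at both ends. The script below applies a subset of them to candidate paths, which shows that a single path can be claimed by more than one pattern (a cgi-bin script matches both httpd_user_content_t and httpd_user_script_exec_t). This is an added example, not part of the generated man page or the policy: HOME_SPECS is a constructed excerpt of the list, dots are escaped as they are in the policy's .fc files (the list above shows them unescaped), and on a real host the installed file_contexts ordering decides between overlapping matches, so confirm with matchpathcon(8).

```shell
#!/bin/sh
# Added example: find which of the home-directory file types listed above a
# path falls under, using the path patterns from that list as anchored
# extended regexes (the anchoring mirrors how libselinux matches
# file_contexts). HOME_SPECS is a constructed excerpt, not a file_contexts file.
HOME_SPECS='httpd_user_content_t ^/home/[^/]+/((www)|(web)|(public_html))(/.+)?$
httpd_user_htaccess_t ^/home/[^/]+/((www)|(web)|(public_html))(/.*)?/\.htaccess$
httpd_user_ra_content_t ^/home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?$
httpd_user_script_exec_t ^/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?$
user_fonts_cache_t ^/home/[^/]+/\.cache/fontconfig(/.*)?$
user_tmp_t ^/home/[^/]+/\.tmp$
user_tmp_t ^/home/[^/]+/tmp$
alsa_home_t ^/home/[^/]+/\.asoundrc$'

# matching_types PATH
# Prints every type whose pattern matches PATH, one per line, in list order.
# A path under /home/<user> that matches nothing here is plain user home
# content (user_home_type above), which xguest_t can also manage.
matching_types() {
  printf '%s\n' "$HOME_SPECS" | while read -r type regex; do
    if printf '%s\n' "$1" | grep -Eq -- "$regex"; then
      echo "$type"
    fi
  done
}

# match_count PATH
# Number of patterns that claim PATH. More than one means the ordering of
# the installed file_contexts decides the label; check with matchpathcon.
match_count() {
  matching_types "$1" | wc -l | tr -d ' '
}

matching_types /home/joe/public_html/index.html         # httpd_user_content_t
matching_types /home/joe/public_html/cgi-bin/form.cgi   # two types match
match_count    /home/joe/.bashrc                        # 0
```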
COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove policy
modules.

semanage boolean can also be used to manipulate the booleans.


system-config-selinux is a GUI tool available to customize SELinux policy
settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.


SEE ALSO
selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8), xguest_dbusd_selinux(8), xguest_gkeyringd_selinux(8)



mgrepl@redhat.com xguest xguest_selinux(8)