xguest_selinux(8)        xguest SELinux Policy documentation        xguest_selinux(8)

xguest_u - Least privileged xwindows user role. - Security Enhanced Linux Policy

xguest_u is an SELinux user defined in the SELinux policy. SELinux users have a default role, xguest_r. The default role has a default type, xguest_t, associated with it.

The SELinux user will usually log in to a system with a context that looks like:

    xguest_u:xguest_r:xguest_t:s0

Linux users are automatically assigned an SELinux user at login. Login programs use the SELinux user to assign the initial context to the user's shell.

SELinux policy uses the context to control the user's access.

By default all users are assigned to the SELinux user via the __default__ flag.

On Targeted policy systems the __default__ user is assigned to the unconfined_u SELinux user.

You can list all Linux user to SELinux user mappings using:

    semanage login -l

If you wanted to change the default user mapping to use the xguest_u user, you would execute:

    semanage login -m -s xguest_u __default__

If you want to map one Linux user (joe) to the SELinux user xguest_u, you would execute:

    $ semanage login -a -s xguest_u joe

The SELinux user xguest_u is defined in policy as an unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.

The SELinux user xguest_u is able to log in via X Windows.

The SELinux user xguest_u is able to connect to the following tcp ports.

    53,853
    8955
    4713
    4331,5001
    80,81,443,488,8008,8009,8443,9000
    8080,8118,8123,10001-10010
    3128,3401,4827
    843,1935
    21,989,990
    631,8610-8614
    32768-60999
    all ports without defined types
    8000,9433,16001
    8036
    8081
    9080
    88,750,4444

SELinux policy is customizable based on the least access required. xguest policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xguest with the tightest access possible.

If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean. Enabled by default.

    setsebool -P xguest_connect_network 1

If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean. Enabled by default.

    setsebool -P xguest_mount_media 1

If you want to allow xguest to use Bluetooth devices, you must turn on the xguest_use_bluetooth boolean. Enabled by default.

    setsebool -P xguest_use_bluetooth 1

If you want to deny applications in user domains from mapping a memory region as both executable and writable (this is dangerous, and the executable should be reported in bugzilla), you must turn on the deny_execmem boolean. Enabled by default.

    setsebool -P deny_execmem 1

If you want to deny any process from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Enabled by default.

    setsebool -P deny_ptrace 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

    setsebool -P fips_mode 1

If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default.

    setsebool -P httpd_enable_cgi 1

If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default.

    setsebool -P nscd_use_shm 1

If you want to allow unconfined executables to make their stack executable, you must turn on the selinuxuser_execstack boolean. This should never, ever be necessary: it probably indicates a badly coded executable, but could indicate an attack, and the executable should be reported in bugzilla. Disabled by default.

    setsebool -P selinuxuser_execstack 1

If you want to allow users to read/write files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default.

    setsebool -P selinuxuser_rw_noexattrfile 1

If you want to allow users to use an ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

    setsebool -P selinuxuser_use_ssh_chroot 1

If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default.

    setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default.

    setsebool -P use_samba_home_dirs 1

242
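The login-mapping commands above and the boolean defaults listed in this section can be audited offline from captured output. The following script is an added example, not part of the sepolicy-generated page; it assumes only POSIX sh plus awk, and the two sample outputs embedded in it are constructed to mimic `semanage login -l` and `getsebool -a` rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not from the sepolicy-generated page): audit xguest-related
# settings offline from captured command output. Assumes POSIX sh plus awk.
# Both samples below are constructed to mimic `semanage login -l` and
# `getsebool -a` output; they were not captured from a real host.

SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  xguest_u             s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *'

SAMPLE_BOOLS='deny_execmem --> off
deny_ptrace --> on
selinuxuser_execstack --> on
xguest_connect_network --> on
xguest_mount_media --> off'

# Print every Linux login mapped to the SELinux user given as $1, reading
# `semanage login -l` style output on stdin (the header line never matches
# because its second field is "Name").
logins_for_seuser() {
    awk -v u="$1" '$2 == u { print $1 }'
}

# Compare `getsebool -a` style output on stdin against the defaults this man
# page documents, printing "name current documented-default" for each
# boolean whose current value differs from the documented default.
boolean_deviations() {
    awk 'BEGIN {
            want["deny_execmem"] = "on"
            want["deny_ptrace"] = "on"
            want["selinuxuser_execstack"] = "off"
            want["xguest_connect_network"] = "on"
            want["xguest_mount_media"] = "on"
         }
         ($1 in want) && $3 != want[$1] { print $1, $3, want[$1] }'
}

# Stand-alone run over the constructed samples (on a real host pipe the
# live `semanage login -l` / `getsebool -a` output in instead).
printf '%s\n' "$SAMPLE_LOGINS" | logins_for_seuser xguest_u
printf '%s\n' "$SAMPLE_BOOLS" | boolean_deviations
```

On the constructed samples the script reports joe as the only xguest_u login and flags deny_execmem, selinuxuser_execstack and xguest_mount_media as differing from the documented defaults.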
The SELinux user xguest_u is able to execute home content files.

Three things can happen when xguest_t attempts to execute a program.

1. SELinux policy can deny xguest_t from executing the program.

2. SELinux policy can allow xguest_t to execute the program in the current user type.

   Execute the following to see the types that the SELinux user xguest_t can execute without transitioning:

       sesearch -A -s xguest_t -c file -p execute_no_trans

3. SELinux can allow xguest_t to execute the program and transition to a new type.

   Execute the following to see the types that the SELinux user xguest_t can execute and transition:

       $ sesearch -A -s xguest_t -c process -p transition

The SELinux process type xguest_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

    alsa_home_t
        /home/[^/]+/.asoundrc

    anon_inodefs_t

    auth_cache_t
        /var/cache/coolkey(/.*)?

    chrome_sandbox_tmpfs_t

    httpd_user_content_t
        /home/[^/]+/((www)|(web)|(public_html))(/.+)?

    httpd_user_htaccess_t
        /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

    httpd_user_ra_content_t
        /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

    httpd_user_rw_content_t

    httpd_user_script_exec_t
        /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

    noxattrfs
        all files on file systems which do not support extended attributes

    pulseaudio_tmpfsfile

    usbfs_t

    user_fonts_cache_t
        /root/.fontconfig(/.*)?
        /root/.fonts/auto(/.*)?
        /root/.fonts.cache-.*
        /root/.cache/fontconfig(/.*)?
        /home/[^/]+/.fontconfig(/.*)?
        /home/[^/]+/.fonts/auto(/.*)?
        /home/[^/]+/.fonts.cache-.*
        /home/[^/]+/.cache/fontconfig(/.*)?

    user_home_type
        all user home files

semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

This manual page was auto-generated using sepolicy manpage.

selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), xguest_dbusd_selinux(8), xguest_gkeyringd_selinux(8)

mgrepl@redhat.com                    xguest                     xguest_selinux(8)