1guest_selinux(8) guest SELinux Policy documentation guest_selinux(8)
2
3
4
6 guest_u - Least privileged terminal user role. - Security Enhanced
7 Linux Policy
8
9
11 guest_u is an SELinux User defined in the SELinux policy. SELinux users
12 have default roles, guest_r. The default role has a default type,
13 guest_t, associated with it.
14
15 The SELinux user will usually login to a system with a context that
16 looks like:
17
18 guest_u:guest_r:guest_t:s0
19
20 Linux users are automatically assigned an SELinux users at login. Lo‐
21 gin programs use the SELinux User to assign initial context to the
22 user's shell.
23
24 SELinux policy uses the context to control the user's access.
25
26 By default all users are assigned to the SELinux user via the __de‐
27 fault__ flag
28
29 On Targeted policy systems the __default__ user is assigned to the un‐
30 confined_u SELinux user.
31
32 You can list all Linux User to SELinux user mapping using:
33
34 semanage login -l
35
36 If you wanted to change the default user mapping to use the guest_u
37 user, you would execute:
38
39 semanage login -m -s guest_u __default__
40
41
42 If you want to map the one Linux user (joe) to the SELinux user guest,
43 you would execute:
44
45 $ semanage login -a -s guest_u joe
46
47
48
50 The SELinux user guest_u is defined in policy as a unprivileged user.
51 SELinux prevents unprivileged users from doing administration tasks
52 without transitioning to a different role.
53
54
57 The SELinux user guest_u is not able to X Windows login.
58
59
61 The SELinux user guest_u is able to listen on the following tcp ports.
62
63 1716
64
65
66 The SELinux user guest_u is able to connect to the following tcp ports.
67
68 9080
69
70 88,750,4444
71
72
73 The SELinux user guest_u is able to connect to the following tcp ports.
74
75 9080
76
77 88,750,4444
78
79
81 SELinux policy is customizable based on least access required. guest
82 policy is extremely flexible and has several booleans that allow you to
83 manipulate the policy and run guest with the tightest access possible.
84
85
86
87 If you want to deny all system processes and Linux users to use blue‐
88 tooth wireless technology, you must turn on the deny_bluetooth boolean.
89 Enabled by default.
90
91 setsebool -P deny_bluetooth 1
92
93
94
95 If you want to deny user domains applications to map a memory region as
96 both executable and writable, this is dangerous and the executable
97 should be reported in bugzilla, you must turn on the deny_execmem bool‐
98 ean. Enabled by default.
99
100 setsebool -P deny_execmem 1
101
102
103
104 If you want to allow all domains to execute in fips_mode, you must turn
105 on the fips_mode boolean. Enabled by default.
106
107 setsebool -P fips_mode 1
108
109
110
111 If you want to allow httpd cgi support, you must turn on the httpd_en‐
112 able_cgi boolean. Enabled by default.
113
114 setsebool -P httpd_enable_cgi 1
115
116
117
118 If you want to allow confined applications to run with kerberos, you
119 must turn on the kerberos_enabled boolean. Enabled by default.
120
121 setsebool -P kerberos_enabled 1
122
123
124
125 If you want to allow unconfined executables to make their stack exe‐
126 cutable. This should never, ever be necessary. Probably indicates a
127 badly coded executable, but could indicate an attack. This executable
128 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
129 stack boolean. Enabled by default.
130
131 setsebool -P selinuxuser_execstack 1
132
133
134
135 If you want to allow user to use ssh chroot environment, you must turn
136 on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
137
138 setsebool -P selinuxuser_use_ssh_chroot 1
139
140
141
142 If you want to support NFS home directories, you must turn on the
143 use_nfs_home_dirs boolean. Disabled by default.
144
145 setsebool -P use_nfs_home_dirs 1
146
147
148
149 If you want to support SAMBA home directories, you must turn on the
150 use_samba_home_dirs boolean. Disabled by default.
151
152 setsebool -P use_samba_home_dirs 1
153
154
155
157 The SELinux user guest_u is able execute home content files.
158
159
161 Three things can happen when guest_t attempts to execute a program.
162
163 1. SELinux Policy can deny guest_t from executing the program.
164
165
166
167 2. SELinux Policy can allow guest_t to execute the program in the cur‐
168 rent user type.
169
170 Execute the following to see the types that the SELinux user
171 guest_t can execute without transitioning:
172
173 sesearch -A -s guest_t -c file -p execute_no_trans
174
175
176
177 3. SELinux can allow guest_t to execute the program and transition to a
178 new type.
179
180 Execute the following to see the types that the SELinux user
181 guest_t can execute and transition:
182
183 $ sesearch -A -s guest_t -c process -p transition
184
185
186
188 The SELinux process type guest_t can manage files labeled with the fol‐
189 lowing file types. The paths listed are the default paths for these
190 file types. Note the processes UID still need to have DAC permissions.
191
192 alsa_home_t
193
194 /home/[^/]+/.asoundrc
195
196 auth_cache_t
197
198 /var/cache/coolkey(/.*)?
199
200 cifs_t
201
202
203 httpd_user_content_t
204
205 /home/[^/]+/((www)|(web)|(public_html))(/.+)?
206
207 httpd_user_htaccess_t
208
209 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
210
211 httpd_user_ra_content_t
212
213 /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
214
215 httpd_user_rw_content_t
216
217
218 httpd_user_script_exec_t
219
220 /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
221
222 nfs_t
223
224
225 user_home_type
226
227 all user home files
228
229 user_tmp_type
230
231 all user tmp files
232
233
235 semanage fcontext can also be used to manipulate default file context
236 mappings.
237
238 semanage permissive can also be used to manipulate whether or not a
239 process type is permissive.
240
241 semanage module can also be used to enable/disable/install/remove pol‐
242 icy modules.
243
244 semanage boolean can also be used to manipulate the booleans
245
246
247 system-config-selinux is a GUI tool available to customize SELinux pol‐
248 icy settings.
249
250
252 This manual page was auto-generated using sepolicy manpage .
253
254
256 selinux(8), guest(8), semanage(8), restorecon(8), chcon(1), sepol‐
257 icy(8), setsebool(8)
258
259
260
261mgrepl@redhat.com guest guest_selinux(8)