1xguest_selinux(8)     xguest SELinux Policy documentation    xguest_selinux(8)
2
3
4

NAME

6       xguest_u  -  Least  privileged  xwindows user role. - Security Enhanced
7       Linux Policy
8
9

DESCRIPTION

11       xguest_u is an SELinux User defined  in  the  SELinux  policy.  SELinux
12       users  have  default  roles,  xguest_r.  The default role has a default
13       type, xguest_t, associated with it.
14
15       The SELinux user will usually login to a system  with  a  context  that
16       looks like:
17
18       xguest_u:xguest_r:xguest_t:s0
19
20       Linux  users are automatically assigned an SELinux users at login.  Lo‐
21       gin programs use the SELinux User to  assign  initial  context  to  the
22       user's shell.
23
24       SELinux policy uses the context to control the user's access.
25
26       By  default  all  users  are assigned to the SELinux user via the __de‐
27       fault__ flag
28
29       On Targeted policy systems the __default__ user is assigned to the  un‐
30       confined_u SELinux user.
31
32       You can list all Linux User to SELinux user mapping using:
33
34       semanage login -l
35
36       If  you  wanted  to change the default user mapping to use the xguest_u
37       user, you would execute:
38
39       semanage login -m -s xguest_u __default__
40
41
42       If you want to map the one Linux user (joe) to the SELinux user xguest,
43       you would execute:
44
45       $ semanage login -a -s xguest_u joe
46
47
48

USER DESCRIPTION

50       The  SELinux user xguest_u is defined in policy as a unprivileged user.
51       SELinux prevents unprivileged users  from  doing  administration  tasks
52       without transitioning to a different role.
53
54

SUDO

X WINDOWS LOGIN

57       The SELinux user xguest_u is able to X Windows login.
58
59

NETWORK

61       The SELinux user xguest_u is able to listen on the following tcp ports.
62
63              1716
64
65
66       The  SELinux  user  xguest_u  is  able  to connect to the following tcp
67       ports.
68
69              53,853
70
71              8955
72
73              4713
74
75              4331,5001
76
77              80,81,443,488,8008,8009,8443,9000
78
79              8080,8118,8123,10001-10010
80
81              3128,3401,4827
82
83              843,1935
84
85              21,989,990
86
87              631,8610-8614
88
89              32768-60999
90
91              all ports without defined types
92
93              8000,9433,16001
94
95              8036
96
97              8081
98
99              9080
100
101              88,750,4444
102
103
104       The SELinux user xguest_u is able  to  connect  to  the  following  tcp
105       ports.
106
107              53,853
108
109              8955
110
111              4713
112
113              4331,5001
114
115              80,81,443,488,8008,8009,8443,9000
116
117              8080,8118,8123,10001-10010
118
119              3128,3401,4827
120
121              843,1935
122
123              21,989,990
124
125              631,8610-8614
126
127              32768-60999
128
129              all ports without defined types
130
131              8000,9433,16001
132
133              8036
134
135              8081
136
137              9080
138
139              88,750,4444
140
141

BOOLEANS

143       SELinux  policy is customizable based on least access required.  xguest
144       policy is extremely flexible and has several booleans that allow you to
145       manipulate the policy and run xguest with the tightest access possible.
146
147
148
149       If you want to allow xguest users to configure Network Manager and con‐
150       nect to apache ports, you must turn on the xguest_connect_network bool‐
151       ean. Enabled by default.
152
153       setsebool -P xguest_connect_network 1
154
155
156
157       If  you  want  to allow xguest users to mount removable media, you must
158       turn on the xguest_mount_media boolean. Enabled by default.
159
160       setsebool -P xguest_mount_media 1
161
162
163
164       If you want to allow xguest to use blue tooth devices, you must turn on
165       the xguest_use_bluetooth boolean. Enabled by default.
166
167       setsebool -P xguest_use_bluetooth 1
168
169
170
171       If  you  want to deny all system processes and Linux users to use blue‐
172       tooth wireless technology, you must turn on the deny_bluetooth boolean.
173       Enabled by default.
174
175       setsebool -P deny_bluetooth 1
176
177
178
179       If you want to deny user domains applications to map a memory region as
180       both executable and writable, this  is  dangerous  and  the  executable
181       should be reported in bugzilla, you must turn on the deny_execmem bool‐
182       ean. Enabled by default.
183
184       setsebool -P deny_execmem 1
185
186
187
188       If you want to deny any process from ptracing or  debugging  any  other
189       processes,  you  must  turn  on the deny_ptrace boolean. Enabled by de‐
190       fault.
191
192       setsebool -P deny_ptrace 1
193
194
195
196       If you want to allow all domains to execute in fips_mode, you must turn
197       on the fips_mode boolean. Enabled by default.
198
199       setsebool -P fips_mode 1
200
201
202
203       If  you want to allow httpd cgi support, you must turn on the httpd_en‐
204       able_cgi boolean. Enabled by default.
205
206       setsebool -P httpd_enable_cgi 1
207
208
209
210       If you want to allow confined applications to use nscd  shared  memory,
211       you must turn on the nscd_use_shm boolean. Enabled by default.
212
213       setsebool -P nscd_use_shm 1
214
215
216
217       If  you  want  to allow unconfined executables to make their stack exe‐
218       cutable.  This should never, ever be necessary.  Probably  indicates  a
219       badly  coded  executable, but could indicate an attack. This executable
220       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
221       stack boolean. Enabled by default.
222
223       setsebool -P selinuxuser_execstack 1
224
225
226
227       If  you want to allow user to r/w files on filesystems that do not have
228       extended attributes (FAT, CDROM, FLOPPY), you must turn on  the  selin‐
229       uxuser_rw_noexattrfile boolean. Disabled by default.
230
231       setsebool -P selinuxuser_rw_noexattrfile 1
232
233
234
235       If you want to allow user  to use ssh chroot environment, you must turn
236       on the selinuxuser_use_ssh_chroot boolean. Disabled by default.
237
238       setsebool -P selinuxuser_use_ssh_chroot 1
239
240
241
242       If you want to support NFS home  directories,  you  must  turn  on  the
243       use_nfs_home_dirs boolean. Disabled by default.
244
245       setsebool -P use_nfs_home_dirs 1
246
247
248
249       If  you  want  to  support SAMBA home directories, you must turn on the
250       use_samba_home_dirs boolean. Disabled by default.
251
252       setsebool -P use_samba_home_dirs 1
253
254
255

HOME_EXEC

257       The SELinux user xguest_u is able execute home content files.
258
259

TRANSITIONS

261       Three things can happen when xguest_t attempts to execute a program.
262
263       1. SELinux Policy can deny xguest_t from executing the program.
264
265
266
267       2. SELinux Policy can allow xguest_t to execute the program in the cur‐
268       rent user type.
269
270              Execute  the  following  to  see the types that the SELinux user
271              xguest_t can execute without transitioning:
272
273              sesearch -A -s xguest_t -c file -p execute_no_trans
274
275
276
277       3. SELinux can allow xguest_t to execute the program and transition  to
278       a new type.
279
280              Execute  the  following  to  see the types that the SELinux user
281              xguest_t can execute and transition:
282
283              $ sesearch -A -s xguest_t -c process -p transition
284
285
286

MANAGED FILES

288       The SELinux process type xguest_t can manage  files  labeled  with  the
289       following file types.  The paths listed are the default paths for these
290       file types.  Note the processes UID still need to have DAC permissions.
291
292       alsa_home_t
293
294            /home/[^/]+/.asoundrc
295
296       auth_cache_t
297
298            /var/cache/coolkey(/.*)?
299
300       chrome_sandbox_tmpfs_t
301
302
303       gconf_tmp_t
304
305            /tmp/gconfd-[^/]+/.*
306
307       httpd_user_content_t
308
309            /home/[^/]+/((www)|(web)|(public_html))(/.+)?
310
311       httpd_user_htaccess_t
312
313            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
314
315       httpd_user_ra_content_t
316
317            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
318
319       httpd_user_rw_content_t
320
321
322       httpd_user_script_exec_t
323
324            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
325
326       noxattrfs
327
328            all files on file systems which do not support extended attributes
329
330       pulseaudio_tmpfs_t
331
332
333       pulseaudio_tmpfsfile
334
335
336       session_dbusd_tmp_t
337
338            /var/run/user/[0-9]+/dbus(/.*)?
339
340       usbfs_t
341
342
343       user_fonts_cache_t
344
345            /root/.fontconfig(/.*)?
346            /root/.fonts/auto(/.*)?
347            /root/.fonts.cache-.*
348            /root/.cache/fontconfig(/.*)?
349            /home/[^/]+/.fontconfig(/.*)?
350            /home/[^/]+/.fonts/auto(/.*)?
351            /home/[^/]+/.fonts.cache-.*
352            /home/[^/]+/.cache/fontconfig(/.*)?
353
354       user_home_type
355
356            all user home files
357
358       user_tmp_t
359
360            /dev/shm/mono.*
361            /var/run/user(/.*)?
362            /tmp/.ICE-unix(/.*)?
363            /tmp/.X11-unix(/.*)?
364            /dev/shm/pulse-shm.*
365            /tmp/.X0-lock
366            /tmp/hsperfdata_root
367            /var/tmp/hsperfdata_root
368            /home/[^/]+/tmp
369            /home/[^/]+/.tmp
370            /tmp/gconfd-[^/]+
371
372       user_tmp_type
373
374            all user tmp files
375
376       xserver_tmpfs_t
377
378
379

COMMANDS

381       semanage fcontext can also be used to manipulate default  file  context
382       mappings.
383
384       semanage  permissive  can  also  be used to manipulate whether or not a
385       process type is permissive.
386
387       semanage module can also be used to enable/disable/install/remove  pol‐
388       icy modules.
389
390       semanage boolean can also be used to manipulate the booleans
391
392
393       system-config-selinux is a GUI tool available to customize SELinux pol‐
394       icy settings.
395
396

AUTHOR

398       This manual page was auto-generated using sepolicy manpage .
399
400

SEE ALSO

402       selinux(8), xguest(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
403       icy(8), setsebool(8), xguest_dbusd_selinux(8), xguest_dbusd_selinux(8),
404       xguest_gkeyringd_selinux(8), xguest_gkeyringd_selinux(8)
405
406
407
408mgrepl@redhat.com                   xguest                   xguest_selinux(8)
Impressum