guest_selinux(8)      guest SELinux Policy documentation      guest_selinux(8)




NAME

       guest_u - Least privileged terminal user role. - Security Enhanced
       Linux Policy



DESCRIPTION

       guest_u is an SELinux user defined in the SELinux policy.  SELinux
       users have a default role, guest_r, and the default role has a
       default type, guest_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       guest_u:guest_r:guest_t:s0

       Linux users are automatically assigned an SELinux user at login.
       Login programs use the SELinux user to assign the initial context to
       the user's shell.

       SELinux policy uses the context to control the user's access.

       By default all Linux users are mapped to the SELinux user given by
       the __default__ entry.

       On targeted policy systems the __default__ entry is mapped to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the guest_u
       user, you would execute:

       semanage login -m -s guest_u __default__

       If you want to map a single Linux user (joe) to the SELinux user
       guest_u, you would execute:

       semanage login -a -s guest_u joe


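       The following POSIX shell script is an added example and is not part
       of the sepolicy-generated page.  It audits a "semanage login -l"
       listing of the kind described above: which SELinux user __default__
       resolves to, which logins are mapped to guest_u, and whether root has
       an explicit entry (a login without its own entry inherits the
       __default__ mapping, so this is worth confirming before pointing
       __default__ at guest_u).  The listing embedded in it is constructed to
       match the command's column layout, and the function names are the
       example's own.

```sh
#!/bin/sh
# Added example, not part of the sepolicy-generated page.
# Audits the Linux-user to SELinux-user mapping printed by `semanage login -l`.
# The listing below is constructed to match that command's column layout;
# on a live host feed the real output instead, e.g.
#   semanage login -l > /tmp/logins.txt
#   logins_for_user guest_u < /tmp/logins.txt

SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  guest_u              s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
'

# logins_for_user SEUSER: read a listing on stdin and print each Login Name
# whose SELinux User column equals SEUSER (the header line is skipped).
logins_for_user() {
    awk -v want="$1" 'NR > 1 && NF >= 2 && $2 == want { print $1 }'
}

# default_seuser: print the SELinux user that __default__ maps to
# (empty output if the listing has no __default__ entry).
default_seuser() {
    awk '$1 == "__default__" { print $2; exit }'
}

# root_is_explicitly_mapped: succeed only if root has its own entry, so it
# will not silently follow a changed __default__ mapping.
root_is_explicitly_mapped() {
    awk '$1 == "root" { found = 1 } END { exit found ? 0 : 1 }'
}

# Wrappers over the constructed sample so the results can be checked.
sample_default_seuser() { printf '%s' "$SAMPLE_LOGINS" | default_seuser; }
sample_guest_logins()   { printf '%s' "$SAMPLE_LOGINS" | logins_for_user guest_u; }
sample_root_mapped() {
    printf '%s' "$SAMPLE_LOGINS" | root_is_explicitly_mapped && echo yes || echo no
}

printf '__default__ -> %s\n' "$(sample_default_seuser)"
printf 'guest_u logins: %s\n' "$(sample_guest_logins | tr '\n' ' ')"
printf 'root explicitly mapped: %s\n' "$(sample_root_mapped)"
```

       On the constructed listing the script reports unconfined_u as the
       default, joe as the only guest_u login, and root as explicitly
       mapped.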

USER DESCRIPTION

       The SELinux user guest_u is defined in policy as an unprivileged
       user.  SELinux prevents unprivileged users from doing administration
       tasks without transitioning to a different role.



SUDO

X WINDOWS LOGIN

       The SELinux user guest_u is not able to log in via X Windows.



NETWORK

       The SELinux user guest_u is able to listen on the following tcp ports.

              1716


       The SELinux user guest_u is able to connect to the following tcp ports.

              9080

              88,750,4444



BOOLEANS

       SELinux policy is customizable based on the least access required.
       guest policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run guest with the tightest
       access possible.


       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean.  Enabled by default.

       setsebool -P deny_bluetooth 1


       If you want to deny applications in user domains the ability to map
       a memory region as both executable and writable, you must turn on
       the deny_execmem boolean.  Such a mapping is dangerous, and an
       executable that needs it should be reported in bugzilla.  Enabled by
       default.

       setsebool -P deny_execmem 1


       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean.  Enabled by default.

       setsebool -P fips_mode 1


       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean.  Enabled by default.

       setsebool -P httpd_enable_cgi 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean.  Enabled by default.

       setsebool -P kerberos_enabled 1


       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean.  This
       should never, ever be necessary; it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should
       be reported in bugzilla.  Enabled by default.

       setsebool -P selinuxuser_execstack 1


       If you want to allow users to use an ssh chroot environment, you
       must turn on the selinuxuser_use_ssh_chroot boolean.  Disabled by
       default.

       setsebool -P selinuxuser_use_ssh_chroot 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean.  Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean.  Disabled by default.

       setsebool -P use_samba_home_dirs 1


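       The following POSIX shell script is an added example and is not part
       of the sepolicy-generated page.  It takes the booleans listed in this
       section, with the defaults stated for them above, and compares them
       against the "name --> value" lines that "getsebool -a" prints,
       reporting every boolean that has drifted from its documented default
       and the "setsebool -P" command that would restore it.  The getsebool
       excerpt embedded in it is constructed; the function names are the
       example's own.

```sh
#!/bin/sh
# Added example, not part of the sepolicy-generated page.
# Detects drift of the booleans listed in the BOOLEANS section from the
# defaults the page states for them. The getsebool listing below is
# constructed; on a live host use:  getsebool -a | boolean_drift

# Boolean defaults exactly as stated in the BOOLEANS section.
EXPECTED_DEFAULTS='deny_bluetooth on
deny_execmem on
fips_mode on
httpd_enable_cgi on
kerberos_enabled on
selinuxuser_execstack on
selinuxuser_use_ssh_chroot off
use_nfs_home_dirs off
use_samba_home_dirs off'

# Constructed `getsebool -a` excerpt with two booleans changed from default:
# deny_execmem switched off (weaker) and use_nfs_home_dirs switched on.
# virt_use_nfs is present to show that unlisted booleans are ignored.
SAMPLE_GETSEBOOL='deny_bluetooth --> on
deny_execmem --> off
fips_mode --> on
httpd_enable_cgi --> on
kerberos_enabled --> on
selinuxuser_execstack --> on
selinuxuser_use_ssh_chroot --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
virt_use_nfs --> off'

# boolean_drift: read getsebool output on stdin and print one line per
# listed boolean whose current value differs from EXPECTED_DEFAULTS.
boolean_drift() {
    awk -v expected="$EXPECTED_DEFAULTS" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                want[kv[1]] = kv[2]
            }
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] {
            printf "%s expected=%s actual=%s\n", $1, want[$1], $3
        }'
}

# drift_count: number of drifted booleans in the constructed sample.
drift_count() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift | wc -l | tr -d ' '
}

# restore_commands: print (do not run) the setsebool -P invocation that
# puts each drifted boolean back to its documented default.
restore_commands() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift |
        awk '{ split($2, e, "="); printf "setsebool -P %s %s\n", $1, e[2] }'
}

printf 'drifted booleans: %s\n' "$(drift_count)"
restore_commands
```

       On the constructed excerpt two booleans are reported, deny_execmem
       and use_nfs_home_dirs; the -P flag in the printed commands makes the
       restored value persist across reboots, as it does in the commands
       listed above.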

HOME_EXEC

       The SELinux user guest_u is able to execute home content files.



TRANSITIONS

       Three things can happen when guest_t attempts to execute a program.

       1. SELinux Policy can deny guest_t from executing the program.


       2. SELinux Policy can allow guest_t to execute the program in the
       current user type.

              Execute the following to see the types that guest_t can
              execute without transitioning:

              sesearch -A -s guest_t -c file -p execute_no_trans


       3. SELinux can allow guest_t to execute the program and transition to
       a new type.

              Execute the following to see the types that guest_t can
              execute and transition to:

              sesearch -A -s guest_t -c process -p transition



MANAGED FILES

       The SELinux process type guest_t can manage files labeled with the
       following file types.  The paths listed are the default paths for
       these file types.  Note that the process's UID still needs to have
       DAC permissions.

       alsa_home_t

            /home/[^/]+/.asoundrc

       auth_cache_t

            /var/cache/coolkey(/.*)?

       cifs_t


       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t


       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       nfs_t


       pkcs_slotd_tmpfs_t

            /dev/shm/var.lib.opencryptoki.*

       user_home_type

            all user home files

       user_tmp_type

            all user tmp files


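       The following POSIX shell script is an added example and is not part
       of the sepolicy-generated page.  It takes the default path patterns
       listed above for the types that have one and reports which of those
       guest_t-manageable types a given path would carry, which is a quick
       way to see whether a file a guest user touches falls inside the
       managed set.  The patterns are the page's own; the order in which
       they are tried (most specific first) is the script's assumption and a
       simplification of how the file context database is matched, so on a
       live host matchpathcon(8) gives the authoritative answer.  Types with
       no path pattern on the page (cifs_t, nfs_t, httpd_user_rw_content_t,
       user_home_type, user_tmp_type) are not covered.

```sh
#!/bin/sh
# Added example, not part of the sepolicy-generated page.
# Classifies a path against the default file-context patterns listed in the
# MANAGED FILES section. Each SPECS line is "TYPE REGEX"; the regexes are
# copied from the page, the order (most specific first) is this script's own
# simplification. Use matchpathcon(8) on a real system for the actual label.
SPECS='httpd_user_script_exec_t /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?
httpd_user_htaccess_t /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess
httpd_user_ra_content_t /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
httpd_user_content_t /home/[^/]+/((www)|(web)|(public_html))(/.+)?
alsa_home_t /home/[^/]+/.asoundrc
auth_cache_t /var/cache/coolkey(/.*)?
pkcs_slotd_tmpfs_t /dev/shm/var.lib.opencryptoki.*'

# managed_type PATH: print the first type whose pattern matches the whole of
# PATH (grep -x anchors the match), or "unlisted" if none does.
managed_type() {
    path=$1
    match=$(printf '%s\n' "$SPECS" | while read -r type regex; do
        if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
            printf '%s\n' "$type"
            break
        fi
    done)
    printf '%s\n' "${match:-unlisted}"
}

# Stand-alone run: classify a few constructed sample paths.
for p in /home/joe/public_html/index.html \
         /home/joe/public_html/cgi-bin/form.cgi \
         /home/joe/www/.htaccess \
         /home/joe/public_html/logs/access.log \
         /home/joe/.asoundrc \
         /etc/passwd; do
    printf '%s -> %s\n' "$p" "$(managed_type "$p")"
done
```

       The order matters: /home/joe/public_html/cgi-bin/form.cgi matches
       both the httpd_user_content_t and the httpd_user_script_exec_t
       pattern, and only the more specific script type is the useful answer.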

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), guest(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



mgrepl@redhat.com                    guest                    guest_selinux(8)