guest_selinux(8)      guest SELinux Policy documentation      guest_selinux(8)


NAME

       guest_u - Least privileged terminal user role - Security Enhanced
       Linux Policy


DESCRIPTION

       guest_u is an SELinux user defined in the SELinux policy. Each SELinux
       user has a default role, here guest_r. The default role in turn has a
       default type, guest_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       guest_u:guest_r:guest_t:s0

       Linux users are automatically assigned an SELinux user at login. Login
       programs use the SELinux user to assign the initial context to the
       user's shell.

       SELinux policy uses that context to control the user's access.

       By default, a Linux user with no mapping of their own gets the SELinux
       user recorded under the __default__ login entry.

       On targeted policy systems the __default__ entry is mapped to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default user mapping to use the guest_u
       user, you would execute:

       semanage login -m -s guest_u __default__

       If you want to map a single Linux user (joe) to the SELinux user
       guest_u, you would execute:

       semanage login -a -s guest_u joe

       Both commands need root. Changing a mapping only affects new logins;
       sessions that are already open keep their current context.
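
       The following is an added example; it is not part of the generated man
       page and not sepolicy or libselinux code. It resolves which SELinux
       user (and MLS range) a Linux login receives, applying the precedence
       libselinux uses on the seusers file that semanage login maintains: an
       exact login entry wins, then a %group entry naming one of the user's
       groups, then __default__. The seusers lines are constructed sample
       data in the login:seuser:mls_range format, not a real system's file.

```shell
#!/bin/sh
# Added example, not part of the generated man page. Resolves the SELinux
# user a login gets from seusers-format data (login:seuser:mls_range),
# using the precedence: exact login > %group entry > __default__.

SAMPLE_SEUSERS='
# constructed sample of /etc/selinux/targeted/seusers
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
joe:guest_u:s0
%kiosk:guest_u:s0
__default__:unconfined_u:s0-s0:c0.c1023
'

# resolve_seuser LOGIN "GROUP ..." SEUSERS_TEXT
# Prints "seuser mls_range"; exits 1 when no entry applies.
resolve_seuser() {
    printf '%s\n' "$3" | awk -F: -v login="$1" -v groups=" $2 " '
        /^[ \t]*$/ { next }                       # blank line
        /^[ \t]*#/ { next }                       # comment
        {
            # the MLS range itself contains ":" so take everything after field 2
            range = substr($0, length($1) + length($2) + 3)
        }
        $1 == login { user = $2; user_range = range; exit }   # exact login wins
        substr($1, 1, 1) == "%" && grp_user == "" {
            # first %group entry naming one of the supplied groups
            if (index(groups, " " substr($1, 2) " ")) { grp_user = $2; grp_range = range }
        }
        $1 == "__default__" { def_user = $2; def_range = range }
        END {
            if (user != "")     { print user, user_range; exit 0 }
            if (grp_user != "") { print grp_user, grp_range; exit 0 }
            if (def_user != "") { print def_user, def_range; exit 0 }
            exit 1
        }'
}

# Stand-alone demonstration against the constructed data.
resolve_seuser joe "joe users" "$SAMPLE_SEUSERS"   # guest_u s0 (own entry)
resolve_seuser ann "ann kiosk" "$SAMPLE_SEUSERS"   # guest_u s0 (via %kiosk)
resolve_seuser bob "bob users" "$SAMPLE_SEUSERS"   # unconfined_u s0-s0:c0.c1023 (__default__)
```

       On a live system the same question is answered by semanage login -l
       for the mapping and by id -Z in a fresh session for the resulting
       context. After adding a mapping for an existing account, relabel the
       home directory with restorecon -RFv /home/joe so the user part of the
       file contexts matches the new SELinux user (-F is needed because plain
       restorecon only resets the type).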

USER DESCRIPTION

       The SELinux user guest_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.


SUDO

X WINDOWS LOGIN

       The SELinux user guest_u is not able to log in via X Windows.


NETWORK

       The SELinux user guest_u is able to listen on the following tcp ports.

              1716

       The SELinux user guest_u is able to connect to the following tcp ports.

              9080

              88,750,4444


BOOLEANS

       SELinux policy is customizable based on the least access required. The
       guest policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run guest with the tightest access
       possible.

       If you want to deny all system processes and Linux users the use of
       bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Disabled by default.

       setsebool -P deny_bluetooth 1

       If you want to deny user domain applications from mapping a memory
       region as both executable and writable (this is dangerous, and such an
       executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Disabled by default.

       setsebool -P deny_execmem 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. Enabled
       by default. This should never, ever be necessary: it probably indicates
       a badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla. Because the boolean is on
       by default, the hardening step is the same command with 0 instead of
       1.

       setsebool -P selinuxuser_execstack 1

       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1
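
       The following is an added example, not part of the generated man page
       and not sepolicy code. It compares the booleans listed above against a
       hardened baseline and emits the setsebool -P commands needed to close
       the gap. The baseline values are this example's own choice, not policy
       defaults: deny_execmem on and selinuxuser_execstack off remove the W+X
       mappings the descriptions above call dangerous, and the remaining
       booleans are pinned to their defaults so drift in either direction is
       reported. The getsebool -a output is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the generated man page. Compares live boolean
# state (getsebool -a format) against a baseline and prints the remediation.

# Baseline chosen for this example: "boolean desired" pairs.
BASELINE='
deny_execmem on
selinuxuser_execstack off
selinuxuser_use_ssh_chroot off
httpd_enable_cgi on
httpd_unified off
use_nfs_home_dirs off
use_samba_home_dirs off
'

# Constructed sample of `getsebool -a` output from an unhardened system.
SAMPLE_GETSEBOOL='deny_bluetooth --> off
deny_execmem --> off
fips_mode --> on
httpd_enable_cgi --> on
httpd_unified --> off
kerberos_enabled --> on
selinuxuser_execstack --> on
selinuxuser_use_ssh_chroot --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> on'

# boolean_drift BASELINE GETSEBOOL_OUTPUT
# Prints one "setsebool -P name value" line per boolean that differs from the
# baseline and "missing: name" for baseline entries the policy does not define.
# Exit status 0 when nothing differs, 1 otherwise.
boolean_drift() {
    printf '%s\n' "$2" | awk -v baseline="$1" '
        # index the live state from "name --> value" lines
        NF == 3 && $2 == "-->" { live[$1] = $3 }
        END {
            n = split(baseline, lines, "\n")
            drift = 0
            for (i = 1; i <= n; i++) {
                if (split(lines[i], f, " ") != 2) continue   # blank line
                name = f[1]; want = f[2]
                if (!(name in live)) {
                    print "missing: " name; drift = 1
                } else if (live[name] != want) {
                    val = (want == "on") ? 1 : 0
                    print "setsebool -P " name " " val; drift = 1
                }
            }
            exit drift
        }'
}

# Stand-alone demonstration against the constructed data.
boolean_drift "$BASELINE" "$SAMPLE_GETSEBOOL" || echo "baseline drift detected"

# On a real system (as root), review and then apply:
#   boolean_drift "$BASELINE" "$(getsebool -a)"
#   boolean_drift "$BASELINE" "$(getsebool -a)" | grep '^setsebool' | sh
```

       Turning deny_execmem on or selinuxuser_execstack off breaks programs
       that rely on writable and executable memory, typically JIT compilers;
       test the workloads that run in guest_t before applying the change with
       -P, which rewrites the policy store and takes effect on every boot.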

HOME_EXEC

       The SELinux user guest_u is able to execute home content files.


TRANSITIONS

       Three things can happen when guest_t attempts to execute a program.

       1. SELinux policy can deny guest_t from executing the program.

       2. SELinux policy can allow guest_t to execute the program in the
       current user type.

              Execute the following to see the file types that guest_t can
              execute without transitioning:

              sesearch -A -s guest_t -c file -p execute_no_trans

       3. SELinux can allow guest_t to execute the program and transition to a
       new type.

              Execute the following to see the process types that guest_t can
              transition to:

              sesearch -A -s guest_t -c process -p transition


MANAGED FILES

       The SELinux process type guest_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permission.

       alsa_home_t

            /home/[^/]+/.asoundrc

       auth_cache_t

            /var/cache/coolkey(/.*)?

       cifs_t

       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t

       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       nfs_t

       user_home_type

            all user home files

       user_tmp_type

            all user tmp files


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), guest(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

mgrepl@redhat.com                    guest                    guest_selinux(8)