xguest_selinux(8)     xguest SELinux Policy documentation    xguest_selinux(8)



NAME

       xguest_u - Least privileged X Windows user role - Security Enhanced
       Linux Policy


DESCRIPTION

       xguest_u is an SELinux user defined in the SELinux policy. Every SELinux
       user has a default role; for xguest_u it is xguest_r. The default role
       has a default type, xguest_t, associated with it.

       The SELinux user will usually log in to a system with a context that
       looks like:

       xguest_u:xguest_r:xguest_t:s0

       Linux users are automatically assigned an SELinux user at login. Login
       programs use the SELinux user to assign the initial context to the
       user's shell or session.

       SELinux policy uses the context to control the user's access.

       By default, any Linux user without an explicit mapping is assigned the
       SELinux user named by the __default__ entry.

       On targeted policy systems the __default__ entry maps to the
       unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings using:

       semanage login -l

       If you wanted to change the default mapping so that every unmapped user
       becomes xguest_u, you would execute:

       semanage login -m -s xguest_u __default__

       Do this only after the administrative accounts you rely on have their
       own explicit mappings (root is listed separately by default; check the
       semanage login -l output). xguest_u cannot perform administration
       tasks, so a mistake here leaves administrators in the guest role at
       their next login.

       If you want to map one Linux user (joe) to the SELinux user xguest_u,
       you would execute:

       semanage login -a -s xguest_u joe

       The mapping takes effect at joe's next login; sessions that are already
       open keep their current context.


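       The following script is an added example; it is not part of the
       sepolicy-generated page or of the xguest policy. It shows how a login
       name is resolved against the semanage login table (an exact login entry
       wins, then a %group entry, then __default__, which is the order
       libselinux uses when it reads the seusers file) and wraps the two
       semanage commands above with the checks an administrator wants before
       running them. The login table in the script is constructed sample output
       of semanage login -l; the %guests group, the users joe, alice and bob,
       and the function names are assumptions of the example.

```bash
#!/bin/bash
# Added example: how a Linux login is resolved to an SELinux user from the
# semanage login table, plus guarded versions of the two semanage commands
# shown above.  Precedence is the one libselinux applies when it reads the
# seusers file: an exact login name, then a %group entry, then __default__.
#
# Constructed sample of `semanage login -l` output (not captured from a host).
# The %guests group and the user joe are assumptions for the demonstration.
SAMPLE_LOGIN_TABLE='
                Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
%guests              xguest_u             s0                   *
joe                  xguest_u             s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
'

# lookup_entry TABLE NAME -> prints the SELinux user of the row whose first
# column is exactly NAME, or nothing when there is no such row.
lookup_entry() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2; exit }'
}

# resolve_seuser TABLE LOGIN [GROUP...] -> the SELinux user LOGIN would get.
resolve_seuser() {
    local table=$1 login=$2 seuser g
    shift 2
    seuser=$(lookup_entry "$table" "$login")
    if [ -z "$seuser" ]; then
        for g in "$@"; do                       # %group entries, in order given
            seuser=$(lookup_entry "$table" "%$g")
            [ -n "$seuser" ] && break
        done
    fi
    [ -n "$seuser" ] || seuser=$(lookup_entry "$table" __default__)
    printf '%s\n' "$seuser"
}

# admin_mapping_exists TABLE -> success if some explicit login (not the
# __default__ entry) maps to an SELinux user that can administer the system.
# xguest_u cannot, so __default__ must not be switched to it without one.
admin_mapping_exists() {
    printf '%s\n' "$1" | awk '
        $1 != "__default__" && ($2 == "unconfined_u" || $2 == "sysadm_u") { ok = 1 }
        END { exit !ok }'
}

# map_login LOGIN SEUSER -> the semanage commands from the text, with the
# checks first.  Needs root, semanage and restorecon; the offline functions
# above do not call it.
map_login() {
    local login=$1 seuser=$2 table home
    table=$(semanage login -l)
    semanage user -l | awk -v u="$seuser" '$1 == u { ok = 1 } END { exit !ok }' \
        || { echo "unknown SELinux user: $seuser" >&2; return 1; }
    if [ "$login" = __default__ ]; then
        admin_mapping_exists "$table" \
            || { echo "refusing: no explicit administrative login mapping" >&2; return 1; }
        semanage login -m -s "$seuser" __default__
    else
        semanage login -a -s "$seuser" "$login"
        # Files already in the home directory keep the old SELinux user in
        # their label until relabelled; -F resets that part as well.
        home=$(getent passwd "$login" | cut -d: -f6)
        [ -d "$home" ] && restorecon -FR "$home"
    fi
    echo "$login now resolves to $(resolve_seuser "$(semanage login -l)" "$login")"
}

# Offline demonstration against the constructed table:
resolve_seuser "$SAMPLE_LOGIN_TABLE" joe           # -> xguest_u     (exact row)
resolve_seuser "$SAMPLE_LOGIN_TABLE" alice guests  # -> xguest_u     (via %guests)
resolve_seuser "$SAMPLE_LOGIN_TABLE" bob           # -> unconfined_u (__default__)
```

       The resolution functions work on any pasted table and need no
       privileges; map_login calls semanage and restorecon and therefore needs
       root on a host with the xguest policy module installed.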

USER DESCRIPTION

       The SELinux user xguest_u is defined in policy as an unprivileged user.
       SELinux prevents unprivileged users from doing administration tasks
       without transitioning to a different role.



SUDO

X WINDOWS LOGIN

       The SELinux user xguest_u is able to log in via X Windows.



NETWORK

       The SELinux user xguest_u is able to listen on the following tcp ports.

              1716


       The SELinux user xguest_u is able to connect to the following tcp
       ports. The http ports among them (80, 81, 443, 488, 8008, 8009, 8443,
       9000) are reachable only while the xguest_connect_network boolean
       described under BOOLEANS is on; "all ports without defined types" means
       any port to which policy has not assigned a port type.

              53,853

              8955

              4713

              4331,5001

              80,81,443,488,8008,8009,8443,9000

              8080,8118,8123,10001-10010

              3128,3401,4827

              843,1935

              21,989,990

              631,8610-8614

              32768-60999

              all ports without defined types

              8000,9433,16001

              8036

              8081

              9080

              88,750,4444



BOOLEANS

       SELinux policy is customizable based on the least access required.
       xguest policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run xguest with the tightest access
       possible. Only the xguest_* booleans are specific to this role; the
       others listed here are shared with other domains, so changing them
       affects those domains as well. getsebool -a shows the current value of
       every boolean, and the -P flag to setsebool writes the change to the
       policy store so that it survives a reboot.


       If you want to allow xguest users to configure NetworkManager and
       connect to apache ports, you must turn on the xguest_connect_network
       boolean. Enabled by default.

       setsebool -P xguest_connect_network 1



       If you want to allow xguest users to mount removable media, you must
       turn on the xguest_mount_media boolean. Enabled by default.

       setsebool -P xguest_mount_media 1



       If you want to allow xguest users to use Bluetooth devices, you must
       turn on the xguest_use_bluetooth boolean. Enabled by default.

       setsebool -P xguest_use_bluetooth 1



       If you want to deny all system processes and Linux users the use of
       Bluetooth wireless technology, you must turn on the deny_bluetooth
       boolean. Disabled by default.

       setsebool -P deny_bluetooth 1



       If you want to deny applications in user domains the ability to map a
       memory region as both executable and writable, you must turn on the
       deny_execmem boolean. Disabled by default. Such mappings are dangerous,
       and an executable that needs one should be reported in bugzilla.

       setsebool -P deny_execmem 1



       If you want to deny any process from ptracing or debugging any other
       process, you must turn on the deny_ptrace boolean. Disabled by default.

       setsebool -P deny_ptrace 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to allow httpd CGI support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1



       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1



       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1



       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. Enabled
       by default. This should never, ever be necessary: it probably indicates
       a badly coded executable, but could indicate an attack, and the
       executable should be reported in bugzilla.

       setsebool -P selinuxuser_execstack 1



       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on
       the selinuxuser_rw_noexattrfile boolean. Enabled by default.

       setsebool -P selinuxuser_rw_noexattrfile 1



       If you want to allow users to use an ssh chroot environment, you must
       turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default.

       setsebool -P selinuxuser_use_ssh_chroot 1



       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1



       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


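       The following script is an added example, not part of the generated
       page or the xguest policy. It compares the live boolean state with a
       "tightest access" baseline for a guest role and emits the changes as a
       single setsebool -P invocation, which rebuilds policy once instead of
       once per boolean. The getsebool output in the script is constructed,
       and the baseline (xguest_* off, deny_execmem, deny_ptrace on,
       selinuxuser_execstack off) is one choice this example makes from the
       booleans listed above, not a default of the policy; deny_* and
       selinuxuser_* are system-wide, so verify other roles still work before
       applying it.

```bash
#!/bin/bash
# Added example: compare the live boolean state with a chosen "tightest access"
# baseline for a guest role and emit the changes as one setsebool -P call
# (setsebool accepts several name=value pairs and rebuilds policy once).
#
# Constructed `getsebool -a` output, not captured from a real host.
SAMPLE_GETSEBOOL='
deny_execmem --> off
deny_ptrace --> off
selinuxuser_execstack --> on
selinuxuser_rw_noexattrfile --> on
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
'

# One possible baseline for a locked-down guest (an assumption of this example,
# not a policy default): no network, media or Bluetooth for xguest, and the
# memory and ptrace denials from the BOOLEANS text turned on.  deny_* and
# selinuxuser_* are system-wide, so test them on the other roles too.
XGUEST_TIGHT_BASELINE='
xguest_connect_network=0
xguest_mount_media=0
xguest_use_bluetooth=0
deny_execmem=1
deny_ptrace=1
selinuxuser_execstack=0
'

# boolean_drift GETSEBOOL_OUTPUT BASELINE -> one name=value line for every
# boolean whose current state differs from the baseline; empty when compliant.
boolean_drift() {
    printf '%s\n' "$1" | awk -v baseline="$2" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], kv, "=") == 2) want[kv[1]] = kv[2] + 0
        }
        $2 == "-->" && ($1 in want) {
            cur = ($3 == "on") ? 1 : 0
            if (cur != want[$1]) printf "%s=%d\n", $1, want[$1]
        }'
}

# apply_baseline -> make the live system match the baseline in a single policy
# rebuild.  Needs root and the xguest module; not run by the offline checks.
apply_baseline() {
    local changes
    changes=$(boolean_drift "$(getsebool -a)" "$XGUEST_TIGHT_BASELINE")
    if [ -z "$changes" ]; then
        echo "already at baseline"
        return 0
    fi
    echo "applying: $changes"
    # word-splitting of $changes is intended: one name=value pair per argument
    # shellcheck disable=SC2086
    setsebool -P $changes
}

# Offline demonstration: which of the sample values would change.
boolean_drift "$SAMPLE_GETSEBOOL" "$XGUEST_TIGHT_BASELINE"
```

       Run boolean_drift on the real getsebool -a output first and read the
       list; apply_baseline is the only function that changes the system.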

HOME_EXEC

       The SELinux user xguest_u is able to execute files in home directories
       (home content). For a guest account this means a file downloaded or
       written into the home directory can be run; the deny_execmem and
       selinuxuser_execstack booleans above govern what such a program may then
       do with its memory.



TRANSITIONS

       Three things can happen when xguest_t attempts to execute a program.

       1. SELinux policy can deny xguest_t from executing the program.



       2. SELinux policy can allow xguest_t to execute the program in the
       current type, so the new process stays xguest_t.

              Execute the following to see the file types that the xguest_t
              domain can execute without transitioning:

              sesearch -A -s xguest_t -c file -p execute_no_trans



       3. SELinux policy can allow xguest_t to execute the program and
       transition to a new type.

              Execute the following to see the process types that xguest_t is
              allowed to transition to:

              sesearch -A -s xguest_t -c process -p transition

       An allowed transition is taken automatically only when a type_transition
       rule names the executable's file type; the allow rule on its own makes
       the transition permissible, it does not select it.


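       The following script is an added example, not part of the generated
       page or the xguest policy. Given the rules sesearch prints for a source
       domain, it works out which of the three outcomes above applies to an
       executable of a given file type, and classify_path does the same for a
       real file from its label and the live policy. The rule set in the
       script is constructed in sesearch output syntax; bin_t is a real type
       but the rules shown for it are not claimed to match the installed
       policy, and example_exec_t and example_t are made-up types.

```bash
#!/bin/bash
# Added example: decide which of the three outcomes above applies when xguest_t
# executes a file of a given type, by reading the rules sesearch prints.
# On a live system the rules come from (setools 4):
#     sesearch -A -s xguest_t -c file        # execute / execute_no_trans
#     sesearch -A -s xguest_t -c process     # which domains may be entered
#     sesearch -T -s xguest_t -c process     # automatic (type_transition) rules
#
# Constructed rule set in sesearch output syntax, not taken from the real
# xguest policy; example_exec_t and example_t are made-up types.
SAMPLE_RULES='
allow xguest_t bin_t:file { execute execute_no_trans getattr open read };
allow xguest_t example_exec_t:file { execute getattr open read };
allow xguest_t example_t:process transition;
type_transition xguest_t example_exec_t:process example_t;
'

# rule_has RULES SRC TGT CLASS PERM -> success if an allow rule grants PERM.
# Permissions appear either as one word or as a { ... } set.
rule_has() {
    printf '%s\n' "$1" | awk -v s="$2" -v t="$3:$4" -v p="$5" '
        $1 == "allow" && $2 == s && $3 == t {
            for (i = 4; i <= NF; i++) {
                gsub(/[{};]/, "", $i)
                if ($i == p) { found = 1; exit }
            }
        }
        END { exit !found }'
}

# default_transition RULES SRC EXEC_TYPE -> prints the domain a type_transition
# rule selects for this executable type, or nothing.
default_transition() {
    printf '%s\n' "$1" | awk -v s="$2" -v t="$3:process" '
        $1 == "type_transition" && $2 == s && $3 == t { sub(/;$/, "", $4); print $4; exit }'
}

# classify_exec RULES SRC EXEC_TYPE -> deny | notrans | transition:<domain>
classify_exec() {
    local rules=$1 src=$2 exec_type=$3 dest
    rule_has "$rules" "$src" "$exec_type" file execute || { echo deny; return 0; }
    dest=$(default_transition "$rules" "$src" "$exec_type")
    if [ -n "$dest" ] && rule_has "$rules" "$src" "$dest" process transition; then
        echo "transition:$dest"                 # outcome 3
    elif rule_has "$rules" "$src" "$exec_type" file execute_no_trans; then
        echo notrans                            # outcome 2: stays in $src
    else
        echo deny       # execute granted but no usable outcome: exec() fails
    fi
}

# classify_path PATH -> same verdict for a real file, using the file's label and
# the live policy (assumes setools and a labelled filesystem; not run offline).
classify_path() {
    local exec_type rules
    exec_type=$(stat -c %C "$1" | cut -d: -f3)
    rules=$(sesearch -A -s xguest_t -c file; sesearch -A -s xguest_t -c process
            sesearch -T -s xguest_t -c process)
    classify_exec "$rules" xguest_t "$exec_type"
}

# Offline demonstration against the constructed rules:
classify_exec "$SAMPLE_RULES" xguest_t bin_t           # -> notrans
classify_exec "$SAMPLE_RULES" xguest_t example_exec_t  # -> transition:example_t
classify_exec "$SAMPLE_RULES" xguest_t shadow_t        # -> deny
```

       The third branch of classify_exec is the case practitioners trip over:
       execute is granted but neither execute_no_trans nor a usable
       transition exists, so the exec() call fails even though sesearch shows
       an allow rule for the file.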

MANAGED FILES

       The SELinux process type xguest_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permission on
       the file: SELinux adds a further check, it never grants access that DAC
       would refuse. Types listed without a path have no default file-context
       entry; they are applied at runtime (tmpfs-backed types) or by an
       administrator with semanage fcontext or chcon.

       alsa_home_t

            /home/[^/]+/.asoundrc

       auth_cache_t

            /var/cache/coolkey(/.*)?

       chrome_sandbox_tmpfs_t


       gconf_tmp_t

            /tmp/gconfd-[^/]+/.*

       httpd_user_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/.htaccess

       httpd_user_ra_content_t

            /home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?

       httpd_user_rw_content_t


       httpd_user_script_exec_t

            /home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?

       noxattrfs

            all files on file systems which do not support extended attributes

       pulseaudio_tmpfs_t


       pulseaudio_tmpfsfile


       session_dbusd_tmp_t

            /var/run/user/[0-9]+/bus
            /var/run/user/[0-9]+/dbus(/.*)?
            /var/run/user/[0-9]+/dbus-1(/.*)?

       usbfs_t


       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_home_type

            all user home files

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user/[^/]+
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /var/run/user
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /var/run/user/[0-9]+
            /tmp/gconfd-[^/]+

       user_tmp_type

            all user tmp files

       xserver_tmpfs_t




COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), xguest_dbusd_selinux(8),
       xguest_gkeyringd_selinux(8)



mgrepl@redhat.com                   xguest                   xguest_selinux(8)