Hi,
In the "Confined and Unconfined Users" section[1], the confined user
table states that guest_u, xguest_t etc. can not execute applications in
~/ or /tmp. I have changed the "no"'s and "yes"'s to "optional", with a
link to the following section that appears at the end of the "Confining
Users" chapter[2]:
Booleans for Users Executing Applications
By default, Linux users in the guest_t and xguest_t domains can not
execute applications in their home directories or /tmp/, preventing them
from executing applications (which inherit users' permissions) in
directories they have write access to. This helps prevent flawed or
malicious applications from modifying files users' own.
The setsebool command must be run as the Linux root user. The setsebool
-P command makes persistent changes. Do not use the -P option if you do
not want changes to persist across reboots:
guest_t
To allow Linux users in the guest_t domain to execute applications in
their home directories and /tmp/:
/usr/sbin/setsebool allow_guest_exec_content on
xguest_t
To allow Linux users in the xguest_t domain to execute applications in
their home directories and /tmp/:
/usr/sbin/setsebool allow_xguest_exec_content on
user_t
To prevent Linux users in the user_t domain from executing applications
in their home directories and /tmp/:
/usr/sbin/setsebool allow_user_exec_content off
staff_t
To prevent Linux users in the staff_t domain from executing applications
in their home directories and /tmp/:
/usr/sbin/setsebool allow_staff_exec_content off
Thanks.
[1]
<http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html>
[2]
<http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Confining_Users.html>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
