Murray McAllister wrote:
> Hi,
>
> In the "Confined and Unconfined Users" section[1], the confined user
> table states that guest_u, xguest_t etc. can not execute applications in
> ~/ or /tmp. I have changed the "no"'s and "yes"'s to "optional", with a
> link to the following section that appears at the end of the "Confining
> Users" chapter[2]:
>
> Booleans for Users Executing Applications
>
> By default, Linux users in the guest_t and xguest_t domains can not
> execute applications in their home directories or /tmp/, preventing them
> from executing applications (which inherit users' permissions) in
> directories they have write access to. This helps prevent flawed or
> malicious applications from modifying files users own.
>
> The setsebool command must be run as the Linux root user. The setsebool
> -P command makes persistent changes. Do not use the -P option if you do
> not want changes to persist across reboots:
>
> guest_t
>
> To allow Linux users in the guest_t domain to execute applications in
> their home directories and /tmp/:
>
> /usr/sbin/setsebool allow_guest_exec_content on
>
> xguest_t
>
> To allow Linux users in the xguest_t domain to execute applications in
> their home directories and /tmp/:
>
> /usr/sbin/setsebool allow_xguest_exec_content on
>
> user_t
>
> To prevent Linux users in the user_t domain from executing applications
> in their home directories and /tmp/:
>
> /usr/sbin/setsebool allow_user_exec_content off
>
> staff_t
>
> To prevent Linux users in the staff_t domain from executing applications
> in their home directories and /tmp/:
>
> /usr/sbin/setsebool allow_staff_exec_content off
>
> Thanks.
>
>
> [1]
> <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html>
>
>
> [2]
> <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Confining_Users.html>
>

Ok looks good.
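An added example, not part of the original thread or the guide: a shell check that reads `getsebool -a` style output and reports which of the four exec_content booleans named above differ from the state the quoted text describes. The function names and the sample input are constructed for illustration, and the "on" default for user_t and staff_t is inferred from the quoted text.

```shell
#!/bin/sh
# State described in the quoted section: guest_t and xguest_t may not execute
# content in ~ or /tmp by default. The "on" default for user_t and staff_t is
# an assumption inferred from the "To prevent ..." wording.
expected_state() {
    case "$1" in
        allow_guest_exec_content|allow_xguest_exec_content) echo off ;;
        allow_user_exec_content|allow_staff_exec_content)   echo on ;;
        *) return 1 ;;
    esac
}

# Reads "name --> state" lines (the getsebool -a format) on stdin and prints,
# per boolean: "OK name state", "CHANGED name state (default X)", or
# "MISSING name" when the loaded policy does not list it under this name.
audit_exec_content() {
    input=$(cat)
    for name in allow_guest_exec_content allow_xguest_exec_content \
                allow_user_exec_content allow_staff_exec_content; do
        state=$(printf '%s\n' "$input" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3; exit }')
        want=$(expected_state "$name")
        if [ -z "$state" ]; then
            echo "MISSING $name"
        elif [ "$state" = "$want" ]; then
            echo "OK $name $state"
        else
            echo "CHANGED $name $state (default $want)"
        fi
    done
}

# Constructed sample input, not captured from a real host.
sample_getsebool() {
    cat <<'EOF'
allow_guest_exec_content --> on
allow_staff_exec_content --> on
allow_user_exec_content --> off
allow_xguest_exec_content --> off
httpd_enable_cgi --> on
EOF
}

# On a live system: getsebool -a | audit_exec_content
sample_getsebool | audit_exec_content
```

The check reports only the currently active value; whether a change was made with -P and will survive a reboot is not visible in this output.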