From: Murray McAllister <mmcallis@redhat.com>
To: SE Linux <selinux@tycho.nsa.gov>
Cc: Daniel Walsh <dwalsh@redhat.com>, Eric Paris <eparis@redhat.com>,
Dominick Grift <domg472@gmail.com>
Subject: user guide draft: "Booleans for Users Executing Applications"
Date: Fri, 28 Nov 2008 14:00:52 +1000 [thread overview]
Message-ID: <492F6CF4.3080405@redhat.com> (raw)
Hi,
In the "Confined and Unconfined Users" section[1], the confined user
table states that guest_u, xguest_t etc. can not execute applications in
~/ or /tmp. I have changed the "no"'s and "yes"'s to "optional", with a
link to the following section that appears at the end of the "Confining
Users" chapter[2]:
Booleans for Users Executing Applications
By default, Linux users in the guest_t and xguest_t domains can not
execute applications in their home directories or /tmp/, preventing them
from executing applications (which inherit users' permissions) in
directories they have write access to. This helps prevent flawed or
malicious applications from modifying files users' own.
The setsebool command must be run as the Linux root user. The setsebool
-P command makes persistent changes. Do not use the -P option if you do
not want changes to persist across reboots:
guest_t
To allow Linux users in the guest_t domain to execute applications in
their home directories and /tmp/:
/usr/sbin/setsebool allow_guest_exec_content on
xguest_t
To allow Linux users in the xguest_t domain to execute applications in
their home directories and /tmp/:
/usr/sbin/setsebool allow_xguest_exec_content on
user_t
To prevent Linux users in the user_t domain from executing applications
in their home directories and /tmp/:
/usr/sbin/setsebool allow_user_exec_content off
staff_t
To prevent Linux users in the staff_t domain from executing applications
in their home directories and /tmp/:
/usr/sbin/setsebool allow_staff_exec_content off
Thanks.
[1]
<http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html>
[2]
<http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Confining_Users.html>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2008-11-28 4:01 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-28 4:00 Murray McAllister [this message]
2008-11-28 12:34 ` user guide draft: "Booleans for Users Executing Applications" Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=492F6CF4.3080405@redhat.com \
--to=mmcallis@redhat.com \
--cc=domg472@gmail.com \
--cc=dwalsh@redhat.com \
--cc=eparis@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.