user guide draft: "Booleans for Users Executing Applications"

user guide draft: "Booleans for Users Executing Applications"

[Murray McAllister]

Hi,

In the "Confined and Unconfined Users" section[1], the confined user 
table states that guest_u, xguest_t etc. can not execute applications in 
~/ or /tmp. I have changed the "no"'s and "yes"'s to "optional", with a 
link to the following section that appears at the end of the "Confining 
Users" chapter[2]:

Booleans for Users Executing Applications

By default, Linux users in the guest_t and xguest_t domains can not 
execute applications in their home directories or /tmp/, preventing them 
from executing applications (which inherit users' permissions) in 
directories they have write access to. This helps prevent flawed or 
malicious applications from modifying files users' own.

The setsebool command must be run as the Linux root user. The setsebool 
-P command makes persistent changes. Do not use the -P option if you do 
not want changes to persist across reboots:

guest_t

To allow Linux users in the guest_t domain to execute applications in 
their home directories and /tmp/:

/usr/sbin/setsebool allow_guest_exec_content on

xguest_t

To allow Linux users in the xguest_t domain to execute applications in 
their home directories and /tmp/:

/usr/sbin/setsebool allow_xguest_exec_content on

user_t

To prevent Linux users in the user_t domain from executing applications 
in their home directories and /tmp/:

/usr/sbin/setsebool allow_user_exec_content off

staff_t

To prevent Linux users in the staff_t domain from executing applications 
in their home directories and /tmp/:

/usr/sbin/setsebool allow_staff_exec_content off

Thanks.


[1] 
<http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html>

[2] 
<http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Confining_Users.html>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: user guide draft: "Booleans for Users Executing Applications"

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Murray McAllister wrote:
> Hi,
> 
> In the "Confined and Unconfined Users" section[1], the confined user
> table states that guest_u, xguest_t etc. can not execute applications in
> ~/ or /tmp. I have changed the "no"'s and "yes"'s to "optional", with a
> link to the following section that appears at the end of the "Confining
> Users" chapter[2]:
> 
> Booleans for Users Executing Applications
> 
> By default, Linux users in the guest_t and xguest_t domains can not
> execute applications in their home directories or /tmp/, preventing them
> from executing applications (which inherit users' permissions) in
> directories they have write access to. This helps prevent flawed or
> malicious applications from modifying files users' own.
> 
> The setsebool command must be run as the Linux root user. The setsebool
> -P command makes persistent changes. Do not use the -P option if you do
> not want changes to persist across reboots:
> 
> guest_t
> 
> To allow Linux users in the guest_t domain to execute applications in
> their home directories and /tmp/:
> 
> /usr/sbin/setsebool allow_guest_exec_content on
> 
> xguest_t
> 
> To allow Linux users in the xguest_t domain to execute applications in
> their home directories and /tmp/:
> 
> /usr/sbin/setsebool allow_xguest_exec_content on
> 
> user_t
> 
> To prevent Linux users in the user_t domain from executing applications
> in their home directories and /tmp/:
> 
> /usr/sbin/setsebool allow_user_exec_content off
> 
> staff_t
> 
> To prevent Linux users in the staff_t domain from executing applications
> in their home directories and /tmp/:
> 
> /usr/sbin/setsebool allow_staff_exec_content off
> 
> Thanks.
> 
> 
> [1]
> <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html>
> 
> 
> [2]
> <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Confining_Users.html>
> 
Ok looks good.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkv5WMACgkQrlYvE4MpobNGdACeJ6NSPNZJH4V6eEcPgSkXxn37
oksAoK0pHIKQotXe6r9k0cku+9Y9WqOe
=jMMt
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.