[securityguide] Updated Confined Users with new content from RHEL 7.

Bara Ančincová bancinco at fedoraproject.org
Sun Aug 10 23:00:11 UTC 2014


commit 6e808f1da219eefced79f78e967470491aa73fbe
Author: Barbora Ancincova <bancinco at redhat.com>
Date:   Fri Aug 8 16:19:56 2014 +0200

    Updated Confined Users with new content from RHEL 7.

 en-US/Managing_Users.xml |  331 ++++++++++++++++++++++------------------------
 1 files changed, 158 insertions(+), 173 deletions(-)
---
diff --git a/en-US/Managing_Users.xml b/en-US/Managing_Users.xml
index 66cc315..dba9fcb 100644
--- a/en-US/Managing_Users.xml
+++ b/en-US/Managing_Users.xml
@@ -2,315 +2,300 @@
 <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 ]>
 
-<section id="sect-Security-Enhanced_Linux-Confining_Users">
+<section id="chap-Security-Enhanced_Linux-Confining_Users">
 	<title>Confining Users</title>
 	<para>
-		A number of confined SELinux users are available in &PRODUCT;&nbsp;&PRODVER;. Each Linux user is mapped to an SELinux user via SELinux policy, allowing Linux users to inherit the restrictions placed on SELinux users, for example (depending on the user), not being able to: run the X Window System; use networking; run setuid applications (unless SELinux policy permits it); or run the <command>su</command> and <command>sudo</command> commands. This helps protect the system from the user. Refer to <xref linkend="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users" /> for further information about confined users.
+		A number of confined SELinux users are available in &PRODUCT;. Each Linux user is mapped to an SELinux user using SELinux policy, allowing Linux users to inherit the restrictions placed on SELinux users, for example (depending on the user), not being able to: run the X Window System; use networking; run setuid applications (unless SELinux policy permits it); or run the <command>su</command> and <command>sudo</command> commands. This helps protect the system from the user. Refer to <xref linkend="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users" /> for further information about confined users.
 	</para>
 	<section id="sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">
 		<title>Linux and SELinux User Mappings</title>
 		<para>
-			As the Linux root user, run the <command>semanage login -l</command> command to view the mapping between Linux users and SELinux users:
+			As the root user, run the following command to view the mapping between Linux users and SELinux users:
 		</para>
 		
-<screen># /usr/sbin/semanage login -l
+<screen>
+<prompt>~]#</prompt>&#160;<command>semanage login -l</command>
 
-Login Name                SELinux User              MLS/MCS Range
+Login Name           SELinux User         MLS/MCS Range        Service
 
-__default__               unconfined_u              s0-s0:c0.c1023
-root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
+__default__          unconfined_u         s0-s0:c0.c1023       *
+root                 unconfined_u         s0-s0:c0.c1023       *
+system_u             system_u             s0-s0:c0.c1023       *
 </screen>
 		<para>
-			In &PRODUCT;&nbsp;&PRODVER;, Linux users are mapped to the SELinux <computeroutput>__default__</computeroutput> login by default (which is in turn mapped to the SELinux <computeroutput>unconfined_u</computeroutput> user). When a Linux user is created with the <command>useradd</command> command, if no options are specified, they are mapped to the SELinux <computeroutput>unconfined_u</computeroutput> user. The following defines the default-mapping:
+			In &PRODUCT;, Linux users are mapped to the SELinux <computeroutput>__default__</computeroutput> login by default (which is in turn mapped to the SELinux <systemitem>unconfined_u</systemitem> user). When a Linux user is created with the <command>useradd</command> command, if no options are specified, they are mapped to the SELinux <systemitem>unconfined_u</systemitem> user. The following defines the default-mapping:
 		</para>
 		
 <screen>
-__default__               unconfined_u              s0-s0:c0.c1023
+__default__          unconfined_u         s0-s0:c0.c1023       *
 </screen>
 	</section>
 	
 	<section id="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">
 		<title>Confining New Linux Users: useradd</title>
 		<para>
-			Linux users mapped to the SELinux <computeroutput>unconfined_u</computeroutput> user run in the <computeroutput>unconfined_t</computeroutput> domain. This is seen by running the <command>id -Z</command> command while logged-in as a Linux user mapped to <computeroutput>unconfined_u</computeroutput>:
+			Linux users mapped to the SELinux <systemitem>unconfined_u</systemitem> user run in the <systemitem>unconfined_t</systemitem> domain. This is seen by running the <command>id -Z</command> command while logged-in as a Linux user mapped to <systemitem>unconfined_u</systemitem>:
 		</para>
 		
 <screen>
-$ id -Z
+<prompt>~]$</prompt>&#160;<command>id -Z</command>
 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 </screen>
 		<para>
-			When Linux users run in the <computeroutput>unconfined_t</computeroutput> domain, SELinux policy rules are applied, but policy rules exist that allow Linux users running in the <computeroutput>unconfined_t</computeroutput> domain almost all access. If unconfined Linux users execute an application that SELinux policy defines can transition from the <computeroutput>unconfined_t</computeroutput> domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy. Note: this does not protect the system from the user. Instead, the user and the system are being protected from possible damage caused by a flaw in the application.
-		</para>
+                        When Linux users run in the <systemitem>unconfined_t</systemitem> domain, SELinux policy rules are applied, but policy rules exist that allow Linux users running in the <systemitem>unconfined_t</systemitem> domain almost all access. If unconfined Linux users execute an application that SELinux policy defines can transition from the <systemitem>unconfined_t</systemitem> domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy.
+                </para>
+                <note>
+                        <para>
+                                This does not protect the system from the user. Instead, the user and the system are being protected from possible damage caused by a flaw in the application.
+                        </para>
+                </note>
 		<para>
-			When creating Linux users with <command>useradd</command>, use the <option>-Z</option> option to specify which SELinux user they are mapped to. The following example creates a new Linux user, useruuser, and maps that user to the SELinux <computeroutput>user_u</computeroutput> user. Linux users mapped to the SELinux <computeroutput>user_u</computeroutput> user run in the <computeroutput>user_t</computeroutput> domain. In this domain, Linux users are unable to run setuid applications unless SELinux policy permits it (such as <command>passwd</command>), and can not run <command>su</command> or <command>sudo</command>, preventing them from becoming the Linux root user with these commands.
+			When creating Linux users with the <command>useradd</command> command, use the <option>-Z</option> option to specify which SELinux user they are mapped to. The following example creates a new Linux user, <literal>useruuser</literal>, and maps that user to the SELinux <systemitem>user_u</systemitem> user. Linux users mapped to the SELinux <systemitem>user_u</systemitem> user run in the <systemitem>user_t</systemitem> domain. In this domain, Linux users are unable to run setuid applications unless SELinux policy permits it (such as <systemitem>passwd</systemitem>), and cannot run the <command>su</command> or <command>sudo</command> command, preventing them from becoming the root user with these commands.
 		</para>
-		<orderedlist>
-			<listitem>
+                <procedure id="proc-managing-users-confining-new-linux-users-useradd">
+                        <title>Confining a New Linux User to <systemitem>user_u</systemitem> SELinux User</title>
+			<step>
 				<para>
-					As the Linux root user, run the <command>/usr/sbin/useradd -Z user_u useruuser</command> command to create a new Linux user (useruuser) that is mapped to the SELinux <computeroutput>user_u</computeroutput> user.
-				</para>
-			</listitem>
-			<listitem>
+					As root, create a new Linux user (<literal>useruuser</literal>) that is mapped to the SELinux <systemitem>user_u</systemitem> user.
+                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>useradd -Z user_u useruuser</command></screen>
+			</step>
+			<step>
 				<para>
-					As the Linux root user, run the <command>semanage login -l</command> command to view the mapping between the Linux <computeroutput>useruuser</computeroutput> user and <computeroutput>user_u</computeroutput>:
-				</para>
-				
+                                        To view the mapping between <literal>useruuser</literal> and <systemitem>user_u</systemitem>, run the following command as root:
+                                </para>
 <screen>
-# /usr/sbin/semanage login -l
+<prompt>~]#</prompt>&#160;<command>semanage login -l</command>
 
-Login Name                SELinux User              MLS/MCS Range
+Login Name           SELinux User         MLS/MCS Range        Service
 
-__default__               unconfined_u              s0-s0:c0.c1023
-root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
-useruuser                 user_u                    s0
+__default__          unconfined_u         s0-s0:c0.c1023       *
+root                 unconfined_u         s0-s0:c0.c1023       *
+system_u             system_u             s0-s0:c0.c1023       *
+useruuser            user_u               s0                   *
 </screen>
-			</listitem>
-			<listitem>
+			</step>
+			<step>
 				<para>
-					As the Linux root user, run the <command>passwd useruuser</command> command to assign a password to the Linux useruuser user:
+					As root, assign a password to the Linux <literal>useruuser</literal> user:
 				</para>
 				
 <screen>
-# passwd useruuser
+<prompt>~]#</prompt>&#160;<command>passwd useruuser</command>
 Changing password for user useruuser.
-New UNIX password: <replaceable>Enter a password</replaceable>
-Retype new UNIX password: <replaceable>Enter the same password again</replaceable> 
+New password: <replaceable>Enter a password</replaceable>
+Retype new password: <replaceable>Enter the same password again</replaceable> 
 passwd: all authentication tokens updated successfully.
 </screen>
-			</listitem>
-			<listitem>
+			</step>
+			<step>
 				<para>
-					Log out of your current session, and log in as the Linux useruuser user. When you log in, pam_selinux maps the Linux user to an SELinux user (in this case, <computeroutput>user_u</computeroutput>), and sets up the resulting SELinux context. The Linux user&#39;s shell is then launched with this context. Run the <command>id -Z</command> command to view the context of a Linux user:
+					Log out of your current session, and log in as the Linux <literal>useruuser</literal> user. When you log in, the <systemitem>pam_selinux</systemitem> module maps the Linux user to an SELinux user (in this case, <systemitem>user_u</systemitem>), and sets up the resulting SELinux context. The Linux user&#39;s shell is then launched with this context. Run the following command to view the context of a Linux user:
 				</para>
-				
 <screen>
-[useruuser at localhost ~]$ id -Z
+<prompt>~]$</prompt>&#160;<command>id -Z</command>
 user_u:user_r:user_t:s0
 </screen>
-			</listitem>
-			<listitem>
+			</step>
+			<step>
 				<para>
-					Log out of the Linux useruuser&#39;s session, and log back in with your account. If you do not want the Linux useruuser user, run the <command>/usr/sbin/userdel -r useruuser</command> command as the Linux root user to remove it, along with its home directory.
-				</para>
-			</listitem>
-		</orderedlist>
+					Log out of the Linux <literal>useruuser</literal>&#39;s session, and log back in with your account. If you do not want the Linux <literal>useruuser</literal> user, run the following command as root to remove it, along with its home directory:
+                                </para>
+<screen><prompt>~]#</prompt>&#160;<command>userdel -r useruuser</command></screen>
+			</step>
+		</procedure>
 	</section>
 	
 	<section id="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login">
-		<title>Confining Existing Linux Users: semanage login</title>
+                <title>Confining Existing Linux Users: semanage login</title>
 		<para>
-			If a Linux user is mapped to the SELinux <computeroutput>unconfined_u</computeroutput> user (the default behavior), and you would like to change which SELinux user they are mapped to, use the <command>semanage login</command> command. The following example creates a new Linux user named newuser, then maps that Linux user to the SELinux <computeroutput>user_u</computeroutput> user:
+			If a Linux user is mapped to the SELinux <systemitem>unconfined_u</systemitem> user (the default behavior), and you would like to change which SELinux user they are mapped to, use the <command>semanage login</command> command. The following example creates a new Linux user named <literal>newuser</literal>, then maps that Linux user to the SELinux <systemitem>user_u</systemitem> user:
 		</para>
-		<orderedlist>
-			<listitem>
+                <procedure id="proc-managing-users-confining-existing-linux-users-semanage-login">
+                        <title>Mapping Linux Users to the SELinux Users</title>
+			<step>
 				<para>
-					As the Linux root user, run the <command>/usr/sbin/useradd newuser</command> command to create a new Linux user (newuser). Since this user uses the default mapping, it does not appear in the <command>/usr/sbin/semanage login -l</command> output:
+					As the root user, create a new Linux user (<literal>newuser</literal>). Since this user uses the default mapping, it does not appear in the <command>semanage login -l</command> output:
 				</para>
-				
+<screen><prompt>~]#</prompt>&#160;<command>useradd newuser</command></screen>
 <screen>
-# /usr/sbin/semanage login -l
+<prompt>~]#</prompt>&#160;<command>semanage login -l</command>
 
-Login Name                SELinux User              MLS/MCS Range
+Login Name           SELinux User         MLS/MCS Range        Service
 
-__default__               unconfined_u              s0-s0:c0.c1023
-root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
+__default__          unconfined_u         s0-s0:c0.c1023       *
+root                 unconfined_u         s0-s0:c0.c1023       *
+system_u             system_u             s0-s0:c0.c1023       *
 </screen>
-			</listitem>
-			<listitem>
-				<para>
-					To map the Linux newuser user to the SELinux <computeroutput>user_u</computeroutput> user, run the following command as the Linux root user:
-				</para>
+			</step>
+			<step>
 				<para>
-					<command>/usr/sbin/semanage login -a -s user_u newuser</command>
+					To map the Linux <literal>newuser</literal> user to the SELinux <systemitem>user_u</systemitem> user, run the following command as root:
 				</para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>semanage login -a -s user_u newuser</command>
+</screen>
 				<para>
 					The <option>-a</option> option adds a new record, and the <option>-s</option> option specifies the SELinux user to map a Linux user to. The last argument, <computeroutput>newuser</computeroutput>, is the Linux user you want mapped to the specified SELinux user.
 				</para>
-			</listitem>
-			<listitem>
+			</step>
+			<step>
 				<para>
-					To view the mapping between the Linux newuser user and <computeroutput>user_u</computeroutput>, run the <command>semanage login -l</command> command as the Linux root user:
+					To view the mapping between the Linux <literal>newuser</literal> user and <systemitem>user_u</systemitem>, use the <systemitem>semanage</systemitem> utility again:
 				</para>
-				
 <screen>
-# /usr/sbin/semanage login -l
+<prompt>~]#</prompt>&#160;<command>semanage login -l</command>
 
-Login Name                SELinux User              MLS/MCS Range
+Login Name           SELinux User         MLS/MCS Range        Service
 
-__default__               unconfined_u              s0-s0:c0.c1023
-newuser                   user_u                    s0
-root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
+__default__          unconfined_u         s0-s0:c0.c1023       *
+newuser              user_u               s0                   * 
+root                 unconfined_u         s0-s0:c0.c1023       *
+system_u             system_u             s0-s0:c0.c1023       *
 </screen>
-			</listitem>
-			<listitem>
+			</step>
+			<step>
 				<para>
-					As the Linux root user, run the <command>passwd newuser</command> command to assign a password to the Linux newuser user:
+					As root, assign a password to the Linux <literal>newuser</literal> user:
 				</para>
-				
 <screen>
-# passwd newuser
+<prompt>~]#</prompt>&#160;<command>passwd newuser</command>
 Changing password for user newuser.
-New UNIX password: <replaceable>Enter a password</replaceable>
-Retype new UNIX password: <replaceable>Enter the same password again</replaceable> 
+New password: <replaceable>Enter a password</replaceable>
+Retype new password: <replaceable>Enter the same password again</replaceable> 
 passwd: all authentication tokens updated successfully.
 </screen>
-			</listitem>
-			<listitem>
+			</step>
+			<step>
 				<para>
-					Log out of your current session, and log in as the Linux newuser user. Run the <command>id -Z</command> command to view the newuser&#39;s SELinux context:
+					Log out of your current session, and log in as the Linux <literal>newuser</literal> user. Run the following command to view the <literal>newuser</literal>&#39;s SELinux context:
 				</para>
-				
 <screen>
-[newuser at rlocalhost ~]$ id -Z
-user_u:user_r:user_t:s0
-</screen>
-			</listitem>
-			<listitem>
+<prompt>~]$</prompt>&#160;<command>id -Z</command>
+user_u:user_r:user_t:s0</screen>
+			</step>
+			<step>
 				<para>
-					Log out of the Linux newuser&#39;s session, and log back in with your account. If you do not want the Linux newuser user, run the <command>userdel -r newuser</command> command as the Linux root user to remove it, along with its home directory. Also, the mapping between the Linux newuser user and <computeroutput>user_u</computeroutput> is removed:
+                                        Log out of the Linux <literal>newuser</literal>&#39;s session, and log back in with your account. If you do not want the Linux <literal>newuser</literal> user, run the following command as root to remove it, along with its home directory:
+                                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>userdel -r newuser</command>
+</screen>                                        
+                                <para>        
+                                        As root, remove the mapping between the Linux <literal>newuser</literal> user and <systemitem>user_u</systemitem>:
 				</para>
-				
+<screen><prompt>~]#</prompt>&#160;<command>semanage login -d newuser</command></screen>
 <screen>
-# /usr/sbin/userdel -r newuser
-# /usr/sbin/semanage login -l
+<prompt>~]#</prompt>&#160;<command>semanage login -l</command>
 
-Login Name                SELinux User              MLS/MCS Range
+Login Name           SELinux User         MLS/MCS Range        Service
 
-__default__               unconfined_u              s0-s0:c0.c1023
-root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
+__default__          unconfined_u         s0-s0:c0.c1023       *
+root                 unconfined_u         s0-s0:c0.c1023       *
+system_u             system_u             s0-s0:c0.c1023       *
 </screen>
-			</listitem>
-		</orderedlist>
+			</step>
+		</procedure>
 	</section>
 	
 	<section id="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">
 		<title>Changing the Default Mapping</title>
 		<para>
-			In &PRODUCT;&nbsp;&PRODVER;, Linux users are mapped to the SELinux <computeroutput>__default__</computeroutput> login by default (which is in turn mapped to the SELinux <computeroutput>unconfined_u</computeroutput> user). If you would like new Linux users, and Linux users not specifically mapped to an SELinux user to be confined by default, change the default mapping with the <command>semanage login</command> command.
-		</para>
-		<para>
-			For example, run the following command as the Linux root user to change the default mapping from <computeroutput>unconfined_u</computeroutput> to <computeroutput>user_u</computeroutput>:
+			In &PRODUCT;, Linux users are mapped to the SELinux <computeroutput>__default__</computeroutput> login by default (which is in turn mapped to the SELinux <systemitem>unconfined_u</systemitem> user). If you would like new Linux users, and Linux users not specifically mapped to an SELinux user to be confined by default, change the default mapping with the <command>semanage login</command> command.
 		</para>
 		<para>
-			<command>/usr/sbin/semanage login -m -S targeted -s "user_u" -r s0 __default__</command>
+			For example, run the following command as root to change the default mapping from <systemitem>unconfined_u</systemitem> to <systemitem>user_u</systemitem>:
 		</para>
+<screen><prompt>~]#</prompt>&#160;<command>semanage login -m -S targeted -s "user_u" -r s0 __default__</command>
+		</screen>
 		<para>
-			Run the <command>semanage login -l</command> command as the Linux root user to verify the <computeroutput>__default__</computeroutput> login is mapped to <computeroutput>user_u</computeroutput>:
+			Verify the <computeroutput>__default__</computeroutput> login is mapped to <systemitem>user_u</systemitem>:
 		</para>
-		
 <screen>
-# /usr/sbin/semanage login -l
+<prompt>~]#</prompt>&#160;<command>semanage login -l</command>
 
-Login Name                SELinux User              MLS/MCS Range
+Login Name           SELinux User         MLS/MCS Range        Service
 
-__default__               user_u                    s0
-root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
+__default__          user_u               s0-s0:c0.c1023       *
+root                 unconfined_u         s0-s0:c0.c1023       *
+system_u             system_u             s0-s0:c0.c1023       *
 </screen>
 		<para>
-			If a new Linux user is created and an SELinux user is not specified, or if an existing Linux user logs in and does not match a specific entry from the <command>semanage login -l</command> output, they are mapped to <computeroutput>user_u</computeroutput>, as per the <computeroutput>__default__</computeroutput> login.
+			If a new Linux user is created and an SELinux user is not specified, or if an existing Linux user logs in and does not match a specific entry from the <command>semanage login -l</command> output, they are mapped to <systemitem>user_u</systemitem>, as per the <computeroutput>__default__</computeroutput> login.
 		</para>
 		<para>
-			To change back to the default behavior, run the following command as the Linux root user to map the <computeroutput>__default__</computeroutput> login to the SELinux <computeroutput>unconfined_u</computeroutput> user:
+			To change back to the default behavior, run the following command as root to map the <computeroutput>__default__</computeroutput> login to the SELinux <systemitem>unconfined_u</systemitem> user:
 		</para>
-
-			
-<screen>/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r\
-s0-s0:c0.c1023 __default__
+<screen>
+<prompt>~]#</prompt>&#160;<command>semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__</command>
 </screen>
-
 	</section>
 	
 	<section id="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">
 		<title>xguest: Kiosk Mode</title>
 		<para>
-			The <package>xguest</package> package provides a kiosk user account. This account is used to secure machines that people walk up to and use, such as those at libraries, banks, airports, information kiosks, and coffee shops. The kiosk user account is very limited: essentially, it only allows users to log in and use <application>Firefox</application> to browse Internet websites. Any changes made while logged in with his account, such as creating files or changing settings, are lost when you log out.
+			The <package>xguest</package> package provides a kiosk user account. This account is used to secure machines that people walk up to and use, such as those at libraries, banks, airports, information kiosks, and coffee shops. The kiosk user account is very limited: essentially, it only allows users to log in and use <application>Firefox</application> to browse Internet websites. Any changes made while logged in with this account, such as creating files or changing settings, are lost when you log out.
 		</para>
 		<para>
 			To set up the kiosk account:
 		</para>
-		<orderedlist>
-			<listitem>
+		<procedure id="proc-managing-users-setting-up-the-kiosk-account">
+			<step>
 				<para>
-					As the Linux root user, run <command>yum install xguest</command> command to install the <package>xguest</package> package. Install dependencies as required.
-				</para>
-			</listitem>
-			<listitem>
+					As the root user, install the <package>xguest</package> package. Install dependencies as required:
+                                </para>
+<screen>
+<prompt>~]#</prompt>&#160;<command>yum install xguest</command>
+</screen>
+			</step>
+			<step>
 				<para>
-					In order to allow the kiosk account to be used by a variety of people, the account is not password-protected, and as such, the account can only be protected if SELinux is running in enforcing mode. Before logging in with this account, use the <command>getenforce</command> command to confirm that SELinux is running in enforcing mode:
+					In order to allow the kiosk account to be used by a variety of people, the account is not password-protected, and as such, the account can only be protected if SELinux is running in enforcing mode. Before logging in with this account, use the <systemitem>getenforce</systemitem> utility to confirm that SELinux is running in enforcing mode:
 				</para>
-				
 <screen>
-$ /usr/sbin/getenforce
+<prompt>~]$</prompt>&#160;<command>getenforce</command>
 Enforcing
 </screen>
-<!--	<para>
-					If this is not the case, refer to <xref linkend="" /> for information about changing to enforcing mode. It is not possible to log in with this account if SELinux is in permissive mode or disabled.
-				</para> -->
-			</listitem>
-			<listitem>
 				<para>
-					You can only log in to this account via the GNOME Display Manager (GDM). Once the <package>xguest</package> package is installed, a <computeroutput>Guest</computeroutput> account is added to GDM. To log in, click on the <computeroutput>Guest</computeroutput> account:
+					If this is not the case, see <xref linkend="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux" /> for information about changing to enforcing mode. It is not possible to log in with this account if SELinux is in permissive mode or disabled.
+				</para>
+			</step>
+			<step>
+				<para>
+					You can only log in to this account via the GNOME Display Manager (GDM). Once the <package>xguest</package> package is installed, a <computeroutput>Guest</computeroutput> account is added to the GDM login screen.
 				</para>
-				<mediaobject>
-					<imageobject>
-						<imagedata fileref="./images/xguest.png" format="PNG" />
-					</imageobject>
-				</mediaobject>
-			</listitem>
-		</orderedlist>
+			</step>
+		</procedure>
 	</section>
 	
 	<section id="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">
 		<title>Booleans for Users Executing Applications</title>
 		<para>
-			Not allowing Linux users to execute applications (which inherit users&#39; permissions) in their home directories and <filename>/tmp/</filename>, which they have write access to, helps prevent flawed or malicious applications from modifying files that users own. In &PRODUCT;&nbsp;&PRODVER;, by default, Linux users in the <computeroutput>guest_t</computeroutput> and <computeroutput>xguest_t</computeroutput> domains can not execute applications in their home directories or <filename>/tmp/</filename>; however, by default, Linux users in the <computeroutput>user_t</computeroutput> and <computeroutput>staff_t</computeroutput> domains can. 
+			Not allowing Linux users to execute applications (which inherit users&#39; permissions) in their home directories and the <filename class="directory">/tmp/</filename> directory, which they have write access to, helps prevent flawed or malicious applications from modifying files that users own. In &PRODUCT;, by default, Linux users in the <systemitem>guest_t</systemitem> and <systemitem>xguest_t</systemitem> domains cannot execute applications in their home directories or <filename class="directory">/tmp/</filename>; however, by default, Linux users in the <systemitem>user_t</systemitem> and <systemitem>staff_t</systemitem> domains can. 
 		</para>
 		<para>
-			Booleans are available to change this behavior, and are configured with the <command>setsebool</command> command. The <command>setsebool</command> command must be run as the Linux root user. The <command>setsebool -P</command> command makes persistent changes. Do not use the <option>-P</option> option if you do not want changes to persist across reboots:
-		</para>
-		<formalpara id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-guest_t">
-			<title>guest_t</title>
+			Booleans are available to change this behavior, and are configured with the <systemitem>setsebool</systemitem> utility, which must be run as the root user. The <command>setsebool -P</command> command makes persistent changes. Do not use the <option>-P</option> option if you do not want changes to persist across reboots:
+                </para>
+                <bridgehead renderas="sect2" id="brid-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-guest_t">guest_t</bridgehead>
 			<para>
-				To <emphasis>allow</emphasis> Linux users in the <computeroutput>guest_t</computeroutput> domain to execute applications in their home directories and <filename>/tmp/</filename>:
+				To <emphasis>allow</emphasis> Linux users in the <systemitem>guest_t</systemitem> domain to execute applications in their home directories and <filename class="directory">/tmp/</filename>:
 			</para>
-		</formalpara>
-		<para>
-			<command>/usr/sbin/setsebool -P allow_guest_exec_content on</command>
-		</para>
-		<formalpara id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-xguest_t">
-			<title>xguest_t</title>
+<screen><prompt>~]#</prompt>&#160;<command>setsebool -P guest_exec_content on</command></screen>
+                <bridgehead renderas="sect2" id="brid-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-xguest_t">xguest_t</bridgehead>
 			<para>
-				To <emphasis>allow</emphasis> Linux users in the <computeroutput>xguest_t</computeroutput> domain to execute applications in their home directories and <filename>/tmp/</filename>:
+				To <emphasis>allow</emphasis> Linux users in the <systemitem>xguest_t</systemitem> domain to execute applications in their home directories and <filename class="directory">/tmp/</filename>:
 			</para>
-		</formalpara>
-		<para>
-			<command>/usr/sbin/setsebool -P allow_xguest_exec_content on</command>
-		</para>
-		<formalpara id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-user_t">
-			<title>user_t</title>
+<screen><prompt>~]#</prompt>&#160;<command>setsebool -P xguest_exec_content on</command></screen> 
+                <bridgehead renderas="sect2" id="brid-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-user_t">user_t</bridgehead>
 			<para>
-				To <emphasis>prevent</emphasis> Linux users in the <computeroutput>user_t</computeroutput> domain from executing applications in their home directories and <filename>/tmp/</filename>:
+				To <emphasis>prevent</emphasis> Linux users in the <systemitem>user_t</systemitem> domain from executing applications in their home directories and <filename class="directory">/tmp/</filename>:
 			</para>
-		</formalpara>
-		<para>
-			<command>/usr/sbin/setsebool -P allow_user_exec_content off</command>
-		</para>
-		<formalpara id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-staff_t">
-			<title>staff_t</title>
+<screen><prompt>~]#</prompt>&#160;<command>setsebool -P user_exec_content off</command></screen>
+                <bridgehead renderas="sect2" id="brid-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-staff_t">staff_t</bridgehead>
 			<para>
-				To <emphasis>prevent</emphasis> Linux users in the <computeroutput>staff_t</computeroutput> domain from executing applications in their home directories and <filename>/tmp/</filename>:
+				To <emphasis>prevent</emphasis> Linux users in the <systemitem>staff_t</systemitem> domain from executing applications in their home directories and <filename class="directory">/tmp/</filename>:
 			</para>
-		</formalpara>
-		<para>
-			<command>/usr/sbin/setsebool -P allow_staff_exec_content off</command>
-		</para>
+<screen><prompt>~]#</prompt>&#160;<command>setsebool -P staff_exec_content off</command></screen> 
 	</section>
 </section>
 
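Review bot: In the "Changing the Default Mapping" section the new sample output disagrees with the command above it. The command passes `-r s0`, but the added `semanage login -l` listing shows `__default__          user_u               s0-s0:c0.c1023       *`, while the removed listing showed `s0` and the `useruuser` and `newuser` rows added elsewhere in this patch show `s0` for `user_u`. Either the range in that row should be `s0`, or the `-r` argument should change, so that a reader verifying the mapping sees what the guide shows. Separately, the top-level id changes from `sect-Security-Enhanced_Linux-Confining_Users` to `chap-Security-Enhanced_Linux-Confining_Users` while the element stays `<section>`: the `chap-` prefix no longer matches the element, and any `linkend` elsewhere in the guide that points at the old id needs updating in the same commit. Smaller points: the added lines mix space and tab indentation, the `<screen>` holding the first `semanage login -m` command closes on its own tab-indented line, which adds a whitespace-only line to the rendered listing, and the new `newuser` row has trailing whitespace after the `*`.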

