Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing Listuser guide draft: "Booleans for Users Executing Applications"
From: Murray McAllister <mmcallis_at_redhat.com>
Date: Fri, 28 Nov 2008 14:00:52 +1000
In the "Confined and Unconfined Users" section[1], the confined user table states that guest_u, xguest_t etc. can not execute applications in ~/ or /tmp. I have changed the "no"'s and "yes"'s to "optional", with a link to the following section that appears at the end of the "Confining Users" chapter[2]: Booleans for Users Executing Applications By default, Linux users in the guest_t and xguest_t domains can not execute applications in their home directories or /tmp/, preventing them from executing applications (which inherit users' permissions) in directories they have write access to. This helps prevent flawed or malicious applications from modifying files users' own. The setsebool command must be run as the Linux root user. The setsebool -P command makes persistent changes. Do not use the -P option if you do not want changes to persist across reboots: guest_t To allow Linux users in the guest_t domain to execute applications in their home directories and /tmp/:
/usr/sbin/setsebool allow_guest_exec_content on xguest_t To allow Linux users in the xguest_t domain to execute applications in their home directories and /tmp/:
/usr/sbin/setsebool allow_xguest_exec_content on user_t To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp/:
/usr/sbin/setsebool allow_user_exec_content off staff_t To prevent Linux users in the staff_t domain from executing applications in their home directories and /tmp/:
/usr/sbin/setsebool allow_staff_exec_content off Thanks. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Thu 27 Nov 2008 - 23:01:10 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |