SELinux Mailing List

Re: user guide draft: "Booleans for Users Executing Applications"

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Fri, 28 Nov 2008 07:34:43 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Murray McAllister wrote:
> Hi,
>
> In the "Confined and Unconfined Users" section[1], the confined user
> table states that guest_u, xguest_t etc. can not execute applications in
> ~/ or /tmp. I have changed the "no"'s and "yes"'s to "optional", with a
> link to the following section that appears at the end of the "Confining
> Users" chapter[2]:
>
> Booleans for Users Executing Applications
>
> By default, Linux users in the guest_t and xguest_t domains can not
> execute applications in their home directories or /tmp/, preventing them
> from executing applications (which inherit users' permissions) in
> directories they have write access to. This helps prevent flawed or
> malicious applications from modifying files users own.
>
> The setsebool command must be run as the Linux root user. The setsebool
> -P command makes persistent changes. Do not use the -P option if you do
> not want changes to persist across reboots:
>
> guest_t
>
> To allow Linux users in the guest_t domain to execute applications in
> their home directories and /tmp/:
>
> /usr/sbin/setsebool allow_guest_exec_content on
>
> xguest_t
>
> To allow Linux users in the xguest_t domain to execute applications in
> their home directories and /tmp/:
>
> /usr/sbin/setsebool allow_xguest_exec_content on
>
> user_t
>
> To prevent Linux users in the user_t domain from executing applications
> in their home directories and /tmp/:
>
> /usr/sbin/setsebool allow_user_exec_content off
>
> staff_t
>
> To prevent Linux users in the staff_t domain from executing applications
> in their home directories and /tmp/:
>
> /usr/sbin/setsebool allow_staff_exec_content off
>
> Thanks.
>
>
> [1]
> <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html>
>
>
> [2]
> <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Confining_Users.html>
>

Ok looks good.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkv5WMACgkQrlYvE4MpobNGdACeJ6NSPNZJH4V6eEcPgSkXxn37
oksAoK0pHIKQotXe6r9k0cku+9Y9WqOe
=jMMt
-----END PGP SIGNATURE-----
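The draft quoted above gives four booleans and the setsebool invocations that change them. As an added example (not part of the mailing-list post or the Fedora guide), the script below audits a system's current boolean state against the defaults the draft describes (guest_t and xguest_t off; user_t and staff_t on, which is inferred from the draft's "to prevent" wording) and prints the setsebool command that would restore each drifted boolean. The input format is that of `getsebool -a` ("name --> state"); the sample output embedded here is constructed so the script runs offline, and on a real system it would be replaced by the live command.

```shell
#!/bin/sh
# Added example, not the guide's own code: audit the *_exec_content booleans
# from the draft against their documented defaults and report any drift.

# Expected defaults as described in the draft. guest/xguest: off by default;
# user/staff: on by default (inferred from the draft's "to prevent" sections).
expected_state() {
    case "$1" in
        allow_guest_exec_content|allow_xguest_exec_content) echo off ;;
        allow_user_exec_content|allow_staff_exec_content)   echo on ;;
        *) return 1 ;;   # not one of the four booleans we care about
    esac
}

# Reads "name --> state" lines (the `getsebool -a` format) on stdin and prints
# one line per boolean that differs from its expected default:
#   <name> <current> <expected> setsebool -P <name> <expected>
audit_exec_content() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue            # skip anything malformed
        want=$(expected_state "$name") || continue  # skip unrelated booleans
        if [ "$state" != "$want" ]; then
            printf '%s %s %s setsebool -P %s %s\n' \
                "$name" "$state" "$want" "$name" "$want"
        fi
    done
}

# Constructed sample of `getsebool -a` output (not captured from a real host):
# xguest has been switched on and staff switched off; the rest are at defaults.
SAMPLE_GETSEBOOL='allow_execheap --> off
allow_guest_exec_content --> off
allow_staff_exec_content --> off
allow_user_exec_content --> on
allow_xguest_exec_content --> on'

# Number of drifted booleans in the sample (used as a quick pass/fail signal).
drift_count() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_exec_content | wc -l | tr -d ' '
}

# On a real system use:  getsebool -a | audit_exec_content
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_exec_content
```

The script only reports; it never runs setsebool itself, so it can run as an unprivileged user from a monitoring job, with the printed commands left for root to apply. Note that later SELinux reference policies dropped the `allow_` prefix from these booleans (for example `xguest_exec_content`), so the names in `expected_state` are the Fedora 10 era names used by the draft and would need adjusting on a newer policy.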

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Fri 28 Nov 2008 - 07:34:48 EST

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

National Security Agency / Central Security Service