10.6.6. Booleans for Users Executing Applications
Not allowing Linux users to execute applications (which inherit users' permissions) in their home directories and the /tmp/
directory, which they have write access to, helps prevent flawed or malicious applications from modifying files that users own. In Fedora, by default, Linux users in the guest_t
and xguest_t
domains cannot execute applications in their home directories or /tmp/
; however, by default, Linux users in the user_t
and staff_t
domains can.
Booleans are available to change this behavior, and are configured with the setsebool
utility, which must be run as the root user. The setsebool -P
command makes persistent changes. Do not use the -P
option if you do not want changes to persist across reboots:
guest_t
To allow Linux users in the guest_t
domain to execute applications in their home directories and /tmp/
:
~]#
setsebool -P guest_exec_content on
xguest_t
To allow Linux users in the xguest_t
domain to execute applications in their home directories and /tmp/
:
~]#
setsebool -P xguest_exec_content on
user_t
To prevent Linux users in the user_t
domain from executing applications in their home directories and /tmp/
:
~]#
setsebool -P user_exec_content off
staff_t
To prevent Linux users in the staff_t
domain from executing applications in their home directories and /tmp/
:
~]#
setsebool -P staff_exec_content off