
10.6.6. Booleans for Users Executing Applications

Not allowing Linux users to execute applications (which inherit users' permissions) in their home directories and the /tmp/ directory, which they have write access to, helps prevent flawed or malicious applications from modifying files that users own. In Fedora, by default, Linux users in the guest_t and xguest_t domains cannot execute applications in their home directories or /tmp/; however, by default, Linux users in the user_t and staff_t domains can.
Booleans are available to change this behavior. They are configured with the setsebool utility, which must be run as the root user. The setsebool -P command makes changes persistent across reboots; omit the -P option if you want a change that lasts only until the next reboot:

guest_t

To allow Linux users in the guest_t domain to execute applications in their home directories and /tmp/:
~]# setsebool -P guest_exec_content on

xguest_t

To allow Linux users in the xguest_t domain to execute applications in their home directories and /tmp/:
~]# setsebool -P xguest_exec_content on

user_t

To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp/:
~]# setsebool -P user_exec_content off

staff_t

To prevent Linux users in the staff_t domain from executing applications in their home directories and /tmp/:
~]# setsebool -P staff_exec_content off
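The following POSIX shell script is an added example, not part of the Fedora documentation: it audits the four *_exec_content booleans against the Fedora defaults stated above (guest_t and xguest_t off, user_t and staff_t on) and prints the setsebool command that would restore any boolean that has drifted. It assumes the "name --> state" line format that getsebool prints; the sample getsebool output embedded in the script is constructed so the script runs without SELinux present.

```shell
#!/bin/sh
# Added example (not from the Fedora documentation): compare the four
# *_exec_content booleans against the Fedora defaults described above.
# On a real host feed it live output:  getsebool -a | audit_exec_content
# Defaults stated in the text: guest_t/xguest_t cannot execute content in
# their home directories and /tmp (booleans off); user_t/staff_t can (on).

# Documented default for a boolean name; prints nothing for other booleans.
expected_default() {
    case "$1" in
        guest_exec_content|xguest_exec_content) echo off ;;
        user_exec_content|staff_exec_content) echo on ;;
    esac
}

# Domain a boolean governs, derived from its name
# (guest_exec_content -> guest_t).
domain_for() {
    printf '%s_t\n' "${1%_exec_content}"
}

# Read "name --> state" lines on stdin (the getsebool format) and, for each
# of the four exec_content booleans, print:
#   <boolean> <domain> <current state> OK|DRIFT
# Unrelated booleans and malformed lines are skipped.
audit_exec_content() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        want=$(expected_default "$name")
        [ -n "$want" ] || continue
        if [ "$state" = "$want" ]; then verdict=OK; else verdict=DRIFT; fi
        printf '%s %s %s %s\n' "$name" "$(domain_for "$name")" "$state" "$verdict"
    done
}

# The setsebool command that restores a boolean to its documented default.
# It is printed, not executed, so the operator can review it first.
restore_command() {
    printf 'setsebool -P %s %s\n' "$1" "$(expected_default "$1")"
}

# Constructed sample of getsebool output: a host where guest_t has been
# granted exec rights and staff_t has had them removed (both are drift).
SAMPLE_GETSEBOOL='guest_exec_content --> on
xguest_exec_content --> off
user_exec_content --> on
staff_exec_content --> off
httpd_enable_homedirs --> off'

# Demo when run directly: audit the sample and show a restore command
# for every boolean that is not at its default.
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_exec_content | while read -r b d s v; do
    echo "$b ($d): $s [$v]"
    if [ "$v" = DRIFT ]; then
        echo "  to restore: $(restore_command "$b")"
    fi
done
```

Replace the constructed sample with `getsebool -a | audit_exec_content` to check a real system; the restore commands are only printed, so run them as root deliberately once you have confirmed the drift is not intentional.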