6.6. Booleans for Users Executing Applications
Not allowing Linux users to execute applications (which inherit the users' permissions) in their home directories and /tmp/, which they have write access to, helps prevent flawed or malicious applications from modifying files that users own. In Fedora 11, by default, Linux users in the guest_t and xguest_t domains cannot execute applications in their home directories or /tmp/; however, by default, Linux users in the user_t and staff_t domains can.
Booleans are available to change this behavior, and are configured with the setsebool command. The setsebool command must be run as the Linux root user. The setsebool -P command makes persistent changes. Do not use the -P option if you do not want changes to persist across reboots:

To allow Linux users in the guest_t domain to execute applications in their home directories and /tmp/:

    /usr/sbin/setsebool -P allow_guest_exec_content on

To allow Linux users in the xguest_t domain to execute applications in their home directories and /tmp/:

    /usr/sbin/setsebool -P allow_xguest_exec_content on

To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp/:

    /usr/sbin/setsebool -P allow_user_exec_content off

To prevent Linux users in the staff_t domain from executing applications in their home directories and /tmp/:

    /usr/sbin/setsebool -P allow_staff_exec_content off
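The following script is an added example, not part of the Fedora SELinux User Guide: it audits the four *_exec_content booleans against a site baseline by parsing `getsebool -a` output and prints (rather than runs) the setsebool -P commands needed to reach that baseline. The baseline values and the sample getsebool output are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Fedora SELinux User Guide): compare the
# *_exec_content booleans with a site baseline and emit the setsebool
# commands that would close the gap. Baseline and sample are assumptions.

# Constructed sample of `getsebool -a` output so the script runs offline;
# on a real host replace this with: getsebool -a
SAMPLE_GETSEBOOL='allow_guest_exec_content --> on
allow_staff_exec_content --> on
allow_user_exec_content --> on
allow_xguest_exec_content --> off'

# Assumed baseline: only user_t may execute content in $HOME and /tmp/.
BASELINE='allow_guest_exec_content off
allow_xguest_exec_content off
allow_user_exec_content on
allow_staff_exec_content off'

# current_value OUTPUT NAME: print the boolean's value, or "missing".
current_value() {
    printf '%s\n' "$1" | awk -v name="$2" \
        '$1 == name && $2 == "-->" { print $3; found = 1 }
         END { if (!found) print "missing" }'
}

# audit_exec_booleans OUTPUT: print "name current desired" for every
# boolean that differs from BASELINE; return 1 on any drift, else 0.
audit_exec_booleans() {
    drift=0
    while read -r name want; do
        have=$(current_value "$1" "$name")
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$name" "$have" "$want"
            drift=1
        fi
    done <<EOF
$BASELINE
EOF
    return $drift
}

# remediation_commands OUTPUT: one persistent setsebool command per
# drifted boolean, printed for review rather than executed.
remediation_commands() {
    audit_exec_booleans "$1" | while read -r name have want; do
        printf '/usr/sbin/setsebool -P %s %s\n' "$name" "$want"
    done
    return 0
}

# Demo against the constructed sample; nothing on the host is changed.
remediation_commands "$SAMPLE_GETSEBOOL"
```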