Search

6.6. Booleans for Users Executing Applications

download PDF
Not allowing Linux users to execute applications (which inherit users' permissions) in their home directories and /tmp/, which they have write access to, helps prevent flawed or malicious applications from modifying files that users own. In Red Hat Enterprise Linux 6, by default, Linux users in the guest_t and xguest_t domains cannot execute applications in their home directories or /tmp/; however, by default, Linux users in the user_t and staff_t domains can.
Booleans are available to change this behavior, and are configured with the setsebool command. The setsebool command must be run as the Linux root user. The setsebool -P command makes persistent changes. Do not use the -P option if you do not want changes to persist across reboots:

guest_t

To allow Linux users in the guest_t domain to execute applications in their home directories and /tmp/:
~]# setsebool -P allow_guest_exec_content on

xguest_t

To allow Linux users in the xguest_t domain to execute applications in their home directories and /tmp/:
~]# setsebool -P allow_xguest_exec_content on

user_t

To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp/:
~]# setsebool -P allow_user_exec_content off

staff_t

To prevent Linux users in the staff_t domain from executing applications in their home directories and /tmp/:
~]# setsebool -P allow_staff_exec_content off
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.