6.6. Booleans for Users Executing Applications
Not allowing Linux users to execute applications (which inherit users' permissions) in their home directories and the
/tmp
directory, which they have write access to, helps prevent flawed or malicious applications from modifying files that users own.
Booleans are available to change this behavior, and are configured with the
setsebool
utility, which must be run as root. The setsebool -P
command makes persistent changes. Do not use the -P
option if you do not want changes to persist across reboots:
guest_t
To prevent Linux users in the
guest_t
domain from executing applications in their home directories and /tmp
:
~]#
setsebool -P guest_exec_content off
xguest_t
To prevent Linux users in the
xguest_t
domain from executing applications in their home directories and /tmp
:
~]#
setsebool -P xguest_exec_content off
user_t
To prevent Linux users in the
user_t
domain from executing applications in their home directories and /tmp
:
~]#
setsebool -P user_exec_content off
staff_t
To prevent Linux users in the
staff_t
domain from executing applications in their home directories and /tmp
:
~]#
setsebool -P staff_exec_content off
To turn the
staff_exec_content
boolean on and to allow Linux users in the staff_t
domain to execute applications in their home directories and /tmp
:
~]#
setsebool -P staff_exec_content on