
9.5.6. Booleans for Users Executing Applications

Preventing Linux users from executing applications in their home directories and /tmp/, the two locations they can always write to, limits the damage a flawed or malicious application can do: a program a user runs inherits that user's permissions, so anything the user downloads or creates and then executes can modify every file the user owns. In Fedora 19, by default, Linux users in the guest_t and xguest_t domains cannot execute applications in their home directories or /tmp/; by default, Linux users in the user_t and staff_t domains can.
Booleans are available to change this behavior, and are configured with the setsebool command. A boolean applies to every Linux user mapped to the domain, not to an individual user. The setsebool command must be run as the Linux root user. The setsebool -P command writes the change into the policy so that it persists across reboots; without the -P option the change takes effect immediately but is lost at the next reboot. The current value of a boolean can be checked with getsebool, for example getsebool allow_user_exec_content. The booleans for each domain are:
guest_t
To allow Linux users in the guest_t domain to execute applications in their home directories and /tmp/:
/usr/sbin/setsebool -P allow_guest_exec_content on
xguest_t
To allow Linux users in the xguest_t domain to execute applications in their home directories and /tmp/:
/usr/sbin/setsebool -P allow_xguest_exec_content on
user_t
To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp/:
/usr/sbin/setsebool -P allow_user_exec_content off
staff_t
To prevent Linux users in the staff_t domain from executing applications in their home directories and /tmp/:
/usr/sbin/setsebool -P allow_staff_exec_content off
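The following shell script is an added example and is not part of the Fedora documentation. It reads the allow_*_exec_content booleans for the four login domains above from getsebool -a output and prints only the setsebool -P commands still needed to reach a locked-down policy in which no login domain may execute content from home directories or /tmp/. A constructed sample of getsebool -a output is embedded so the script runs offline; the live command is queried when the GETSEBOOL_OUTPUT variable is unset. The function names, the GETSEBOOL_OUTPUT variable and the sample values are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the Fedora SELinux guide: audit the
# allow_<domain>_exec_content booleans and print the remediation commands.

# Constructed sample of `getsebool -a` output (assumption: the live output
# uses the same "name --> on|off" format, which it does on Fedora).
SAMPLE_GETSEBOOL='allow_guest_exec_content --> off
allow_staff_exec_content --> on
allow_user_exec_content --> on
allow_xguest_exec_content --> off
httpd_can_network_connect --> off'

# exec_state <domain>: print "on", "off" or "unknown" for
# allow_<domain>_exec_content. Uses $GETSEBOOL_OUTPUT when set (offline
# testing, hypothetical variable), otherwise the live getsebool -a.
exec_state() {
    domain=$1
    if [ -n "${GETSEBOOL_OUTPUT:-}" ]; then
        out=$GETSEBOOL_OUTPUT
    elif ! out=$(getsebool -a 2>/dev/null); then
        echo "unknown"
        return 1
    fi
    printf '%s\n' "$out" | awk -v b="allow_${domain}_exec_content" \
        '$1 == b { print $3; found = 1 } END { if (!found) print "unknown" }'
}

# remediation <domain> <on|off>: print the setsebool -P command that brings
# the boolean to the desired value, nothing if it already matches, and fail
# when the boolean does not exist in the loaded policy.
remediation() {
    domain=$1
    want=$2
    cur=$(exec_state "$domain")
    if [ "$cur" = "unknown" ]; then
        echo "allow_${domain}_exec_content: boolean not present in policy" >&2
        return 1
    fi
    [ "$cur" = "$want" ] && return 0
    echo "/usr/sbin/setsebool -P allow_${domain}_exec_content ${want}"
}

# audit_locked_down: commands needed so that none of the four login domains
# from the section may execute content in home directories or /tmp/.
audit_locked_down() {
    for d in guest xguest user staff; do
        remediation "$d" off
    done
}

# Run with --demo to audit the constructed sample instead of the live system.
if [ "${1:-}" = "--demo" ]; then
    GETSEBOOL_OUTPUT=$SAMPLE_GETSEBOOL
    audit_locked_down
fi
```

Run as root without arguments on a Fedora host to see which setsebool -P commands are still needed; pipe the output to sh only after reviewing it, since the change is persistent and affects every user mapped to those domains.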