Product SiteDocumentation Site

6.6. Booleans for Users Executing Applications

Not allowing Linux users to execute applications (which inherit users' permissions) in their home directories and the /tmp/ directory, which they have write access to, helps prevent flawed or malicious applications from modifying files that users own. In Fedora, by default, Linux users in the guest_t and xguest_t domains cannot execute applications in their home directories or /tmp/; however, by default, Linux users in the user_t and staff_t domains can.
Booleans are available to change this behavior, and are configured with the setsebool utility, which must be run as the root user. The setsebool -P command makes persistent changes. Do not use the -P option if you do not want changes to persist across reboots:

guest_t

To allow Linux users in the guest_t domain to execute applications in their home directories and /tmp/:
~]# setsebool -P guest_exec_content on

xguest_t

To allow Linux users in the xguest_t domain to execute applications in their home directories and /tmp/:
~]# setsebool -P xguest_exec_content on

user_t

To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp/:
~]# setsebool -P user_exec_content off

staff_t

To prevent Linux users in the staff_t domain from executing applications in their home directories and /tmp/:
~]# setsebool -P staff_exec_content off