I belong to a Condo association and they sent out an Email with a .doc attachment to all owners. My wife downloaded the document onto her machine and called me to tell me that she was not able to read it. I saw the same document, and was able to read it so I suspected there was a problem with xguest. When I arrived home, I looked at the audit.log file and sure enough OpenOffice was being blocked by xguest policy.
I saw an avc that said, xguest_mozilla_t (firefox/openoffice) was not able to execute xguest_home_t or xguest_tmp_t. I thought this is strange, so I looked further. Turns out the doc file contained some kind of macros (I am guessing that is what they were) that OpenOffice gladly extracted into a tmp file and tried to execute. Now I have no idea what these macros were supposed to do, or what they did on my machine. But a tightly confined machine like xguest blocked the execution. It makes you step back and think about potential problems that can arise when a random Word Document can cause temporary files on your home dir to be executed.
You can toggle this behavior though the use of the boolean, allow_xguest_exec_content.
setsebool -P allow_xguest_exec_content=1
will allow xguest users to execute programs in thier home directories or on /tmp.
This is turned off by default.
Dan Walsh's Blog
- xguest blocks word document from executing temporary files...