I want to setup an account for him that I can use the "user switcher applet" to switch to , and then destroy the all the files he created when he logs out.
Here is how you do it.
First add the xguest user
useradd -Z xguest_u xguest
Now we want the home directory and tmp directories to be destroyed when he logs out so we are going to use pam_namespace. Edit the /etc/security/namespece.conf file and add a line like the following.
$HOME tmpfs tmpfs ~xguest
/var/tmp tmpfs tmpfs ~xguest
/tmp tmpfs tmpfs ~xguest
XWindows has just been changed to use a virtual file system. So now we can even use pam_namespace to mount over the /tmp directory. Hoorah for Adam Jackson. Awesome work.
If you have any world writable directories (What are you thinking?) Then you should add those to this list also.
Now we need to tell SELinux that we are going to support polyinstatiation.
Polyinstantiation means that two different users looking at the same file path, would see different files. So we set the allow_polyinstatiation boolean
setsebool -P allow_polyinstantiation on
pam_namespace will automatically create an populate the home directory from /etc/skel But in order to make SELinux labeling correct, we want to create two directories in /etc/skel
mkdir /etc/skel/.mozilla /etc/skel/.gnome2
Hopefully future versions of firefox and libgnome will do this by default.
Finally we need to tell /etc/pamd.d/gdm to use pam_namespace.
session required pam_namespace.so
You should be able to login as the xguest user now.
So now when the Pain in the butt, asks you to use your machine, you go up to you switch user pannel applet, select xguest, and log in the account. When they are done, you simply kill the xsession/log them out. Any files they left in /var/tmp, /tmp or ~xguest will be destroyed. So hopefully they can't leave any evilness around.
You can use this same method to setup a kiosk machine.