danwalsh


Dan Walsh's Blog

Got SELinux?


New Features in Fedora 8 - policy for that pain in the butt who wants to borrow your laptop ...
Last week I talked about policy for my wife.  Now I want to talk about that pain in the butt, friend or stranger that you meet who wants to use your computer for a minute to check something on the Web. 

I want to set up an account for him that I can switch to with the "user switcher applet", and then destroy all the files he created when he logs out.


Here is how you do it.

First add the xguest user

useradd -Z xguest_u xguest
passwd xguest
...

Now we want the home directory and tmp directories to be destroyed when he logs out, so we are going to use pam_namespace.  Edit the /etc/security/namespace.conf file and add lines like the following.

$HOME tmpfs tmpfs ~xguest
/var/tmp    tmpfs tmpfs ~xguest
/tmp     tmpfs tmpfs ~xguest

Note:
XWindows has just been changed to use a virtual file system.  So now we can even use pam_namespace to mount over the /tmp directory.  Hoorah for Adam Jackson. Awesome work.

If you have any world-writable directories (what are you thinking?), then you should add those to this list also.

Now we need to tell SELinux that we are going to support polyinstantiation.
Polyinstantiation means that two different users looking at the same file path would see different files. So we set the allow_polyinstantiation boolean.

setsebool -P allow_polyinstantiation on

pam_namespace will automatically create and populate the home directory from /etc/skel.  But in order to make SELinux labeling correct, we want to create two directories in /etc/skel.

mkdir /etc/skel/.mozilla /etc/skel/.gnome2 

Note:
    Hopefully future versions of firefox and libgnome will do this by default.



Finally we need to tell /etc/pam.d/gdm to use pam_namespace.

So add
session    required    pam_namespace.so
to /etc/pam.d/gdm

You should be able to login as the xguest user now.
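
A quick audit of the steps above, as an added example that is not from the original post: it checks that namespace.conf polyinstantiates $HOME, /tmp and /var/tmp with tmpfs for the guest user, that the PAM file loads pam_namespace, and that the two /etc/skel directories exist. The function names are hypothetical, and every path is passed as an argument.

```sh
#!/bin/sh
# Added example (not from the original post): audit the xguest setup.
# All paths are arguments, so the checks also work on copies of the files.

# Print each of $HOME, /tmp and /var/tmp that has no tmpfs entry in the
# namespace.conf file $1 whose "~" user list includes user $2.
missing_polydirs() {
    for dir in '$HOME' /tmp /var/tmp; do
        awk -v dir="$dir" -v user="$2" '
            /^[ \t]*#/ || NF < 4 { next }          # comments, short lines
            $1 == dir && $3 ~ /^tmpfs/ && $4 ~ /^~/ {
                n = split(substr($4, 2), ids, ",") # "~a,b" -> a b
                for (i = 1; i <= n; i++) if (ids[i] == user) found = 1
            }
            END { exit !found }' "$1" || printf '%s\n' "$dir"
    done
}

# Succeed if PAM file $1 has an active "session required pam_namespace.so".
pam_has_namespace() {
    awk '$1 == "session" && $2 == "required" && $3 ~ /pam_namespace\.so$/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Print the skeleton directories from the post that are absent under $1.
missing_skel_dirs() {
    for d in .mozilla .gnome2; do
        [ -d "$1/$d" ] || printf '%s\n' "$d"
    done
}

# Run all three checks; return non-zero if anything is missing.
# Arguments: namespace.conf, PAM file, skel directory, user name.
audit_xguest() {
    rc=0
    for dir in $(missing_polydirs "$1" "$4"); do
        echo "no tmpfs polyinstantiation of $dir for $4 in $1"; rc=1
    done
    pam_has_namespace "$2" || { echo "pam_namespace not enabled in $2"; rc=1; }
    for d in $(missing_skel_dirs "$3"); do
        echo "$3/$d is missing"; rc=1
    done
    return $rc
}
```

On the real system, source the script and run `audit_xguest /etc/security/namespace.conf /etc/pam.d/gdm /etc/skel xguest` as root; the boolean can be checked separately with `getsebool allow_polyinstantiation`.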

So now when the pain in the butt asks to use your machine, you go up to your switch user panel applet, select xguest, and log in to the account.  When they are done, you simply kill the X session/log them out.  Any files they left in /var/tmp, /tmp or ~xguest will be destroyed.  So hopefully they can't leave any evilness around.

You can use this same method to setup a kiosk machine.

Hey, wait, aren't you the pain-in-the-butt that always wants to borrow my laptop?
