Dan Walsh's Blog

Got SELinux?

Creating a Kiosk Account using SELinux and Fedora 8.
Over the last few months, in between playing my own personal version of Whack-A-Mole (AVC), I have been working on Role-Based Access Control (RBAC), or confining users.  As I have explained in previous blogs, I have defined a policy to be used for least-privileged login terminal and X Windows users.

One of the goals of this was to define a Kiosk User account.  The idea was to secure the machines that you can walk up to at the library, bank, airport or coffee shop and just log in and use the internet.  So I investigated how to do this with SELinux.

I demonstrated this account to Jonathan Blandford from the Fedora Desktop Team, who suggested it would be cool to use one of these accounts with Fast User Switching.
One problem with this: we need to be able to use this account without a password.  From a security standpoint, we can only protect the account if SELinux is enabled and in enforcing mode, so the password-less login must be refused whenever that is not the case.  We needed a new PAM module for this.  I asked Tomas Mraz to look into this and he created pam_selinux_permit.

man pam_selinux_permit

PAM_SELINUX_PERMIT(8)          Linux-PAM Manual          PAM_SELINUX_PERMIT(8)

       pam_selinux_permit - PAM module to allow/deny login depending on
       SELinux enforcement state

       pam_selinux_permit.so [debug] [conf=/path/to/config/file]

       The pam_selinux_permit module allows or denies login depending on
       SELinux enforcement state.

       When the user who is logging in matches an entry in the config file
       he is allowed access only when SELinux is in enforcing mode.
       Otherwise he is denied access. For users not matching any entry in the
       config file the pam_selinux_permit module returns the PAM_IGNORE
       return value.

       The config file contains a simple list of user names one per line. If
       the name is prefixed with @ character it means that all users in the
       group name match. If it is prefixed with a % character the SELinux user
       is used to match against the name instead of the account name. Note
       that when SELinux is disabled the SELinux user assigned to the account
       cannot be determined. This means that such entries are never matched
       when SELinux is disabled and pam_selinux_permit will return PAM_IGNORE.

Now we can create an xguest account with a disabled password (useradd sets none, and we never set one), mapped to the SELinux user xguest_u with -Z.  Then we set up gdm to use pam_selinux_permit.  The control field [success=done ignore=ignore default=bad] on the first auth line does the work: if pam_selinux_permit succeeds (the user is listed in sepermit.conf and SELinux is enforcing) the rest of the auth stack is skipped and no password is asked for; if it returns PAM_IGNORE (the user is not listed) the normal password modules run as usual; any other result (the user is listed but SELinux is not enforcing) makes the authentication fail.

# useradd -Z xguest_u xguest

# cat /etc/pam.d/gdm
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_env.so
auth       include     system-auth
auth       optional    pam_gnome_keyring.so auto_start
account    required    pam_nologin.so
account    include     system-auth
session    required    pam_selinux.so open
session    required    pam_namespace.so
session    optional    pam_gnome_keyring.so

Add the xguest user to /etc/security/sepermit.conf:
# cat /etc/security/sepermit.conf
# /etc/security/sepermit.conf
# Each line contains either:
#        - an user name
#        - a group name, with @group syntax
#        - a SELinux user name, with %seuser syntax
xguest

If SELinux is in enforcing mode, you can log into this account just by clicking on the xguest user.  If you try to reach this account by any means other than gdm you will not be able to log in: sshd, rshd and telnetd will all fail, because their PAM stacks do not include pam_selinux_permit and the account has no password for them to check against.
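As an added illustration (this is not code from the original post, nor from pam_selinux_permit itself), the following Python models the decision the gdm auth stack above makes for a login attempt.  It parses sepermit.conf entries using the rules quoted from the man page (user, @group, %seuser), accepts the optional ":argument" suffix (such as ":exclusive") that later versions of the file allow, and then applies the [success=done ignore=ignore default=bad] control to the module's result.  Group membership, SELinux users and the sample configuration are all constructed for the example rather than looked up on a real system.

```python
# Added example: a model of pam_selinux_permit plus the gdm auth stack shown
# above. Accounts and the configuration are constructed inline (assumption:
# nothing is read from the running system), so this runs offline.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


@dataclass(frozen=True)
class Entry:
    kind: str             # "user", "group" or "seuser"
    name: str
    args: FrozenSet[str]  # optional flags after ':', e.g. {"exclusive"}


@dataclass(frozen=True)
class Account:
    name: str
    groups: FrozenSet[str]
    seuser: Optional[str]  # None when SELinux is disabled: it cannot be determined


def parse_sepermit(text: str) -> List[Entry]:
    """One entry per line; '#' comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        args = frozenset(a.strip() for a in rest.split(":") if a.strip())
        if name.startswith("@"):
            entries.append(Entry("group", name[1:], args))
        elif name.startswith("%"):
            entries.append(Entry("seuser", name[1:], args))
        else:
            entries.append(Entry("user", name, args))
    return entries


def match_entry(entries: List[Entry], acct: Account) -> Optional[Entry]:
    """First entry matching the account; %seuser lines never match without SELinux."""
    for e in entries:
        if e.kind == "user" and e.name == acct.name:
            return e
        if e.kind == "group" and e.name in acct.groups:
            return e
        if e.kind == "seuser" and acct.seuser is not None and e.name == acct.seuser:
            return e
    return None


def pam_selinux_permit(entries: List[Entry], acct: Account, selinux: str) -> str:
    """selinux is 'enforcing', 'permissive' or 'disabled'. Listed users pass only
    in enforcing mode and are refused otherwise; everyone else gets PAM_IGNORE."""
    if match_entry(entries, acct) is None:
        return PAM_IGNORE
    return PAM_SUCCESS if selinux == "enforcing" else PAM_AUTH_ERR


def gdm_auth(entries: List[Entry], acct: Account, selinux: str, password_ok: bool) -> str:
    """'[success=done ignore=ignore default=bad] pam_selinux_permit.so' followed by
    the ordinary password modules (modelled by password_ok). 'done' ends the
    stack with success and no password prompt; 'ignore' lets the password
    modules decide; 'bad' records a failure the remaining modules cannot undo."""
    rc = pam_selinux_permit(entries, acct, selinux)
    if rc == PAM_SUCCESS:
        return "ALLOW (no password asked)"
    if rc == PAM_IGNORE:
        return "ALLOW" if password_ok else "DENY"
    return "DENY"


def other_service_auth(acct: Account, password_ok: bool) -> str:
    """sshd, rshd, telnetd: no pam_selinux_permit in their stacks, so only the
    password counts, and xguest's password is disabled."""
    return "ALLOW" if password_ok else "DENY"


# Constructed sample configuration and accounts (not taken from a real system).
SAMPLE_CONF = """\
# /etc/security/sepermit.conf
xguest
@kiosk
%xguest_u:exclusive
"""
ENTRIES = parse_sepermit(SAMPLE_CONF)
XGUEST = Account("xguest", frozenset({"xguest"}), "xguest_u")
XGUEST_NOSELINUX = Account("xguest", frozenset({"xguest"}), None)
ALICE = Account("alice", frozenset({"alice", "wheel"}), "staff_u")

if __name__ == "__main__":
    print("enforcing :", gdm_auth(ENTRIES, XGUEST, "enforcing", password_ok=False))
    print("permissive:", gdm_auth(ENTRIES, XGUEST, "permissive", password_ok=False))
    print("disabled  :", gdm_auth(ENTRIES, XGUEST_NOSELINUX, "disabled", password_ok=False))
    print("via sshd  :", other_service_auth(XGUEST, password_ok=False))
```

The three xguest lines print ALLOW (no password asked), DENY and DENY, and the sshd line prints DENY: exactly the behaviour described in the text, with the enforcing check done before any password module runs.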

If you put the machine into permissive mode or disable SELinux, you will no longer be able to log in as this user.  This will not affect a currently logged in user, however.

You can also use Fast User Switching to switch to this user.  Just add the User Switcher applet to your tool bar and select xguest; you should switch to this account and be automagically logged in.

To add additional security to this account, it would be useful to have all files and directories created by the xguest user removed, so that the next person who uses xguest is guaranteed a clean environment.  We can set up pam_namespace to generate a new home directory, /tmp and /var/tmp for every session, which are discarded when the X Windows session ends.  You need pam_namespace.so in /etc/pam.d/gdm for this, as shown above.

Also add these lines to /etc/security/namespace.conf:
# polydir   instance_prefix  method  list_of_uids
/tmp        tmpfs            tmpfs   ~xguest
/var/tmp    tmpfs            tmpfs   ~xguest
$HOME       tmpfs            tmpfs   ~xguest

This says to mount a fresh tmpfs on /tmp, /var/tmp and the $HOME directory, for xguest only, every time he logs in (the leading ~ restricts the rule to the users listed instead of excluding them).  Because the instances are tmpfs, everything written there is gone once the session's filesystems are unmounted.
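As an added example (not code from the original post or from pam_namespace), here is a small reader for namespace.conf lines that reports which directories get a private instance for a given user.  The field layout and the meaning of the user list (blank = every user, "a,b" = every user except a and b, "~a,b" = only a and b) follow namespace.conf(5); the users, home directories and the sample file are constructed for the example.

```python
# Added example: which namespace.conf rules apply to which user. The sample
# configuration and accounts below are constructed, not read from a system.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class PolyDir:
    polydir: str
    instance_prefix: str
    method: str
    users: FrozenSet[str]  # empty list_of_uids means the rule applies to everyone
    only_listed: bool      # True when list_of_uids started with '~'


def parse_namespace_conf(text: str) -> List[PolyDir]:
    """Parse 'polydir instance_prefix method [list_of_uids]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed namespace.conf line: {raw!r}")
        polydir, prefix, method = fields[:3]
        ulist = fields[3] if len(fields) > 3 else ""
        only_listed = ulist.startswith("~")
        names = frozenset(u for u in ulist.lstrip("~").split(",") if u)
        rules.append(PolyDir(polydir, prefix, method, names, only_listed))
    return rules


def instances_for(rules: List[PolyDir], user: str, home: str) -> Dict[str, str]:
    """Map each directory that is polyinstantiated for this user to its method.
    $HOME is expanded to the user's home directory, as pam_namespace does.
    A tmpfs instance lives only as long as the session's mount namespace, so
    nothing written to it survives once all the session's processes are gone."""
    out = {}
    for r in rules:
        listed = user in r.users
        applies = listed if r.only_listed else not listed
        if applies:
            path = home if r.polydir == "$HOME" else r.polydir
            out[path] = r.method
    return out


# Constructed sample: the three rules from the post.
SAMPLE_CONF = """\
# polydir   instance_prefix  method  list_of_uids
/tmp        tmpfs            tmpfs   ~xguest
/var/tmp    tmpfs            tmpfs   ~xguest
$HOME       tmpfs            tmpfs   ~xguest
"""
RULES = parse_namespace_conf(SAMPLE_CONF)

if __name__ == "__main__":
    print("xguest:", instances_for(RULES, "xguest", "/home/xguest"))
    print("dwalsh:", instances_for(RULES, "dwalsh", "/home/dwalsh"))
```

For xguest this reports tmpfs instances on /tmp, /var/tmp and /home/xguest; for any other user it reports nothing, which is the effect the ~ prefix is there to produce.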

I have generated an rpm package and spec file that will set this all up for you.  You can try this out at


There are three booleans that you can set for this account.
# getsebool -a | grep xguest

  • browser_confine_xguest

    This indicates whether the xguest account will transition to xguest_mozilla_t when it runs firefox/mozilla.  If you turn this boolean on, xguest will be able to browse the web using firefox/mozilla.  If you turn it off, the browser stays in the xguest user's own domain and will only be allowed to run locally: it will not have any access to the net.

  • browser_write_xguest_data

    This determines whether firefox can write to the home directory or not.  If this boolean is turned off, firefox will only be allowed to write to .mozilla and .gnome in the home directory.  If you wanted to add a download directory you could add a file context rule and label it xguest_mozilla_home_t:

    # semanage fcontext -a -t xguest_mozilla_home_t '/home/xguest/Download(/.*)?'
    # restorecon -R -v /home/xguest/Download

    Since $HOME is a fresh tmpfs on every xguest login (see namespace.conf above), the directory has to be recreated and relabeled for each session; the fcontext rule only takes effect when restorecon is run on it.  /etc/security/namespace.init, which pam_namespace invokes when it sets up a new instance, is one place to do that.

  • allow_xguest_exec_content

    This boolean determines whether the xguest account can execute files in its home directory or /tmp.  Leaving it off blocks attacks that rely on getting the user to download a program and run it.

I have created xguest.spec and xguest-1.0.0-1.fc8.noarch.rpm

out on
which will set everything up for you.  Try it out and tell me what you think.

nice man


2007-11-09 02:47 am (UTC)

seems cool man, SELinux is an amazing thing,
however it still lacks the easiness of other tools.

I'm using it to enforce security from my univ friends,
although they can compromise the system if they live boot a CD :(

however selinux has a lot of advantages and I'm grateful (a bit)
that the NSA has done something useful for once.
selinux is great, and I loved your article. a confined environment can
save a lot of problems, regarding local security.

it's still hard to implement but it's cool.
I'm gonna try it. good job man!!

Re: nice man


2007-11-19 09:46 pm (UTC)

Easy solution to LiveCD hole:

1) disable CD boot in BIOS
2) BIOS password
3) grub password

1. Set a BIOS password. 2. Disable booting off floppy/flash/CD in your BIOS. That way they need to get into your BIOS first and then change the boot settings.

>> it's still hard to implement but it's cool.
>> I'm gonna try it. good job man!!

I think so too!

pam usage


2007-11-15 04:01 am (UTC)

Small implementation nitpick:

The PAM module should be used for an account service (as it really has
nothing to do with authentication).

PAM allows integration of various authentication technologies


USB Keys


2007-12-03 08:26 pm (UTC)

It would be handy to allow secure access to a USB key for the Kiosk user to upload from (email attachments ?) and to download onto.
I imagine, though, that this is non trivial:
  • allow the user to mount/unmount a USB storage device,
  • allow read and write by browser to files on that USB device only (ie not any other mounted USB devices),
  • restrict execution of files on that device, etc.
Looks neat though, even if I don't have F8 yet to try it out :-)

Just my $0.02

The Latest Fedora 8 policy includes the boolean


which, when turned on, allows the xguest user to mount USB devices and write to them.

It would not differentiate between other mounted usb devices, but I think DAC would prevent the user from doing something to those.


Sabayon patch?


2008-01-05 12:14 pm (UTC)

Could be a good idea to add the sabayon patch to the xguest downloads? Or is sabayon already patched in the Fedora version? I can't get sabayon to work for xguest, will be trying the patch tomorrow.

It is packaged with Fedora.

BTW xguest is now available for Fedora 8.

/home/xguest not cleaned up


2008-01-31 02:48 pm (UTC)

I gave the xguest package a try but could not get it properly running. After installation of the xguest-1.0.6-2.fc8 rpm package the file /etc/security/namespace.conf has the entries you explained above. Also the /etc/pam.d/gdm has the namespace plugin loaded as described above. After a xguest login the directories /tmp and /var/tmp are changed but _not_ the $HOME directory. I can create files and after a logout they still exist.
Did I miss something?

Re: /home/xguest not cleaned up


2008-01-31 03:02 pm (UTC)

Ok, as it seems to me, the files which are created during the session stay until the next login of xguest. They get deleted as soon as the next xguest login starts. A little bit strange but OK ;-)

Re: /home/xguest not cleaned up


2008-01-31 03:25 pm (UTC)

I think you have stumbled upon a bug, that we have been fixing in pam_selinux_permit.

Not all processes are guaranteed to be killed on logout. So if a stray process (bonobo?) is still running, it will prevent pam_namespace from unmounting the homedir, and thus cleaning up the temporary file system. When you log in a second time, a new temporary file system gets mounted over the old homedir, so you see the files disappear.

The new pam_selinux_permit will allow us to set an exclusive flag.

# /etc/security/sepermit.conf
# Each line contains either:
# - an user name
# - a group name, with @group syntax
# - a SELinux user name, with %seuser syntax
# Each line can contain optional arguments separated by :
# The possible arguments are:
# - exclusive - only single login session will
# be allowed for the user and the user's processes
# will be killed on logout

This flag will prevent a user from logging in without a password if a process is running with this UID. AND it will try to kill all processes running with the UID when you log out, which would allow the homedir to be unmounted.

I hope to get this back ported to Fedora 8 and I will update the xguest package to take advantage.

Re: /home/xguest not cleaned up


2008-04-14 08:50 am (UTC)

At the beginning, sorry for my English :-((
I've a problem:
I need to create a Kiosk on Fedora 8 but I want to open only Windows applications from the wine tool on start.
Is it possible??
If yes, please explain to me step by step how I can do this.
I will add that I am a beginner user of Linux ;-(

Please HELP

Re: /home/xguest not cleaned up


2008-04-14 12:38 pm (UTC)

Please take questions like these to the Fedora-SELinux email list.

Re: /home/xguest not cleaned up


2008-04-14 01:07 pm (UTC)

Thanks danwalsh:)
