• 1

nice man

seems cool man, SELinux is an amazing thing,
however it still lacks the easinesse of other tools.

im using it to enforce security from my univ friends,
altough they can compromise the system if they live boot a cd :(

hoewver selinux have a lot of advantages and im grateful ( a bit )
that nsa has done something useful for once.
selinux is great, and i loved your article. a confined environment can
save a lot of problems, regarding local security.

it still hard to implement but its cool.
im gonna try it. good job man!!

Re: nice man

Easy solution to LiveCD hole:

1) disable CD boot in BIOS
2) BIOS password
3) grub password

Set a bios password 2. Disable booting off floppy/flash/cd in yoru bios That way they need to get into your bios first and then change the boot settings.

>> it still hard to implement but its cool.
>> im gonna try it. good job man!!

I think so too!

pam usage

Small implementation nitpick:

The PAM module should be used for an account service (as it really has
nothing to do with authentication).

PAM allows integration of various authentication technologies


USB Keys

It would be handy to allow secure access to a USB key for the Kiosk user to upload from (email attachments ?) and to download onto.
I imagine, though, that this is non trivial:
  • allow the user to mount/unmount a USB storage device,
  • allow read and write by browser to files on that USB device only (ie not any other mounted USB devices),
  • restrict execution of files on that device, etc.
Looks neat though, even if I don't have F8 yet to try it out :-)

Just my $0.02

The Latest Fedora 8 policy includes the boolean


Which when turned on allow the xguest user to mount usb devices and write to them.

It would not differentiate between other mounted usb devices, but I think DAC would prevent the user from doing something to those.

Intel wanted to do something better but felt it had to react to competition and thus released quickly made the just to have something.

Sabayon patch?

Could be a good idea to add the sabayon patch to the xguest downloads? Or is sabayon already patched in the Fedora version? I can't get sabayon to work for xguest, will be trying the patch tomorrow.

Re: Sabayon patch?

It is packages with Fedora.

BTW xguest is now available for Fedora 8.

/home/xguest not cleaned up

I gave the xguest package a try but could not get it properly running. After installation of the xguest-1.0.6-2.fc8 rpm package the file /etc/security/namespace.conf has the entries you explained above. Also the /etc/pam.d/gdm has the namespace plugin loaded as described above. After a xguest login the directories /tmp and /var/tmp are changed but _not_ the $HOME directory. I can create files and after a logout they still exist.
Did I miss something?

Re: /home/xguest not cleaned up

Ok, as it seems to me the fact that the files which are created during the session still stay as long as the next login of xguest. They get deleted as soon as the next xguest login starts. A little bit strange but OK ;-)

Re: /home/xguest not cleaned up

I think you have stumbled upon a bug, that we have been fixing in pam_selinux_permit.

Not all processes are guaranteed to be killed on logout. So if a stray process (bonobo?) is still running, it will prevent pam_namespace from unmounting the homedir, and thus cleaning up the temporary file system. When you log in a second time. A new temporary file system is getting mounted over the old homedir so you see the files dissapear.

The new pam_selinux_permit will allow us to set an exclusive flag.

# /etc/security/sepermit.conf
# Each line contains either:
# - an user name
# - a group name, with @group syntax
# - a SELinux user name, with %seuser syntax
# Each line can contain optional arguments separated by :
# The possible arguments are:
# - exclusive - only single login session will
# be allowed for the user and the user's processes
# will be killed on logout

This flag will prevent a user from logging in without a password if a process is running with this UID. AND it will try to kill all processes running with the UID when you log out, which would allow the homedir to be unmounted.

I hope to get this back ported to Fedora 8 and I will update the xguest package to take advantage.

Re: /home/xguest not cleaned up

at the beginning Sorry for my english:-((
I've problem:
I need to Creat a Kiosk on Fedora 8 but I want open only windows aplication from wine tool on start.
it is possible??
If Yes -Please explain me step by step how I can do this.
I will add I am beginner user of Linux;-(

Please HELP

Re: /home/xguest not cleaned up

Please take questions like these to the Fedora-SELinux email list.

Re: /home/xguest not cleaned up

Thanks danwalsh:)

  • 1

Log in