/home/xguest not cleaned up

I gave the xguest package a try but could not get it running properly. After installation of the xguest-1.0.6-2.fc8 rpm package, the file /etc/security/namespace.conf has the entries you explained above. Also, /etc/pam.d/gdm has the namespace plugin loaded as described above. After an xguest login the directories /tmp and /var/tmp are changed but _not_ the $HOME directory. I can create files and after a logout they still exist.
Did I miss something?

OK, it seems to me that the files created during the session stay until the next login of xguest. They get deleted as soon as the next xguest login starts. A little bit strange but OK ;-)

I think you have stumbled upon a bug that we have been fixing in pam_selinux_permit.

Not all processes are guaranteed to be killed on logout. So if a stray process (bonobo?) is still running, it will prevent pam_namespace from unmounting the homedir, and thus cleaning up the temporary file system. When you log in a second time, a new temporary file system is mounted over the old homedir, so you see the files disappear.

The new pam_selinux_permit will allow us to set an exclusive flag.

# /etc/security/sepermit.conf
# Each line contains either:
# - an user name
# - a group name, with @group syntax
# - a SELinux user name, with %seuser syntax
# Each line can contain optional arguments separated by :
# The possible arguments are:
# - exclusive - only single login session will
# be allowed for the user and the user's processes
# will be killed on logout

This flag will prevent a user from logging in without a password if a process is running with this UID. AND it will try to kill all processes running with the UID when you log out, which would allow the homedir to be unmounted.

I hope to get this backported to Fedora 8 and I will update the xguest package to take advantage.

Please take questions like these to the Fedora-SELinux email list.
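
The following is an added example, not part of the original comment and not code from pam_selinux_permit: a small Python parser for the sepermit.conf line format quoted above, plus a model of the "exclusive" login check as the comment describes it. The sample entries (`@kiosk`, `%guest_u`), the function names and the treatment of unlisted users are assumptions made for illustration.

```python
# Added example: parse the sepermit.conf format quoted in the comment and
# model the "exclusive" behaviour it describes. Not the PAM module's code.

# Constructed sample file contents (only "xguest" comes from the page).
SAMPLE_CONF = """\
# /etc/security/sepermit.conf (constructed sample)
xguest:exclusive
@kiosk
%guest_u:exclusive
"""

def parse_sepermit(text):
    """Return a list of (kind, name, args); kind is 'user', 'group' or 'seuser'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        name, *args = [part.strip() for part in line.split(":")]
        if name.startswith("@"):
            kind, name = "group", name[1:]
        elif name.startswith("%"):
            kind, name = "seuser", name[1:]
        else:
            kind = "user"
        entries.append((kind, name, frozenset(a for a in args if a)))
    return entries

def login_decision(entries, user, running_users, groups=(), seuser=None):
    """Model the check described above for a passwordless login attempt.

    running_users: names of users that still own at least one process
    (for example a stray process left over from the previous session).
    """
    for kind, name, args in entries:
        hit = ((kind == "user" and name == user)
               or (kind == "group" and name in groups)
               or (kind == "seuser" and name == seuser))
        if not hit:
            continue
        if "exclusive" in args and user in running_users:
            return "denied-stray-process"  # leftover process still holds the UID
        return "permitted"
    return "not-listed"  # assumption: this file says nothing about the user

if __name__ == "__main__":
    conf = parse_sepermit(SAMPLE_CONF)
    print(login_decision(conf, "xguest", running_users={"xguest"}))
```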

Thanks danwalsh:)

