danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Share Next Entry
X Guest Again
danwalsh
Now that Fedora 8 is approaching completion,  I have cut a new version of xguest.rpm

You must be fully updated to the latest rawhide.

To install you can copy down the rpm then execute

yum install --nogpgcheck xguest-1.0.1-2.fc8.noarch.rpm

This should also bring in the latest sabayon code.

This rpm will create an xguest user account with a disabled password.

You can not log into this account by anything but gdm when SELinux is in enforcing mode.

It uses pam_selinux_permit to perform this magic.

This rpm sets up pam_namespace to mount a temporary file system for /tmp, /var/tmp and $HOME.

It also uses sabayon to change the default login.  Basically it removes any of the privledged panel apps that a normal login session would run

setroubleshoot, network manager, performance manager. logout.

You should have a full login session, but not be able to talk to any network ports, other then using firefox to talk to the web, other apps like curl , and links will fail.  You can not run any setuid applications. 

Try it out and tell me what you think.

This is by design. I didn't want a kiosk user to be able to change the network settings on the machine. You can customize policy to allow this, though.

require {
type xguest_t;
}

#============= xguest_t ==============
networkmanager_dbus_chat(xguest_t)

This will allow the xguest user to run nm-applet to communicate with the NetworkManager. You would need to use sabayon to read nm-applet as a application on startup also.

With Kiosk you can create profiles that are attached to users or groups of users. A profile can define any KDE setting, but usually includes the contents of the desktop, panel, and K Menus, as well as the choice of wallpaper, default fonts, and widget style.

You are viewing danwalsh