danwalsh


Dan Walsh's Blog

Got SELinux?


Breaking news on Xguest.
danwalsh

When I first started talking about xguest, I described it as finally a policy I could use to control my wife, or at least her Internet activities.  It is a good thing she does not read my blog.  Well, this past week I updated her laptop to Fedora 8 (great distribution), and now she is officially logging in as the SELinux user xguest.  So far she has not noticed.  Next goal: my 75 year old father.  :^)

Which brings me to one of my pet projects.  A few years ago, my father decided he needed to get on the Internet.  It was the thing to do as a 70 year old retired guidance counselor, even though in forty years of teaching and guidance he had never typed anything; he always had secretaries for that.  So I helped him go out and buy a cheap PC for around four hundred dollars.  He wanted to do email and use the Internet.  The PC came with Windows XP on it; I helped him set it up, and we downloaded the latest Windows updates and virus protection tools.  I also put a Linksys router on his network to handle firewall duties.  Within a couple of weeks the machine was loaded with spyware and viruses, and he had pop-ups everywhere.  I, of course, am his 24-hour on-call system administrator, and I live 45 minutes away.  He was constantly calling me with problems.

I thought this was nuts, so I took my Fedora Core 3 CD with me and replaced the OS with Fedora.  My plan was to set up the machine with an ssh account and configure the Linksys router to let me in, so I could fix any problems he got into remotely.  Well, I never actually set up ssh, and over the last few years he has never had a problem.  His machine runs Fedora Core 6 with SELinux in enforcing mode, and over Thanksgiving I will upgrade him to Fedora 8.  He has not had a single problem with viruses, pop-ups or any other Windows-type problem on the Fedora box.  He has communicated with his friends and relatives, and his system administrator is very happy.  His only problem is that he accidentally moves panels around or removes menus from Firefox.  So I am planning to use Sabayon to lock down his desktop, and then xguest to further lock down his environment.  He loves Fedora and makes fun of his friends when they complain about problems with their computers.  Of course, he still stinks at typing.

Back to xguest.

One of the things I saw with my wife's laptop was that she was not able to connect to the network when she logged in, so I had to add NetworkManager_chat(xguest_t).  I will be adding this to the xguest policy in the next Fedora 8 policy.  I have also been contacted by some government people who do not want their users to use removable disks on their computers, so I needed to add a boolean controlling whether xguest_t can talk to hal to ask it to mount USB devices.  Currently xguest_t can also communicate with bluetooth devices.  I updated the xguest policy with three booleans to control access to removable devices, bluetooth and the network.

Also, other great news: SELinux policy upstream has accepted my patches for limited-access roles/users, and the current Reference Policy has my code in it.  Of course Christopher J. PeBenito changed the names of the interfaces.  If you want to create the least privileged X Windows login user, you can use the userdom_restricted_xwindows_user_template interface.  The least privileged terminal or ssh login is userdom_restricted_user_template.

My xguest policy for Fedora 8 (selinux-policy-3.0.8-57.fc8)  looks like:

policy_module(xguest,1.0.1)

## <desc>
## <p>
## Allow xguest users to mount removable media
## </p>
## </desc>
gen_tunable(xguest_mount_media,false)

## <desc>
## <p>
## Allow xguest to configure Network Manager
## </p>
## </desc>
gen_tunable(xguest_connect_network,false)

## <desc>
## <p>
## Allow xguest to use blue tooth devices
## </p>
## </desc>
gen_tunable(xguest_use_bluetooth,false)

userdom_restricted_xwindows_user_template(xguest)

mozilla_per_role_template(xguest, xguest_t, xguest_r)

# Allow mounting of file systems
optional_policy(`
        tunable_policy(`xguest_mount_media',`
                hal_dbus_chat(xguest_t)
        ')
')

optional_policy(`
        tunable_policy(`xguest_connect_network',`
                networkmanager_dbus_chat(xguest_t)
        ')
')

optional_policy(`
        tunable_policy(`xguest_use_bluetooth',`
                bluetooth_dbus_chat(xguest_t)
        ')
')
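The three booleans above only matter if each one actually gates the interface it claims to. As an added example (my own code, not from the post and not a refpolicy tool), the Python below parses a module in this format: it pulls each gen_tunable() with its "##" description and default, matches it against the tunable_policy() blocks that consult it, reports which interfaces xguest_t effectively receives for a given set of boolean settings, and flags any boolean that is declared but never used. The module text is the listing above embedded as a constructed string; the function names are my own choice.

```python
import re

# Constructed sample input: the xguest module as listed in the post, embedded
# here so the parser can run offline. Function and field names are my own.
XGUEST_TE = r"""policy_module(xguest,1.0.1)
## <desc>
## <p>
## Allow xguest users to mount removable media
## </p>
## </desc>
gen_tunable(xguest_mount_media,false)
## <desc>
## <p>
## Allow xguest to configure Network Manager
## </p>
## </desc>
gen_tunable(xguest_connect_network,false)
## <desc>
## <p>
## Allow xguest to use blue tooth devices
## </p>
## </desc>
gen_tunable(xguest_use_bluetooth,false)
userdom_restricted_xwindows_user_template(xguest)
mozilla_per_role_template(xguest, xguest_t, xguest_r)
# Allow mounting of file systems
optional_policy(`
        tunable_policy(`xguest_mount_media',`
                hal_dbus_chat(xguest_t)
        ')
')
optional_policy(`
        tunable_policy(`xguest_connect_network',`
                networkmanager_dbus_chat(xguest_t)
        ')
')
optional_policy(`
        tunable_policy(`xguest_use_bluetooth',`
                bluetooth_dbus_chat(xguest_t)
        ')
')
"""

TUNABLE_RE = re.compile(r"gen_tunable\(\s*(\w+)\s*,\s*(true|false)\s*\)")
# m4 quoting in refpolicy: a backtick opens a quote and an apostrophe closes it.
GATED_RE = re.compile(r"tunable_policy\(`(\w+)',`(.*?)'\)", re.S)


def parse_tunables(te_text):
    """Map each gen_tunable() name to its default and the '##' description
    (the <desc>/<p> comment block refpolicy's doc tools expect above it)."""
    tunables, pending = {}, []
    for line in te_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("##"):
            body = stripped[2:].strip()
            if body and not body.startswith("<"):   # skip the XML-ish tags
                pending.append(body)
            continue
        m = TUNABLE_RE.match(stripped)
        if m:
            tunables[m.group(1)] = {"default": m.group(2) == "true",
                                    "desc": " ".join(pending)}
        if stripped:                                # any code line ends a description
            pending = []
    return tunables


def parse_gated_calls(te_text):
    """Map each boolean consulted by tunable_policy() to the interface calls
    inside that block (comments and blank lines dropped)."""
    gated = {}
    for name, body in GATED_RE.findall(te_text):
        calls = [ln.strip() for ln in body.splitlines()
                 if ln.strip() and not ln.strip().startswith("#")]
        gated.setdefault(name, []).extend(calls)
    return gated


def active_interfaces(te_text, settings):
    """Interfaces xguest_t actually gets for the given boolean values;
    a boolean missing from `settings` keeps the module default."""
    tunables, gated = parse_tunables(te_text), parse_gated_calls(te_text)
    active = []
    for name, calls in gated.items():
        if settings.get(name, tunables.get(name, {}).get("default", False)):
            active.extend(calls)
    return active


def unused_tunables(te_text):
    """Booleans declared but never consulted: dead knobs an administrator
    might flip while believing they change anything. Should be empty."""
    return sorted(set(parse_tunables(te_text)) - set(parse_gated_calls(te_text)))


if __name__ == "__main__":
    for name, info in parse_tunables(XGUEST_TE).items():
        print(f"{name} (default {'on' if info['default'] else 'off'}): {info['desc']}")
    print("active with defaults:", active_interfaces(XGUEST_TE, {}))
    print("with network on:", active_interfaces(XGUEST_TE, {"xguest_connect_network": True}))
```

With all three booleans at their shipped default of false, the audit shows xguest_t getting none of the hal, NetworkManager or bluetooth D-Bus interfaces, which is the intended least-privilege starting point; the settings dictionary is where you would feed in the values an administrator has set on the host, so the report reflects the running system rather than the module defaults.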


xguest and rpm

(Anonymous)

2007-11-17 09:33 pm (UTC)

I have been using xguest for a while now, with a secondary account, and it's pretty cool, so thanks!

But I wonder, are there any plans to include SELinux support in rpm in the Fedora 9 road map, and if not, when? The reason I ask is that to me that seems to be the only major problem SELinux has (at least from a distribution perspective).

Thanks in advance.

