danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Add to Memories Share Next Entry
Introducing the Fedora Kiosk Spin
danwalsh
Fedora Kiosk

I have just published a Fedora Kiosk Live Image.

https://fedoraproject.org/wiki/Fedora_Kiosk

This image is still under development (as is F13). 

If you would like to play with it and give feedback, that would be great.

A while back I developed the xguest_t user type with the idea to build a kiosk type environment.  I built the xguest package which created an xguest_t user.  I also added pam_sepermit that would allow certain users (xguest) to login without a password if SELinux was on in enforcing mode.   It also uses pam_namespace to setup temporary home directory and /tmp directory.

My end goal was to create an operating system that could only be used as a kiosk.

Imagine a machine sitting at a library, that had no operating system on it, except a livedvd.  The livedvd has a disabled root account, and the only user account is xguest.  The xguest account can only talk to web ports and when you logout all files and processes get destroyed so there is nothing left in the user account for the next user to search for.  And since all processes are destroyed on logout, you can be assured no one left a process to watch your keystrokes.  If the machine gets hosed up for any reason, the library can just reboot the machine and have a clean system.

If someone wanted to enhance this system, they could build a live image, where iptables force all network traffic to go to a singe host or network.  You could lock down you kiosk to only work on said network. 

A couple of goals of mine, would be to get livecd-to-pxeboot to work.  Then you could have a machine in your environment that could download the operating system over the network and have no media available at the machine.
Currently the livedvd can be interrupted on boot.  I have a patch for livecd-tools that allows you to stop this, but it was not acceptable to upstream, since it only worked on x86 based machines.  I was adding totaltimeout=1 to the syslinux.cfg file.  This makes the boot uninterrupted.  If you build a liveusb you can cd into the syslinux directory and make this change yourself.

And yes this functionality will be available in Red Hat Enterprise Linux 6.




will have a try. thanks.

You may have just saved me a ton of (heart | head) aches. I am willing to run this at home. I did not look yet, does it support a USB flash drive?

I had not done it yet, but I was mentally going through all of the steps so that I would have a similar foundation for a std installation:

- write bash/perl script to wipe out current account and create a new user account every time user logs out
- create a base folder for a set of applications that can be used to access the Internet that will be accessible for all to use
- to the screen, throw a set of images of characters of what the user account name will be and the password at log out for the next use. User has to write down the next username and password or they will not be able to access as a standard user. If they forget, they must log in as root and rerun shell script to set the event in motion to post the information.
- Make next username and password from randomized set of characters, set in to images, with the image file names not representative of the image contents.
- log in is not via keyboard but clicking on screen full of images! Hahaha....lots of fun.

I have some other stuff with regard to this, and am not going to say anything yet. I am going to take a look at what you've done.

I have been on and off a reader of your work and involvement in the development of SE Linux. I am not an expert in security, but this type of systems administration is much more fun than the standard fare.

Thanks!
Thomas

We use a tmpfs for the homedir. And mount it using pam_namespace when the user logs. It also copies the contents of /etc/skel. So if you wanted a presetup user account, you could put all the files in the /etc/skel directory.


We do not require a login. It is using pam_sepermit, which allows specified users to login without a password, if SELinux is on in enforcing mode.

kiosk version has been updated to an i386 version.

danwalsh

2010-05-13 05:12 pm (UTC)

Once this becomes a formal spin, I should be able to provide multiple versions for different OS. Since most machines can boot i386, I will just release this version for now.

You are viewing danwalsh