New Features in Fedora 8 - policy for my wife ...
At my house right now I have 6 machines that receive IP addresses from my wireless router. I have two laptops, one each for my wife and me, both running Fedora Linux. BTW my wife is not computer literate. She uses the machine to read email and browse the web. We also own a Wii, a PSP and a Tivo. Every one of these machines can browse the web.

Finally I have a Windows XP box that my kids have used to run their computer games. Now that we have the Wii, this is becoming much less important.

I also used to use the Windows box to do my taxes, with software that was not available on my Linux box. Well, this past spring I did my taxes online, so that eliminates my last real need to run Windows XP.

Another problem we have always had as a household is keeping our schedules coordinated. With three teenage boys, we needed a shared calendar, and the calendar on the fridge was not making it any longer. Google Calendar comes to the rescue.

A few years ago I bought a digital camera and we started to store the pictures on my PC, but we never back them up. I don't want to have to deal with this, so we live in danger of losing many memories. Flickr comes to the rescue.

During the summer my kids were having a party at my house, and I asked if they had sent emails to their friends to invite them. They looked at me like I had just suggested that they use the Pony Express. They told me they used a MySpace invitation...

When I was talking to Chris Blizzard about OLPC, I asked what mail client they were going to use. He said, not his problem. They use Firefox and web-based mail: Gmail, Hotmail, Yahoo Mail, whatever.

I have been hearing about SaaS, Software as a Service, for a few years, and thought that it was a bunch of hype, but I now believe it is a reality.

Read Havoc Pennington's writing about the online desktop, and he will convince you.

So the question I have for everyone: are we at the point where it does not matter which OS is running on the machine, and the only question is how good the web browser is? Do you know what OS is running on your Wii, PSP, Tivo, cell phone, PS3, Xbox? No? Who cares? This is the reason Microsoft's control of the desktop is dying.

So what the hell does this have to do with SELinux...

We now have an SELinux policy for my wife... And probably soon for most users. This policy allows her to log into an X session and run Firefox. SELinux will not allow her to execute anything in her home directory or in /tmp. Not that she would know how. She is not allowed to connect to the network except through Firefox. She is allowed to run all applications on the local box that a normal user would, but none of them except Firefox are able to use the network. Firefox is not allowed to write to any directory in her homedir except ~/.mozilla and ~/.gnome. Firefox is only allowed to connect to the network ports that it needs.

So if she accidentally downloads a virus, she can't execute it. If Firefox becomes compromised, a spam bot would not be allowed to send mail.

I am picking on my wife, but this policy probably would work for most college students and most knowledge workers, and my 75-year-old father will get this policy. It would be nice if the Wii, PSP, and Tivo ran with this policy...

This is called the xguest_u user and all Fedora 8 machines have it.

If you want to set up a user account with this policy, you can simply execute one of the following (useradd for a new account, usermod for an existing one):
useradd -Z xguest_u username
usermod -Z xguest_u username

Now since this account can get full access to the Internet via Firefox, the user experience is still fine, and the machine is much more secure than any client machine available today.

As I discussed in a previous blog, we also have a locked-down, terminal-only SELinux user, the guest_u account. This is a user that cannot connect to the network, cannot execute files in /tmp/ or the home directory, and cannot run any setuid apps or become root. You can't log in via X. The user is perfect for terminal servers, git, and web server accounts where a user is allowed to customize their public_html directory. Basically any machine that gives out only sshd access.

How do I set this user up on Fedora 8? Again, useradd for a new account or usermod for an existing one:

useradd -Z guest_u username
usermod -Z guest_u username
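
To confirm that the -Z mapping took effect, this added example (not part of the original post) parses output in the format of `semanage login -l` and reports logins that are not mapped to xguest_u or guest_u. The listing, the login names (wife, gituser, kid) and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit SELinux login mappings in `semanage login -l` format.

# Constructed sample listing (not captured from a real host).
sample_listing() {
cat <<'EOF'

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
wife                      xguest_u                  s0
gituser                   guest_u                   s0
EOF
}

# selinux_user_for LOGIN: read a listing on stdin and print the SELinux user
# LOGIN maps to. A login with no row of its own inherits the __default__ row,
# which is what an account created without -Z ends up with.
selinux_user_for() {
    awk -v login="$1" '
        NF < 2 || $1 == "Login" { next }   # skip blank lines and the header
        $1 == "__default__"     { def = $2 }
        $1 == login             { hit = $2 }
        END {
            if (hit != "")      print hit
            else if (def != "") print def
            else                exit 1
        }'
}

# not_confined LOGIN...: read a listing on stdin, print "login seuser" for
# each LOGIN not mapped to xguest_u or guest_u; return 1 if any was printed.
not_confined() {
    listing=$(cat)
    rc=0
    for login in "$@"; do
        seuser=$(printf '%s\n' "$listing" | selinux_user_for "$login") || seuser=unknown
        case $seuser in
            xguest_u|guest_u) ;;
            *) printf '%s %s\n' "$login" "$seuser"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo on the constructed listing; on a real host pipe in `semanage login -l`.
sample_listing | not_confined wife gituser kid || echo "unconfined logins found" >&2
```

Mappings made through %group rows are not resolved by this sketch. Inside the user's own session, `id -Z` prints the context the login actually received.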

So try it out...

Next SELinux for Kiosks...

Very cool new feature. Thanks for keeping us up to date on the latest in the SELinux / Fedora world

Two, We plan on keeping it up to date with every new amaroK release, so it will stay current and I guess could be called a distribution unto itself.

What about local network access for lan games?

How hard would it be to make a variant where properly tagged network packets could be sent. The use case would be a game that needed access to the local network to play with other players, but which should not have access to the internet at large.
DNS might be a bit sticky, since information could be leaked through that, so probably even local DNS would be blocked.

How about PDF files downloaded from net? Any other file format supported by separate application like OO?

Yes you can look at documents from the Web via Open Office or evince for example, but these tools will be running under the xguest_firefox_t domain. So they will follow the same rules. Now the user could save the document to /tmp or ~/.mozilla or ~/Download directory, and then run open office or evince to look at the files separately.

I did not mention that there are two booleans to control the use of firefox also.

browser_confine_xguest --> on
browser_write_xguest_data --> off

The first one allows the xguest domain to transition to xguest_firefox_t. If you turn this off, the transition will not happen and Firefox would be in local-only mode, i.e. only able to read what the user can read off the local system. The second boolean would allow Firefox to write to the user's home dir. If you want to see something cool about this policy, execute

links www.redhat.com

Will give you a failure to connect.

firefox www.redhat.com

will succeed.

Yes, you could set up something like this, but this is a fairly advanced setup. I will blog on customizing userspace domains next week.

And after you set up Linux you get to have more fun still figuring out how to actually get any programs for the thing.

How can I use this policy on Fedora 6 / RHEL5?
