August 24th, 2007

New Features in Fedora 8 - policy for my wife ...

At my house right now I have 6 Machines that receive IP Addresses from my Wireless router.  I have two laptops for my Wife and I, both running Fedora Linux.  BTW my wife is not computer literate.  She uses the machine to read email and web browse.  We also own a Wii, a PSP and a Tivo.  Every one of these machines can browse the web. 

Finally I have a Windows XP box, that my kids have used to run their computer games.  Now that we have the Wii, this is becoming much less important. 

I also used to use the Windows box to do my taxes, with software that was not available on my Linux box.  Well this past spring, I did my taxes on line, so that eliminates my last real need to run Windows XP. 

Another problem we have always had as a household, is keeping our schedules coordinated.  With three teenage boys, we needed a shared calendar.  So the calendar on the fridge was not making it any longer.  Google Calendar comes to the rescue. 

A few years ago I bought a Digital Camera and we started to store the pictures on my PC, but we never back it up.  I don't want to have to deal with this, so we live in danger of loosing many memories.   Flickr comes to the rescue.

During the summer my kids were having a party at my house, and I asked if they had sent emails to their friends to invite them.  They looked at me like I had just suggested that they use the Pony Express.  They told me they used a My Space invitation...

When I was talking to Chris Blizzard about OLPC, I asked what mail client they were going to use.  He said, not his problem.  They use Firefox and web based mail  Gmail, Hotmail, yahoo mail whatever.

I have been hearing about SaaS, Software as a Service for a few years, and thought that is was a bunch of hype, but I now believe it is a reality. 

Read Havoc Pennington's writing about the online desktop, and he will convince you

So the question I have for everyone, are we at the point where it does not matter what is the OS that is running on the Machine, the only question is how good is the web browser.    Do you know what OS is running on your Wii, PSP, Tivo, Cell Phone, PS 3, XBox?  No?  Who Cares?  This is the reason Microsofts control on the Desktop is dieing. 

So what the hell does this have to do with SELinux...

We now have an SELinux policy for my wife...  And probably soon for most users.  This policy allows her to log into an X session and run Firefox.  SELinux will not her to execute anything in here home directory or in /tmp.  Not that she would know how.  She is not allowed to connect to the network except through Firefox.  She is allowed to run all applications on the local box that a normal user would, but none of them except Firefox are able to use the network.  Firefox is not allowed to write to any directory in her homedir except ~/.mozilla and ~/.gnome.  Firefox is only allowed to connect to the network ports that it needs.

So if she accidentally down loads a virus, she can't execute it.  If firefox becomes compromised, a spam bot would not be allowed to send mail.

I am picking on my wife, but this policy probably would work for most college students, most knowledge works, my 75 Year old father will get this policy.  It would be nice if the Wii, PSP, and Tivo ran with this policy...

This is called the xguest_u user and all Fedora 8 Machines have it.

If you want to setup a user account with this policy you can simply execute
useradd -Z xguest_u username
usermod -Z xguest_u username

Now since this account can get full access to the Internet via firefox, the user experience is still fine, and the machine is much more secure then any client machine available today.

As I talked in a previous blog, we also have a locked down Terminal Only SELinux User, the guest_u account.  This is a user that can not talk connect to he network, can not execute files in /tmp/ or home directory, can not run any setuid apps or become root. You can't login via X.  The user is perfect for terminal servers, git, web server accounts where a user is allowed to customize their public_html directory.  Basically any machine that gives out only sshd access.

How do I set this user up on Fedora 8?

useradd -Z guest_u username
usermod -Z guest_u username

So try it out...

Next SELinux for Kiosks...