danwalsh (danwalsh) wrote,

Introducing the Fedora Kiosk Spin

Fedora Kiosk

I have just published a Fedora Kiosk Live Image.


This image is still under development (as is F13). 

If you would like to play with it and give feedback, that would be great.

A while back I developed the xguest_t user type with the idea to build a kiosk-type environment. I built the xguest package, which created an xguest_t user. I also added pam_sepermit, which would allow certain users (xguest) to log in without a password if SELinux was on in enforcing mode. It also uses pam_namespace to set up a temporary home directory and /tmp directory.

My end goal was to create an operating system that could only be used as a kiosk.

Imagine a machine sitting at a library that had no operating system on it, except a livedvd. The livedvd has a disabled root account, and the only user account is xguest. The xguest account can only talk to web ports, and when you log out all files and processes get destroyed, so there is nothing left in the user account for the next user to search for. And since all processes are destroyed on logout, you can be assured no one left a process to watch your keystrokes. If the machine gets hosed up for any reason, the library can just reboot the machine and have a clean system.

If someone wanted to enhance this system, they could build a live image where iptables forces all network traffic to go to a single host or network. You could lock down your kiosk to only work on said network.
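
The iptables lock-down suggested above, as an added example that is not part of the original post: a small shell generator for iptables-restore rules that allow traffic only to one host or network. The function names are hypothetical, 192.0.2.0/24 is a constructed value, and it assumes DNS and any proxy sit inside the allowed network.

```shell
#!/bin/sh
# Added example (not from the original post): build an iptables-restore
# ruleset that confines a kiosk to one host or network.

# valid_cidr ADDR[/PREFIX] -> 0 if it is a well-formed IPv4 host or network
valid_cidr() {
    case $1 in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
    addr=${1%%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $addr in ''|*.) return 1 ;; esac
    case $prefix in ''|*.*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# kiosk_rules ADDR[/PREFIX] -> IPv4 ruleset on stdout; default-deny, so
# DNS and any proxy must live inside the allowed network (assumption).
kiosk_rules() {
    valid_cidr "$1" || { echo "invalid network: $1" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $1 -j ACCEPT
COMMIT
EOF
}

# kiosk_rules6 -> IPv6 ruleset for ip6tables-restore: loopback only, so the
# IPv4 restriction cannot be sidestepped over IPv6.
kiosk_rules6() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}
# Usage on the kiosk image, as root (192.0.2.0/24 is a constructed value):
#   kiosk_rules 192.0.2.0/24 | iptables-restore
#   kiosk_rules6 | ip6tables-restore
```

The input check matters because the address is pasted into the ruleset verbatim: anything that is not a plain IPv4 host or network is rejected before a rule is written.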

A couple of goals of mine would be to get livecd-to-pxeboot to work. Then you could have a machine in your environment that could download the operating system over the network and have no media available at the machine.
Currently the livedvd can be interrupted on boot.  I have a patch for livecd-tools that allows you to stop this, but it was not acceptable to upstream, since it only worked on x86 based machines.  I was adding totaltimeout=1 to the syslinux.cfg file.  This makes the boot uninterrupted.  If you build a liveusb you can cd into the syslinux directory and make this change yourself.

And yes, this functionality will be available in Red Hat Enterprise Linux 6.

