James Morris (james_morris) wrote,
James Morris

Using SELinux Kiosk Mode in Fedora 8

Fedora 8 now has support for Dan Walsh's SELinux kiosk mode, or xguest, which he has previously described in some detail.

The good news is that it's utterly simple to use:

  1. Upgrade to the very latest Fedora 8 -- simply ensure you have run:

    # yum update

  2. Install the xguest package and necessary dependencies:

    # yum install xguest

  3. Ensure you're running SELinux in enforcing mode:

    # getenforce

  4. Log out from X, and you should see a new "X Guest User" user in the GDM welcome screen:

    GDM login screen with X Guest User

  5. Click on the X Guest User account, and you will be logged straight into a GNOME session.

The GNOME session will run as a very tightly locked down SELinux account, which can only be accessed via GDM. It is essentially authorized only to surf the web.

PAM namespace is utilized so that the session has private views of shared writable filesystem space (e.g. /tmp), while Sabayon is used to load a custom GNOME configuration.

Any local changes made by the user, such as writes to $home or their desktop settings will be lost after they log out.

Thomas Mraz's PAM SELinux permit package ensures that the xguest account is only active in enforcing mode, to ensure the account cannot be used to attack the system if it is in permissive mode.

Further technical detail may be found in the package's README file.

Where would you use this? Dan has found it useful for family members with various levels of computer skill, while I can imagine that xguest would also be quite handy for things like LUG events, conference booths, training, Linux demonstrations, information kiosks etc.

If you come up with any cool uses, or enhancements, please let us know.


  • All my talk slides are now on Slideshare

    I've uploaded the slides from essentially all of the talks I've given to Slideshare. This is likely more useful than my previous strategy of dumping…

  • SELinux for Humans

    I mean, SLUGs... Paul Wayper gave a couple of talks on SELinux at this weeks' SLUG meeting, and includes links to a couple of very useful slide…

  • Security subsystem changes in the 2.6.30 kernel

    Here's an update on the major changes to the kernel security subsystem for the 2.6.30 kernel. TOMOYO The TOMOYO security framework from NTT was…

  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 1 comment