Not directly related to Rudy Rucker's book of the same name, but it is certainly my toolbox for thinking. Most pages are works in progress and their content is incomplete, so be warned.

Creating a Kiosk Account using SELinux and Fedora 8.


Over the last few months, in between playing my own personal version of Whack-A-Mole (AVC), I have been working on Role-Based Access Control (RBAC), or confining users.
As I have explained in previous blogs, I have defined a policy to be used for least-privileged login terminal and X Windows users.

One of the goals of this was to define a Kiosk User account. The idea was to secure the machines you can walk up to at the library, bank, airport or coffee shop and just log in and use the internet. So I investigated how to do this with SELinux.

I demonstrated this account to Jonathan Blandford from the Fedora Desktop Team, who suggested it would be cool to offer one of these accounts through Fast User Switching.
One problem with this: we need to be able to use the account without a password, and from a security standpoint we can only protect a password-less account if SELinux is enabled and in enforcing mode.
We needed a new PAM module for this. I asked Tomas Mraz to look into it and he created pam_selinux_permit.

man pam_selinux_permit



pam_selinux_permit - PAM module to allow/deny login depending on SELinux enforcement state

SYNOPSIS pam_selinux_permit.so [debug] [conf=/path/to/config/file]


The pam_selinux_permit module allows or denies login depending on the SELinux enforcement state.

When the user who is logging in matches an entry in the config file, he is allowed access only when SELinux is in enforcing mode.
Otherwise he is denied access. For users not matching any entry in the config file, the pam_selinux_permit module returns PAM_IGNORE, so the rest of the PAM stack decides.

The config file contains a simple list of user names, one per line. If the name is prefixed with the @ character, all users in that group match. If it is prefixed with a % character, the SELinux user of the account is matched against the name instead of the account name. Note that when SELinux is disabled the SELinux user assigned to the account cannot be determined, so such entries never match while SELinux is disabled and pam_selinux_permit returns PAM_IGNORE for them.
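The three outcomes above (allow only when enforcing, deny otherwise, PAM_IGNORE when unlisted) interact with the three entry types in a way that is easy to get wrong, especially for %seuser entries on a machine with SELinux disabled. The shell function below is an added illustration of the documented decision rule, not the module's source: where the real module looks up the account's groups, its SELinux user and the enforcement mode itself, this version takes them as arguments so the effect of a sepermit.conf can be checked on any machine. The sample config it reads is constructed for the demo; the function name and output words are this example's own.

```shell
#!/bin/sh
# Model of the pam_selinux_permit decision described in its man page.
# Added illustration only: this is NOT the module's code. The caller supplies
# what the real module would look up itself (account name, groups, SELinux
# user, enforcement mode), so a config file can be checked without PAM.
#
# sepermit_decide CONF USER "GROUP ..." SEUSER MODE
#   MODE is what getenforce prints: Enforcing, Permissive or Disabled.
#   Prints success (PAM_SUCCESS), denied (PAM_AUTH_ERR) or ignore (PAM_IGNORE).
sepermit_decide() {
    local conf="$1" user="$2" groups="$3" seuser="$4" mode="$5"
    local name _rest g matched=0
    # the first token of each line is the entry; '#' lines and blanks are skipped
    while read -r name _rest || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;
            @*)                             # @group: any group of the account
                for g in $groups; do
                    if [ "$g" = "${name#@}" ]; then matched=1; fi
                done ;;
            %*)                             # %seuser: cannot be known if Disabled
                if [ "$mode" != Disabled ] && [ "$seuser" = "${name#%}" ]; then
                    matched=1
                fi ;;
            *)                              # plain account name
                if [ "$name" = "$user" ]; then matched=1; fi ;;
        esac
        if [ "$matched" = 1 ]; then break; fi
    done < "$conf"

    if [ "$matched" = 0 ]; then
        echo ignore                         # not listed: other modules decide
    elif [ "$mode" = Enforcing ]; then
        echo success                        # listed and the policy is enforced
    else
        echo denied                         # listed but nothing protects the account
    fi
}

# Demo against a constructed sepermit.conf (not the page's file).
demo_sepermit() {
    local conf
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# constructed sample sepermit.conf
xguest
@kiosk      # every member of the kiosk group
%guest_u    # every account mapped to the guest_u SELinux user
EOF
    printf '%-28s %s\n' 'xguest, Enforcing:'         "$(sepermit_decide "$conf" xguest xguest xguest_u Enforcing)"
    printf '%-28s %s\n' 'xguest, Permissive:'        "$(sepermit_decide "$conf" xguest xguest xguest_u Permissive)"
    printf '%-28s %s\n' 'alice in kiosk, Enforcing:' "$(sepermit_decide "$conf" alice 'alice kiosk' user_u Enforcing)"
    printf '%-28s %s\n' 'bob as guest_u, Disabled:'  "$(sepermit_decide "$conf" bob bob guest_u Disabled)"
    printf '%-28s %s\n' 'dwalsh, Permissive:'        "$(sepermit_decide "$conf" dwalsh 'dwalsh wheel' staff_u Permissive)"
    rm -f "$conf"
}
demo_sepermit
```

The fourth case is the one worth remembering: bob is mapped to guest_u, but with SELinux disabled that mapping cannot be read, so the %guest_u line never matches and bob falls through to the normal password stack rather than being denied.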

Now we can create an xguest account with a disabled password (useradd leaves the password locked, so only a PAM stack that carries pam_selinux_permit can admit it). Then we set up the display manager, gdm here, to run pam_selinux_permit as its first auth module:

# useradd -Z xguest_u xguest

# cat /etc/pam.d/gdm
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth include system-auth
auth optional pam_gnome_keyring.so auto_start
account required pam_nologin.so
account include system-auth
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_gnome_keyring.so

The control field on the first line is what makes this work: success=done ends the auth stack with a pass (no password prompt), ignore=ignore lets users not listed in sepermit.conf fall through to the normal system-auth stack, and default=bad turns a deny from the module into a failed login. The remaining lines are the stock Fedora 8 gdm stack, with the module names as they ship there; the pam_namespace.so line is needed for the clean-environment step below.

Add the xguest user to /etc/security/sepermit.conf:

# cat /etc/security/sepermit.conf
# /etc/security/sepermit.conf
# Each line contains either:
# - an user name
# - a group name, with @group syntax
# - a SELinux user name, with %seuser syntax
xguest

If SELinux is in enforcing mode, you can log into this account just by clicking on the xguest user.
If you try to reach this account by any means other than the display manager you will not be able to log in: sshd, rshd and telnetd will all fail, because the account has no usable password and only the gdm stack carries pam_selinux_permit.

If you put the machine into permissive mode or disable SELinux, you will no longer be able to log in as this user, since the module denies every listed user unless the policy is being enforced. This does not affect a user who is already logged in, however.

You can also use Fast User Switching to switch to this user. Just add the User Switcher applet to your toolbar and select xguest. You should switch to this account and be automagically logged in.

To add additional security to this account, it would be useful to have all files and directories created by the xguest user removed, so that the next person who uses xguest is guaranteed a clean environment. We can set up pam_namespace to give xguest a fresh home directory, /tmp and /var/tmp on every login; because these are tmpfs instances private to the session, they disappear when the X session ends. The pam_namespace.so line in /etc/pam.d/gdm shown above is required for this.

Also add these lines to /etc/security/namespace.conf:

/tmp      tmpfs  tmpfs  ~xguest
/var/tmp  tmpfs  tmpfs  ~xguest
$HOME     tmpfs  tmpfs  ~xguest

The columns are the polyinstantiated directory, the instance prefix, the method and the user list. This says to mount three temporary filesystems on /tmp, /var/tmp and $HOME whenever xguest logs in; the leading ~ restricts the rule to the users listed (here only xguest) instead of exempting them, so other accounts keep the normal directories.

I have generated an rpm package and spec file that will set this all up for you. You can try this out at

There are three booleans that you can set for this account:

# getsebool -a | grep xguest

* browser_confine_xguest

This indicates whether the xguest account transitions to xguest_mozilla_t or not. If you turn this boolean on, xguest will be able to browse the web using firefox/mozilla in the confined browser domain. If you turn it off, the account will only be allowed to run mozilla/firefox locally and will have no access to the network.

* browser_write_xguest_data

This determines whether firefox can write to the home directory or not. If this boolean is off, firefox will only be allowed to write to .mozilla and .gnome in the home directory. If you want to add a download directory you can add a file context and label it xguest_mozilla_home_t:

# semanage fcontext -a -t xguest_mozilla_home_t '/home/xguest/Download(/.*)?'
# restorecon -R -v /home/xguest

The regular expression needs quoting so the shell does not interpret the parentheses, and restorecon is pointed at the account's home directory; the file context entry only labels paths that exist when restorecon runs.

* allow_xguest_exec_content

This boolean determines whether the xguest account can execute files in its home directory or /tmp. Leaving it off prevents some forms of attack on users, since anything downloaded or dropped into /tmp cannot be run.
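The steps above (account, sepermit.conf, namespace.conf, booleans, file context) are easy to apply once by hand but awkward to re-apply on a fleet of kiosks. The script below is an added example, not the xguest rpm's own scriptlets: it makes the config-file edits idempotent and stages them under a directory of your choice so they can be reviewed, and it only executes the commands that need root and a live SELinux policy when run as root against the real root filesystem, printing them otherwise. The function names, the kiosk-setup.sh file name, the boolean values chosen (confine on, home writes off, exec off) and the extra install -d for the Download directory are this example's choices, not prescribed by the page.

```shell
#!/bin/sh
# Added example, not the xguest package's scripts: idempotent setup of the
# xguest kiosk account described on this page. Config edits are made under
# $ROOT so they can be staged and reviewed; commands that need root and a
# running SELinux are executed only when ROOT is / and the caller is root,
# and printed otherwise. Boolean values are this example's locked-down choice.

# Append LINE to FILE unless an identical line is already present.
ensure_line() {
    local file="$1" line="$2"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Add a namespace.conf entry unless one for POLYDIR exists already (compared
# on the first column, so re-runs and hand-edited spacing do not duplicate it).
ensure_polydir() {
    local file="$1" polydir="$2" rest="$3"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if ! awk -v d="$polydir" '$1 == d { found = 1 } END { exit !found }' "$file"; then
        printf '%-9s %s\n' "$polydir" "$rest" >> "$file"
    fi
}

# sepermit.conf: pam_selinux_permit admits xguest only while Enforcing.
kiosk_sepermit() {
    ensure_line "$ROOT/etc/security/sepermit.conf" xguest
}

# namespace.conf: fresh tmpfs for /tmp, /var/tmp and $HOME, for xguest only
# ("~xguest" limits polyinstantiation to the listed users).
kiosk_namespace() {
    local f="$ROOT/etc/security/namespace.conf"
    ensure_polydir "$f" /tmp     'tmpfs tmpfs ~xguest'
    ensure_polydir "$f" /var/tmp 'tmpfs tmpfs ~xguest'
    ensure_polydir "$f" '$HOME'  'tmpfs tmpfs ~xguest'
}

# Both modules must be in the display manager's PAM stack for any of this
# to take effect; warn (and return 1) if either is missing.
kiosk_check_pam() {
    local f="$ROOT/etc/pam.d/gdm" m ok=0
    for m in pam_selinux_permit.so pam_namespace.so; do
        if ! grep -qs "$m" "$f"; then
            echo "warning: $f does not reference $m" >&2
            ok=1
        fi
    done
    return $ok
}

# Steps that need root and a loaded policy (useradd -Z, the booleans, labels).
kiosk_privileged() {
    cat <<'EOF'
useradd -Z xguest_u xguest
setsebool -P browser_confine_xguest on
setsebool -P browser_write_xguest_data off
setsebool -P allow_xguest_exec_content off
semanage fcontext -a -t xguest_mozilla_home_t '/home/xguest/Download(/.*)?'
install -d -o xguest -g xguest /home/xguest/Download
restorecon -R -v /home/xguest
EOF
}

kiosk_setup() {
    [ -n "$ROOT" ] || { echo "ROOT is not set" >&2; return 2; }
    kiosk_sepermit
    kiosk_namespace
    kiosk_check_pam || :
    if [ "$ROOT" = / ] && [ "$(id -u)" = 0 ]; then
        kiosk_privileged | sh -e
    else
        echo "# not run (needs root on the live host):"
        kiosk_privileged
    fi
}

# Usage: kiosk-setup.sh /            live host, as root
#        kiosk-setup.sh /tmp/stage   stage the config files, print the rest
if [ $# -eq 1 ]; then
    ROOT=$1
    kiosk_setup
fi
```

Running it twice against the same tree leaves one xguest line in sepermit.conf and one entry per directory in namespace.conf, which is the property you want before putting it in a kickstart %post or a config-management run. After the first xguest login, check from inside that session with ls -Zd ~/Download that the directory visible in the polyinstantiated home carries xguest_mozilla_home_t, since the label set on the persistent /home/xguest is only useful if that path is what the session actually sees.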

I have created xguest.spec and xguest-1.0.0-1.fc8.noarch.rpm, which will set everything up for you. They are out on

Try it out and tell me what you think.