Creating a Kiosk Account using SELinux

I have defined a policy to be used for the least privileged login terminal and X Windows users.

Kiosk User account:

This tool allows you to run a secure machine that users can walk up to at the 
library, bank, airport, or coffee shop and just log in and use the internet.

We need to be able to use this account without a password, and assign it to the least privileged X account, xguest_u:

# useradd -Z xguest_u xguest

This creates the account with a disabled password.

We could remove the password from the account and allow everyone to log in 
without a password, but we really want the account to be accessible only from 
the console when SELinux is in enforcing mode. From a security standpoint, we 
can only protect the account if SELinux is enabled and in enforcing mode. 
We needed a new PAM module for this, so Tomas Mraz created pam_selinux_permit.

xdm is set up to use pam_selinux_permit. This package adds xguest to the 
/etc/security/sepermit.conf file:

# echo xguest >> /etc/security/sepermit.conf

We still have one other problem.  Since one user after another can use this 
account, we want to prevent one user from looking at the account of a previous 
user or from leaving trojans that could attack the next user.  So we configure 
pam_namespace to mount the home directory, /tmp and /var/tmp as tmpfs file 
systems that will get destroyed on logout.

# echo -n \
'/tmp    tmpfs   tmpfs   ~xguest
/var/tmp        tmpfs   tmpfs   ~xguest
$HOME           tmpfs   tmpfs   ~xguest' \
 >> /etc/security/namespace.conf 

This says to generate three temporary filesystems, mounted on /tmp, /var/tmp 
and the $HOME directory, only for xguest any time he logs in, and to destroy 
them when the user logs out.
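
The following audit script is an added example, not part of the xguest package. It checks copies of the two files edited above for the xguest entry and the three tmpfs lines, and flags a tmpfs line that has been run together with a later append. The function names are hypothetical, and skipping a ":option" suffix in sepermit.conf is an assumption about that file's format.

```shell
#!/bin/sh
# Added example: audit the kiosk entries in the two PAM config files.

# has_sepermit_user FILE USER: 0 if USER is listed (comments, ":options" ignored)
has_sepermit_user() {
    awk -v u="$2" '{ sub(/#.*/, ""); sub(/:.*/, "") }
        $1 == u { found = 1 }
        END { exit !found }' "$1"
}

# has_tmpfs_polydir FILE DIR USER: 0 if DIR is a tmpfs entry limited to ~USER
has_tmpfs_polydir() {
    awk -v d="$2" -v u="~$3" '/^[ \t]*#/ { next }
        $1 == d && $2 == "tmpfs" && $3 == "tmpfs" && $4 == u { found = 1 }
        END { exit !found }' "$1"
}

# audit_kiosk SEPERMIT NAMESPACE [USER]: prints what is missing, returns the count
audit_kiosk() {
    user=${3:-xguest}
    missing=0
    if ! has_sepermit_user "$1" "$user"; then
        echo "MISSING: $user in $1"; missing=$((missing + 1))
    fi
    for dir in /tmp /var/tmp '$HOME'; do
        if ! has_tmpfs_polydir "$2" "$dir" "$user"; then
            echo "MISSING: $dir tmpfs entry for ~$user in $2"; missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# demo: constructed sample files (not real system files). "echo -n" leaves no
# final newline, so a later append is glued onto the $HOME line and that
# entry no longer parses as ~xguest.
demo() {
    d=$(mktemp -d)
    printf '# kiosk\nxguest\n' > "$d/sepermit.conf"
    printf '/tmp tmpfs tmpfs ~xguest\n/var/tmp\ttmpfs\ttmpfs\t~xguest\n' > "$d/namespace.conf"
    printf '$HOME tmpfs tmpfs ~xguest' >> "$d/namespace.conf"
    printf '/srv/other tmpfs tmpfs ~other\n' >> "$d/namespace.conf"
    audit_kiosk "$d/sepermit.conf" "$d/namespace.conf"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: sh audit.sh SEPERMIT NAMESPACE  (runs only when two paths are given)
if [ "$#" -ge 2 ]; then audit_kiosk "$@"; fi
```

Run it as root against /etc/security/sepermit.conf and /etc/security/namespace.conf; a non-zero exit status is the number of missing entries.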

If SELinux is in enforcing mode, you can log into this account just by clicking
on the "X guest user" in the login screen. If you try to reach this account 
by any means other than xdm you will not be able to log in. sshd, rshd, and 
telnetd will all fail.

If you put the machine into permissive mode or disable SELinux, you will no 
longer be able to log in as this user. This will not affect a currently logged 
in user, however, so be very careful when disabling SELinux. The logged in XGuest would still be controlled by DAC, though.

You can also use Fast User Switching to switch to this user.  Just add the User
Switcher applet to your tool bar and select xguest.  You should switch to this
account and be automagically logged in.

There are four SELinux booleans that you can set for this account.

# getsebool -a | grep xguest

    * xguest_connect_network

Allow xguest users to configure Network Manager and connect to Apache ports.

    * xguest_mount_media

Allow xguest users to mount removable media.

    * xguest_use_bluetooth

Allow xguest to use Bluetooth devices.

    * allow_xguest_exec_content

This boolean determines whether the xguest account can execute files in its home directory or /tmp.  This can prevent some forms of attack on users.

