Monthly Archives: January 2008

Using SELinux Kiosk Mode in Fedora 8

Fedora 8 now has support for Dan Walsh’s SELinux kiosk mode, or xguest, which he has previously described in some detail.

The good news is that it’s utterly simple to use:

  1. Upgrade to the very latest Fedora 8 — simply ensure you have run:

    # yum update

  2. Install the xguest package and necessary dependencies:

    # yum install xguest

  3. Ensure you’re running SELinux in enforcing mode:

    # getenforce
    Enforcing

  4. Log out from X, and you should see a new “X Guest User” user in the GDM welcome screen:

    [Screenshot: GDM login screen with X Guest User]

  5. Click on the X Guest User account, and you will be logged straight into a GNOME session.

The GNOME session will run as a very tightly locked down SELinux account, which can only be accessed via GDM. It is essentially authorized only to surf the web.

PAM namespace is utilized so that the session has private views of shared writable filesystem space (e.g. /tmp), while Sabayon is used to load a custom GNOME configuration.

Any local changes made by the user, such as writes to $HOME or changes to their desktop settings, will be lost after they log out.

Thomas Mraz’s PAM SELinux permit package ensures that the xguest account is only active in enforcing mode, so that the account cannot be used to attack the system if it is in permissive mode.

Further technical detail may be found in the package’s README file.
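
A pre-flight check for the setup steps and the enforcing-only restriction described above, as an added example that is not part of the original post or the xguest package. It assumes the xguest login is mapped to the SELinux user xguest_u; the function names and the sample `semanage login -l` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the xguest kiosk account.
# Assumption: the xguest login is mapped to the SELinux user xguest_u.

# Constructed sample of `semanage login -l` output, used for the offline demo.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
xguest               xguest_u             s0'

# Succeed only if the mode string reported by getenforce is "Enforcing".
is_enforcing() { [ "$1" = "Enforcing" ]; }

# Read `semanage login -l` style output on stdin and print the SELinux user
# mapped to login name $1; exit non-zero if there is no such mapping.
selinux_user_for() {
    awk -v login="$1" '$1 == login { print $2; found = 1; exit }
                       END { exit !found }'
}

# $1 = getenforce output, $2 = semanage login -l output; non-zero on any failure.
check_xguest() {
    rc=0
    if is_enforcing "$1"; then
        echo "OK: SELinux is enforcing"
    else
        echo "FAIL: SELinux mode is '$1'; xguest is only active in enforcing mode"
        rc=1
    fi
    if mapped=$(printf '%s\n' "$2" | selinux_user_for xguest); then
        if [ "$mapped" = "xguest_u" ]; then
            echo "OK: xguest is confined as $mapped"
        else
            echo "FAIL: xguest is mapped to '$mapped', expected xguest_u"
            rc=1
        fi
    else
        echo "FAIL: no SELinux login mapping for xguest (package installed?)"
        rc=1
    fi
    return "$rc"
}

# Pass --live on a real host (as root) to query it; otherwise run the demo.
if [ "${1:-}" = "--live" ]; then
    check_xguest "$(getenforce)" "$(semanage login -l)"
else
    check_xguest Enforcing "$SAMPLE_LOGINS"
fi
```
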

Where would you use this? Dan has found it useful for family members with various levels of computer skill, while I can imagine that xguest would also be quite handy for things like LUG events, conference booths, training, Linux demonstrations, information kiosks etc.

If you come up with any cool uses, or enhancements, please let us know.

Enjoy!

SELinux mitigates remote root vulnerability in OpenPegasus

According to Red Hat Security Advisory RHSA-2008-0002, a recently discovered stack overflow flaw in OpenPegasus is mitigated by standard SELinux targeted policy in RHEL4 and RHEL5:

… an unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003)

Note that the tog-pegasus packages are not installed by default on Red Hat Enterprise Linux. The Red Hat Security Response Team believes that it would be hard to remotely exploit this issue to execute arbitrary code, due to the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5, and the SELinux memory protection tests enabled by default on Red Hat Enterprise Linux.

The enhanced memory protection tests in RHEL5 contribute to the mitigation here.

On a related note, Mark Cox has just published an updated grid of vulnerability and threat mitigation features in RHEL and Fedora. Fedora 8, being the most recent distro listed, has the greatest number of these features.

[Image: security feature grid]

Btw, for those able to attend FUDCon in Raleigh over the weekend, there will be a few SELinux folk around to answer questions, listen to feedback etc.

Update:
Someone asked for more Fedora-specific information to compare with other distributions. Here’s a well-maintained page on Fedora Security Features.