How to create a secure account (an isolated sandbox) on a Fedora machine, that could be useful for visitors, demo presentations, etc.:
Instructions how to define a Kiosk User account, based on xguest.
The idea is to tightly secure a machine: just login (locally, no password) and use the internet via Firefox. Any local changes made by the user, such as writes to $home or their desktop settings will be lost after they log out.
Requires SELinux in enforcing mode.
BTW, I am still not using SELinux on my desktop (more precisely, it is running in permissive mode, i.e. violations are logged in, but operation can continue). I believe it should be ON at least on the LAMP server in DMZ. But I had always applications that conflict with SE policies - and I've never mastered this topic (see Wikipedia/SELinux: "For me, given my threat model and how much my time is worth, life is too short for SELinux.” — Theodore Ts’o).
On the other hand, Dan Walsh blogs seem to shed some light into obscurity, with many configuration examples and troubleshooting. His blog "New Features in Fedora 8 - policy for my wife ...", explains motivation for a secure account in plain English - nice and easy reading for upper management :-)
Looks like I am running out of excuses and I have to set SELinux properly in upcoming upgrade of my desktop to Fedora 8.
Subscribe to:
Post Comments (Atom)
1 comment:
Post a Comment