Chapter 12. Restricting the desktop session
You can restrict and control various functionalities of the GNOME desktop environment. You can enforce specific configurations and restrictions to maintain system integrity and prevent unauthorized access.
12.1. Disabling user logout and user switching
Disabling user logout and user switching can improve security, prevent user errors, and enforce a specific workflow. This can mitigate unauthorized access to sensitive data and disruptions to the workflow caused by users accidentally logging out or switching to another user.
Prerequisites
- Administrative access.
Procedure
- Create a plain text /etc/dconf/db/local.d/00-logout keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    # Disable user logout
    disable-log-out=true
    # Disable user switching
    disable-user-switching=true

- Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock user logout
    /org/gnome/desktop/lockdown/disable-log-out
    # Lock user switching
    /org/gnome/desktop/lockdown/disable-user-switching

- Apply the changes to the system databases:

    # dconf update
12.2. Disabling printing
Disabling printing can prevent unauthorized access to sensitive documents and safeguard confidential information from potential breaches.
Prerequisites
- Administrative access.
Procedure
- Create a plain text /etc/dconf/db/local.d/00-printing keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    # Disable printing
    disable-printing=true

- Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock printing
    /org/gnome/desktop/lockdown/disable-printing

- Apply the changes to the system databases:

    # dconf update
12.3. Disabling file saving
Preventing files from being saved on the system can help protect sensitive data from unauthorized access and protect against potential data leaks.
Prerequisites
- Administrative access.
Procedure
- Create a plain text /etc/dconf/db/local.d/00-filesaving keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    # Disable saving files on disk
    disable-save-to-disk=true

- Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock file saving
    /org/gnome/desktop/lockdown/disable-save-to-disk

- Apply the changes to the system databases:

    # dconf update
12.4. Disabling the shell prompt
Disabling the shell prompt can simplify user interactions with the system, prevent inexperienced users from executing potentially harmful commands that might cause system instability or data loss, and reduce the risk of unauthorized changes to system settings or configurations.
Prerequisites
- Administrative access.
Procedure
- Create a plain text /etc/dconf/db/local.d/00-lockdown keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    # Disable command prompt
    disable-command-line=true

- Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock command prompt
    /org/gnome/desktop/lockdown/disable-command-line

- Apply the changes to the system databases:

    # dconf update

- For these settings to take effect, users need to log out and log back in.
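A keyfile entry without a matching line under locks/ is only a default that a user can override in their own dconf database, so it is worth confirming that every key set in sections 12.1 to 12.4 is also locked. The following shell functions are an added example, not part of the original documentation; the function names and the sample directory are assumptions, and only exact key entries are compared, the form this page's lock files use.

```shell
#!/bin/sh
# Added example: report dconf keys that a keyfile sets but no locks file pins.
# Usage on a real system (path from this page): unlocked_keys /etc/dconf/db/local.d

# Print every key set by the keyfiles in directory $1 as /path/key.
set_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue            # skips the locks/ subdirectory
        awk '
            /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
            /^\[.*\][ \t]*$/ {                          # [org/gnome/...] group header
                gsub(/^\[|\][ \t]*$/, ""); path = "/" $0; next
            }
            /=/ { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
                  print path "/" key }
        ' "$f"
    done | LC_ALL=C sort -u
}

# Print every exact key listed in the files under $1/locks/.
locked_keys() {
    for f in "$1"/locks/*; do
        [ -f "$f" ] || continue
        awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { sub(/[ \t]+$/, ""); print }' "$f"
    done | LC_ALL=C sort -u
}

# Print keys that are set but not locked; users can still override these.
unlocked_keys() {
    tmp=$(mktemp -d) || return 2
    set_keys "$1" > "$tmp/set"
    locked_keys "$1" > "$tmp/locked"
    LC_ALL=C comm -23 "$tmp/set" "$tmp/locked"
    rm -rf "$tmp"
}

# Constructed sample: the 00-logout keyfile from 12.1, with only one key locked.
sample=$(mktemp -d) && mkdir "$sample/locks"
printf '%s\n' '[org/gnome/desktop/lockdown]' '# Disable user logout' \
    'disable-log-out=true' 'disable-user-switching=true' > "$sample/00-logout"
printf '%s\n' '# Lock user logout' \
    '/org/gnome/desktop/lockdown/disable-log-out' > "$sample/locks/00-logout"
unlocked_keys "$sample"   # prints /org/gnome/desktop/lockdown/disable-user-switching
```

Empty output means every key set in the directory has a lock entry.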
12.5. Disabling repartitioning
You can override the default system settings that control disk management.
Avoid modifying the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file directly. Any changes you make will be replaced during the next package update.
Prerequisites
- Administrative access.
Procedure
- Copy the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file under the /etc/share/polkit-1/actions/ directory:

    # cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/share/polkit-1/actions/org.freedesktop.udisks2.policy

- In the /etc/polkit-1/actions/org.freedesktop.udisks2.policy file, delete any actions that you do not need and add the following lines:

    <action id="org.freedesktop.udisks2.modify-device">
      <message>Authentication is required to modify the disks settings</message>
      <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>yes</allow_active>
      </defaults>
    </action>

  If you want to restrict access only to the root user, replace <allow_any>no</allow_any> with <allow_any>auth_admin</allow_any>.
12.6. Restricting the session to a single application
You can start the GNOME session in single-application mode, also known as kiosk mode. In this session, GNOME displays only a full-screen window of the application that you have selected.
12.6.1. Single-application mode
Single-application mode is a modified GNOME session that reconfigures the Mutter window manager into an interactive kiosk. This session locks down certain behavior to make the standard desktop more restrictive. The user can interact only with a single application selected by the administrator.
You can set up single-application mode for several use cases, such as:
- In the communication, entertainment, or education fields
- As a self-serve machine
- As an event manager
- As a registration point
The GNOME Kiosk utility provides the single-application mode configuration and sessions.
The following single-application sessions are available:
- Search Appliance Session: This session always starts the Mozilla Firefox web browser at the www.google.com website.
- Kiosk Script Session: This session starts an arbitrary application that you specify in a shell script.
12.6.2. Enabling search appliance mode
You can restrict the GNOME session to the Google search engine in a web browser by installing and enabling the Search Appliance Session.
Prerequisites
- Administrative access.
Procedure
- Install the GNOME Kiosk packages:

    # dnf install gnome-kiosk gnome-kiosk-search-appliance

- At the GNOME login screen, select Search Appliance Session from the gear button menu and log in as the single-application user.
- The Mozilla Firefox browser opens as a full-screen window in its kiosk mode. It shows the Google search page.
12.6.3. Enabling single-application mode
You can install and enable the Kiosk Script Session to restrict the GNOME session to a selected single application. This configuration provides a secure and isolated environment for the target application.
Procedure
- Install the GNOME Kiosk packages:

    # dnf install gnome-kiosk gnome-kiosk-script-session

- At the GNOME login screen, select Kiosk Script Session from the gear button menu and log in as the single-application user.
  The gedit text editor opens as a full-screen window. It shows the shell script that configures which application runs in your single-application session.
- Edit the shell script and enter the application that you want to start in the single-application session.
  For example, to start the Mozilla Firefox browser, enter the following content:

    #!/usr/bin/sh
    firefox --kiosk https://example.org

- Save the script file.
- Close the gedit window.
  The session terminates and restarts with your selected application.
- The next time you log in to the single-application session, your selected application runs.