Context for Xvnc?
Dominick Grift
dominick.grift at gmail.com
Thu Jan 3 18:55:01 UTC 2013
On Thu, 2013-01-03 at 09:07 -0600, Ian Pilcher wrote:
> On 01/03/2013 04:39 AM, Dominick Grift wrote:
> > I am not quite sure but it would be interesting to see what happens if
> > you label xvnc executable file type unconfined_exec_t
>
> It would run as unconfined_t:
>
> type_transition initrc_t unconfined_exec_t : process unconfined_t;
>
Not sure if the above would be the actual type transition, since systemd
runs in the init_t domain I believe.
> I expect that this would also allow KDM to connect to Xvnc, but it would
> be less secure. Is there a reason that you think this is a better
> option than xserver_exec_t?
>
Well, other vnc servers also run in the unconfined_t domain,
however, if I am not mistaken, the other vnc servers are privileged
(located in /usr/sbin/ instead of /usr/bin/) I suspect.
xvnc seems to be for unprivileged use since it's in /usr/bin and then
unconfined_t stops making sense.
So I am not sure what the best approach in this case would be.