Context for Xvnc?

Ian Pilcher arequipeno at gmail.com
Thu Jan 3 19:22:11 UTC 2013


On 01/03/2013 12:55 PM, Dominick Grift wrote:
> On Thu, 2013-01-03 at 09:07 -0600, Ian Pilcher wrote:
>> On 01/03/2013 04:39 AM, Dominick Grift wrote:
>>> I am not quite sure but it would be interesting to see what happens if
>>> you label xvnc executable file type unconfined_exec_t
>>
>> It would run as unconfined_t:
>>
>>   type_transition initrc_t unconfined_exec_t : process unconfined_t;
>>
> 
> Not sure if the above would be the actual type transition, since systemd
> runs in the init_t domain I believe.

Oops.  It would be this, then:

   type_transition init_t unconfined_exec_t : process unconfined_t;

> So I am not sure what the best approach in this case would be

Generally, the best approach is to run the process in the most
restrictive domain that allows it to work.  xserver_t is an obvious
candidate for Xvnc, because it *is* an X server.

Do you know of some feature of Xvnc that won't work if it is running in
the xserver_t domain?

-- 
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================
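As an added example (not part of the thread), the checks and relabelling step that follow from the discussion above: ask the loaded policy which domain init_t actually enters when it execs a given file type, and then label the Xvnc binary so it transitions into xserver_t. It assumes setools (sesearch) and policycoreutils (semanage, restorecon) are installed, that the refpolicy types xserver_exec_t / xserver_t are what the local policy uses, and that Xvnc lives at /usr/bin/Xvnc.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: path of Xvnc,
# setools/policycoreutils present, refpolicy type names.
XVNC=/usr/bin/Xvnc
INIT_DOMAIN=init_t      # systemd runs as init_t, not initrc_t (see thread)

# Pull the resulting domain out of a type_transition rule line, e.g.
#   type_transition init_t xserver_exec_t : process xserver_t;
# (setools 3 prints " : process", setools 4 prints ":process"; both handled).
# Prints nothing for lines that are not process type_transition rules.
transition_target() {
    printf '%s\n' "$1" |
        sed -n 's/^type_transition [^ ]* [^ :]* *: *process \([^ ;]*\);.*/\1/p'
}

# Ask the loaded policy which domain $INIT_DOMAIN enters when it execs a
# file labelled with the type given as $1 (default: xserver_exec_t).
query_transition() {
    sesearch -T -s "$INIT_DOMAIN" -t "${1:-xserver_exec_t}" -c process 2>/dev/null |
        while read -r line; do transition_target "$line"; done
}

# Persistent file-context rule for the Xvnc binary, then apply it on disk.
# With init_t -> xserver_exec_t -> xserver_t in the policy, Xvnc started by
# systemd will land in xserver_t instead of running unconfined.
relabel_xvnc() {
    semanage fcontext -a -t xserver_exec_t "$XVNC"
    restorecon -v "$XVNC"
}

# After restarting the service, the context column should show xserver_t.
verify_running_domain() {
    ps -eZ | grep '[X]vnc'
}

case "${1:-}" in
    query)   query_transition "${2:-}" ;;
    relabel) relabel_xvnc ;;
    verify)  verify_running_domain ;;
esac
```

Run it as `sh xvnc-label.sh query` before relabelling to see whether the policy even defines a transition for init_t, and `sh xvnc-label.sh verify` after restarting the service.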