Context for Xvnc?
Miroslav Grepl
mgrepl at redhat.com
Fri Jan 18 21:14:35 UTC 2013
On 01/16/2013 03:40 PM, Miroslav Grepl wrote:
> On 01/03/2013 08:36 PM, Dominick Grift wrote:
>> On Thu, 2013-01-03 at 13:22 -0600, Ian Pilcher wrote:
>>> On 01/03/2013 12:55 PM, Dominick Grift wrote:
>>>> On Thu, 2013-01-03 at 09:07 -0600, Ian Pilcher wrote:
>>>>> On 01/03/2013 04:39 AM, Dominick Grift wrote:
>>>>>> I am not quite sure but it would be interesting to see what
>>>>>> happens in
>>>>>> you label xvnc executable file type unconfined_exec_t
>>>>> It would run as unconfined_t:
>>>>>
>>>>> type_transition initrc_t unconfined_exec_t : process unconfined_t;
>>>>>
>>>> Not sure if the above would be the actual type transition, since
>>>> systemd
>>>> runs in the init_t domain I believe.
>>> Oops. It would be this, then:
>>>
>>> type_transition init_t unconfined_exec_t : process unconfined_t;
>>>
>>>> So i am not sure what the best approach in this case would be
>>> Generally, the best approach is to run the process in the most
>>> restrictive domain that allows it to work. xserver_t is an obvious
>>> candidate for Xvnc, because it *is* an X server.
>>>
>>> Do you know of some feature of Xvnc that won't work if it is running in
>>> the xserver_t domain?
>>>
>> Nope, I do not
>>
>> I guess it is a matter of testing but I agree that in general the most
>> restrictive domain should be preferred.
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> I agree with Dominick with unconfined_exec_t as we have for
>
> /usr/sbin/xrdp
> /usr/sbin/xrdp-sesman
> /usr/bin/vncserver
>
Actually we added the following labeling:
/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
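The thread's reasoning (which domain a daemon lands in depends on the file context of its executable plus the type_transition rule for the caller's domain, init_t under systemd) can be modelled in a few lines. The following is an added example, not code from the list or from the Fedora policy: the file_contexts entries and type_transition rules are a constructed subset written for illustration, and the "longest literal stem wins" matching is a simplification of how the sorted file_contexts is searched.

```python
"""Toy model of how SELinux picks a daemon's domain: look up the file
context of the executable, then apply the type_transition rule for
(caller domain, executable type). Added example; the policy fragments
below are a constructed subset, not an extract of the real Fedora policy.
"""
import re

# Constructed .fc-style entries in refpolicy syntax. The "--" filetype
# restricts an entry to regular files; entries without it match any type.
FILE_CONTEXTS = """\
/usr/bin(/.*)?                  gen_context(system_u:object_r:bin_t,s0)
/usr/sbin(/.*)?                 gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/xrdp          --      gen_context(system_u:object_r:unconfined_exec_t,s0)
/usr/sbin/xrdp-sesman   --      gen_context(system_u:object_r:unconfined_exec_t,s0)
/usr/bin/vncserver      --      gen_context(system_u:object_r:unconfined_exec_t,s0)
/usr/bin/Xvnc           --      gen_context(system_u:object_r:xserver_exec_t,s0)
"""

# Constructed type_transition rules: (caller domain, exec type) -> new domain.
# Under systemd the caller is init_t; initrc_t is kept for SysV-style starts.
TYPE_TRANSITIONS = {
    ("init_t", "unconfined_exec_t"): "unconfined_t",
    ("initrc_t", "unconfined_exec_t"): "unconfined_t",
    ("init_t", "xserver_exec_t"): "xserver_t",
    ("initrc_t", "xserver_exec_t"): "xserver_t",
}

FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?"
    r"gen_context\((?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^,:]+),(?P<mls>[^)]+)\)$"
)
_META = set(".*?+()[]{}|^$\\")


def parse_file_contexts(text):
    """Parse .fc lines into (compiled regex, filetype, type, literal-stem length)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparsable file_contexts line: %r" % line)
        pattern = m.group("regex")
        stem = 0  # length of the literal prefix before the first regex metachar
        for ch in pattern:
            if ch in _META:
                break
            stem += 1
        entries.append((re.compile(pattern), m.group("ftype"), m.group("type"), stem))
    return entries


def match_file_context(path, entries, is_regular=True):
    """Return the type of the most specific matching entry (longest literal
    stem; ties go to the later line). Returns None when nothing matches."""
    best = None
    for index, (rx, ftype, stype, stem) in enumerate(entries):
        if ftype == "--" and not is_regular:
            continue
        if rx.fullmatch(path) is None:
            continue
        key = (stem, index)
        if best is None or key > best[0]:
            best = (key, stype)
    return None if best is None else best[1]


def resolve_domain(caller, path, entries=None, transitions=TYPE_TRANSITIONS):
    """Domain a process ends up in when `caller` execs `path`. Without a
    matching type_transition the process stays in the caller's domain
    (this toy does not check the allow rules that must also be present)."""
    if entries is None:
        entries = parse_file_contexts(FILE_CONTEXTS)
    exec_type = match_file_context(path, entries)
    return transitions.get((caller, exec_type), caller)


if __name__ == "__main__":
    for exe in ("/usr/bin/Xvnc", "/usr/bin/vncserver", "/usr/sbin/xrdp", "/usr/bin/ls"):
        print("%-20s -> %s" % (exe, resolve_domain("init_t", exe)))
```

With the Xvnc entry labelled xserver_exec_t the resolver reports xserver_t for a systemd-started Xvnc, while the vncserver and xrdp entries still land in unconfined_t; an executable covered only by the generic bin_t entry stays in init_t because no transition matches. On a real host the same questions are answered by `matchpathcon /usr/bin/Xvnc` (the label), `sesearch -T -s init_t -t xserver_exec_t -c process` from setools (the transition rule) and `ps -eZ` (the domain the running process actually has).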