On Thu, 2013-01-03 at 13:22 -0600, Ian Pilcher wrote:
> On 01/03/2013 12:55 PM, Dominick Grift wrote:
>> On Thu, 2013-01-03 at 09:07 -0600, Ian Pilcher wrote:
>>> On 01/03/2013 04:39 AM, Dominick Grift wrote:
>>>> I am not quite sure but it would be interesting to see what happens in
>>>> you label xvnc executab;e file type unconfined_exec_t
>>> It would run as unconfined_t:
>>>
>>> type_transition initrc_t unconfined_exec_t : process unconfined_t;
>>>
>> Not sure if the above would be the actual type transition, since systemd
>> runs in the init_t domain i believe.
> Oops. It would be this, then:
>
> type_transition init_t unconfined_exec_t : process unconfined_t;
>
>> So i am not sure what the best approach in this case would be
> Generally, the best approach is to run the process in the most
> restrictive domain that allows it to work. xserver_t is an obvious
> candidate for Xvnc, because it *is* an X server.
>
> Do you know of some feature of Xvnc that won't work if it is running in
> the xserver_t domain?
>
Nope, i do not
I guess it is a matter of testing but i agree that in general the most
restrictive domain should be preferred.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux I agree with Dominick with
unconfined_exec_t as we have for
/usr/sbin/xrdp
/usr/sbin/xrdp-sesman
/usr/bin/vncserver