On Thu, 2013-01-03 at 09:07 -0600, Ian Pilcher wrote:
On 01/03/2013 04:39 AM, Dominick Grift wrote:
> I am not quite sure but it would be interesting to see what happens if
> you label xvnc executable file type unconfined_exec_t
It would run as unconfined_t:
type_transition initrc_t unconfined_exec_t : process unconfined_t;
Not sure if the above would be the actual type transition, since systemd
runs in the init_t domain I believe.
I expect that this would also allow KDM to connect to Xvnc, but it would
be less secure. Is there a reason that you think this is a better
option than xserver_exec_t?
Well, other vnc servers also run in the unconfined_t domain,
however, if I am not mistaken, the other vnc servers are privileged
(located in /usr/sbin/ instead of /usr/bin/) I suspect.
xvnc seems to be for unprivileged use since it's in /usr/bin and then
unconfined_t stops making sense.
So I am not sure what the best approach in this case would be.
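
The question raised above (does the quoted rule still apply when the caller is init_t rather than initrc_t?) comes down to how a type_transition rule is keyed. The following is an added example, not part of the thread: the helper names are hypothetical, the only rule taken from the thread is the one quoted, and the brace-set rule is a constructed sample.

```python
import re

# "type_transition <source> <target> : <class> <default>;" where each of
# source/target/class may be one name or a brace-enclosed set of names.
RULE_RE = re.compile(
    r"type_transition\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+(\S+?)\s*;"
)


def _expand(field):
    """Turn 'a_t' or '{ a_t b_t }' into a list of names."""
    return field.strip("{} ").split()


def parse_rules(policy_text):
    """Map (source domain, file type, class) -> default type."""
    text = re.sub(r"#.*", "", policy_text)  # drop policy comments
    rules = {}
    for src, tgt, cls, default in RULE_RE.findall(text):
        for s in _expand(src):
            for t in _expand(tgt):
                for c in _expand(cls):
                    rules[(s, t, c)] = default
    return rules


def domain_after_exec(rules, caller_domain, exec_file_type):
    """Default domain of the new process.

    Models only the type_transition lookup: with no matching rule (and no
    explicit setexeccon) the process stays in the caller's domain. Whether
    the exec is permitted at all is decided by allow rules, not modelled here.
    """
    return rules.get((caller_domain, exec_file_type, "process"), caller_domain)


# The rule quoted in the thread.
QUOTED = parse_rules(
    "type_transition initrc_t unconfined_exec_t : process unconfined_t;"
)

# Constructed sample: the same rule written for two source domains.
CONSTRUCTED = parse_rules(
    "type_transition { initrc_t init_t } unconfined_exec_t : process unconfined_t;"
)

if __name__ == "__main__":
    for caller in ("initrc_t", "init_t"):
        print(caller, "->", domain_after_exec(QUOTED, caller, "unconfined_exec_t"))
```
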