Context for Xvnc?

Dominick Grift dominick.grift at gmail.com
Thu Jan 3 10:39:55 UTC 2013


On Wed, 2013-01-02 at 20:54 -0600, Ian Pilcher wrote:
> I just went through the process of setting up Xvnc with XDMCP on F18,
> and I ran into an SELinux-related issue.
> 
> I have configured KDM to accept XDMCP queries from localhost, and I'm
> starting Xvnc with the following systemd unit file:
> 
>   /etc/systemd/system/xvnc@.service:
> 
>     [Unit]
>     Description=VNC remote display %I
>     After=syslog.target
> 
>     [Service]
>     Type=simple
>     User=nobody
>     ExecStart=/usr/bin/Xvnc -SecurityTypes None -query 127.0.0.1 %i
> 
>     [Install]
>     WantedBy=multi-user.target
> 
> When I first did this, KDM was unable to talk to Xvnc:
> 
>   /var/log/kdm.log:
> 
>     /usr/bin/xrdb: Permission denied
>     /usr/bin/xrdb: Can't open display ':10'
>     kdmgreet: cannot connect to X server :10
> 
>   /var/log/audit/audit.log:
> 
>     type=AVC msg=audit(1357179264.974:426): avc:  denied  { connectto }
>     for  pid=11481 comm="kdm_greet"
>     path=002F746D702F2E5831312D756E69782F583130
>     scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>     tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> 
> The problem was that Xvnc was running as initrc_t, because /usr/bin/Xvnc
> was labeled as bin_t.  Changing the label to xserver_exec_t makes the
> process run as xserver_t, KDM is able to connect to the server, and
> everything appears to be working.
> 
> Is there a reason I'm not seeing that the context of /usr/bin/Xvnc
> should *not* be changed to xserver_exec_t?  If not, I'll go ahead and
> BZ this.
> 
> Thanks!
> 

I am not quite sure but it would be interesting to see what happens if
you label the xvnc executable file type unconfined_exec_t.
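The denial Ian quotes, decoded by a small parser (an added example, not code from this thread): auditd hex-encodes the socket path because it starts with a NUL byte, i.e. it is the X server's abstract-namespace socket, and the target type in the record tells you which domain the listener actually ran in. The expected domain name xserver_t comes from the post; the record itself is the one from the post, re-joined onto a single line.

```python
import re

# Constructed input: the AVC record quoted in the post, re-joined onto one
# line the way auditd writes it (the mail client wrapped it).
SAMPLE_AVC = (
    'type=AVC msg=audit(1357179264.974:426): avc:  denied  { connectto } '
    'for  pid=11481 comm="kdm_greet" '
    'path=002F746D702F2E5831312D756E69782F583130 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'
)

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"
_PERMS = re.compile(r'\{\s*([^}]*)\}')        # { perm1 perm2 ... }
EXPECTED_X_DOMAIN = 'xserver_t'               # domain an X server should run in

def decode_audit_value(val):
    """auditd hex-encodes a field that holds unprintable bytes, e.g. the NUL
    that starts an abstract-namespace Unix socket path; undo that here."""
    if re.fullmatch(r'[0-9A-Fa-f]+', val) and len(val) % 2 == 0:
        return bytes.fromhex(val).decode('utf-8', 'replace')
    return val.strip('"')

def parse_avc(line):
    """Split one AVC record into a dict; the SELinux type is the third
    field of each context (user:role:type:level)."""
    m = _PERMS.search(line)
    rec = {'permissions': m.group(1).split() if m else []}
    for key, val in _FIELD.findall(line):
        rec[key] = decode_audit_value(val) if key == 'path' else val.strip('"')
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def describe_socket(path):
    """A leading NUL marks a Linux abstract-namespace socket; the X server
    listens there as well as on the /tmp/.X11-unix/X<n> filesystem path."""
    return 'abstract:' + path[1:] if path.startswith('\x00') else path

def diagnose(rec):
    """Explain a connectto denial whose listener is outside the X server
    domain: the executable that was exec'd is the thing to relabel."""
    if (rec.get('tclass') == 'unix_stream_socket'
            and 'connectto' in rec['permissions']
            and rec['target_type'] != EXPECTED_X_DOMAIN):
        return (f"{rec['comm']} ({rec['source_type']}) could not connect to "
                f"{describe_socket(rec['path'])}: listener runs as "
                f"{rec['target_type']}, not {EXPECTED_X_DOMAIN}; check the "
                f"executable's label (ls -Z) and fix it (semanage fcontext/restorecon)")
    return None
```

Running `diagnose(parse_avc(SAMPLE_AVC))` names kdm_greet in xdm_t, the abstract socket /tmp/.X11-unix/X10, and the initrc_t listener, which is exactly the bin_t-vs-xserver_exec_t mislabel Ian found.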