Context for Xvnc?

Miroslav Grepl mgrepl at redhat.com
Wed Jan 16 14:40:41 UTC 2013


On 01/03/2013 08:36 PM, Dominick Grift wrote:
> On Thu, 2013-01-03 at 13:22 -0600, Ian Pilcher wrote:
>> On 01/03/2013 12:55 PM, Dominick Grift wrote:
>>> On Thu, 2013-01-03 at 09:07 -0600, Ian Pilcher wrote:
>>>> On 01/03/2013 04:39 AM, Dominick Grift wrote:
> >>>>> I am not quite sure but it would be interesting to see what happens if
> >>>>> you label xvnc executable file type unconfined_exec_t
>>>> It would run as unconfined_t:
>>>>
>>>>    type_transition initrc_t unconfined_exec_t : process unconfined_t;
>>>>
>>> Not sure if the above would be the actual type transition, since systemd
>>> runs in the init_t domain i believe.
>> Oops.  It would be this, then:
>>
>>     type_transition init_t unconfined_exec_t : process unconfined_t;
>>
>>> So i am not sure what the best approach in this case would be
>> Generally, the best approach is to run the process in the most
>> restrictive domain that allows it to work.  xserver_t is an obvious
>> candidate for Xvnc, because it *is* an X server.
>>
>> Do you know of some feature of Xvnc that won't work if it is running in
>> the xserver_t domain?
>>
> Nope, i do not
>
> I guess it is a matter of testing but i agree that in general the most
> restrictive domain should be preferred.
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I agree with Dominick with unconfined_exec_t as we have for

/usr/sbin/xrdp
/usr/sbin/xrdp-sesman
/usr/bin/vncserver
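The thread turns on which domain init_t enters when it executes the Xvnc binary, which is decided by the type_transition rule for the file's type. The script below is an added example, not from the thread or from the Fedora policy: it queries the loaded policy with setools' sesearch for the transition from init_t on each candidate exec type, reports the binary's current label, and prints the semanage/restorecon commands that would label it xserver_exec_t so it runs in xserver_t rather than unconfined_t. The path /usr/bin/Xvnc and the presence of sesearch, semanage and restorecon are assumptions; the sample sesearch lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread). Checks which domain a
# systemd-started (init_t) Xvnc would run in for a given executable file type
# and prints the commands that move it to xserver_exec_t.
# Assumes setools (sesearch) and policycoreutils (semanage, restorecon);
# the Xvnc path below is an assumption.
set -eu

XVNC=/usr/bin/Xvnc   # assumed path of the Xvnc binary

# Pull the default domain out of "sesearch -T" output read from stdin.
# Handles both formats, e.g. (constructed samples):
#   type_transition init_t unconfined_exec_t : process unconfined_t;   (setools 3)
#   type_transition init_t xserver_exec_t:process xserver_t;           (setools 4)
# Prints "none" when no rule was found.
transition_target() {
    awk '
        $1 == "type_transition" { t = $NF; sub(/;$/, "", t); print t; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Which domain does init_t transition into when it executes a file of type $1?
domain_from_init() {
    sesearch -T -s init_t -t "$1" -c process | transition_target
}

# Type field (third component) of a security context such as
# system_u:object_r:bin_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Current type of the Xvnc binary.
current_exec_type() {
    context_type "$(stat -c %C "$XVNC")"
}

# Commands that persistently label Xvnc as an X server executable, so that
# init_t enters xserver_t instead of unconfined_t. Printed, not executed,
# so the script is safe to run read-only; pipe into sh to apply.
relabel_as_xserver() {
    printf 'semanage fcontext -a -t xserver_exec_t %s\n' "$XVNC"
    printf 'restorecon -v %s\n' "$XVNC"
}

main() {
    printf 'Xvnc currently labelled: %s\n' "$(current_exec_type)"
    for t in unconfined_exec_t xserver_exec_t; do
        printf 'init_t executing %-18s -> %s\n' "$t" "$(domain_from_init "$t")"
    done
    printf '\nTo run Xvnc in xserver_t:\n'
    relabel_as_xserver
}

# Only touch the live policy when explicitly asked, so the file can be
# sourced for its functions or run on a box without SELinux tooling.
if [ "${XVNC_CHECK:-}" = run ]; then
    main
fi
```

Run it with `XVNC_CHECK=run sh xvnc_check.sh` on the target host; the two sesearch lines show directly that labelling Xvnc unconfined_exec_t lands it in unconfined_t, while xserver_exec_t lands it in xserver_t, which is the "most restrictive domain that allows it to work" argument made above expressed as a policy query rather than a guess.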
