I just went through the process of setting up Xvnc with XDMCP on F18, and
I ran into an SELinux-related issue.

I have configured KDM to accept XDMCP queries from localhost, and I'm
starting Xvnc with the following systemd unit file:

/etc/systemd/system/xvnc@.service:

    [Unit]
    Description=VNC remote display %I
    After=syslog.target

    [Service]
    Type=simple
    User=nobody
    ExecStart=/usr/bin/Xvnc -SecurityTypes None -query 127.0.0.1 %i

    [Install]
    WantedBy=multi-user.target

When I first did this, KDM was unable to talk to Xvnc:

/var/log/kdm.log:

    /usr/bin/xrdb: Permission denied
    /usr/bin/xrdb: Can't open display ':10'
    kdmgreet: cannot connect to X server :10

/var/log/audit/audit.log:

    type=AVC msg=audit(1357179264.974:426): avc: denied { connectto } for pid=11481 comm="kdm_greet" path=002F746D702F2E5831312D756E69782F583130 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

The problem was that Xvnc was running as initrc_t, because /usr/bin/Xvnc
was labeled as bin_t. Changing the label to xserver_exec_t makes the
process run as xserver_t, KDM is able to connect to the server, and
everything appears to be working.

Is there a reason I'm not seeing that the context of /usr/bin/Xvnc should
*not* be changed to xserver_exec_t? If not, I'll go ahead and BZ this.

Thanks!

--
========================================================================
Ian Pilcher                                         arequipeno@xxxxxxxxx
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================
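
Added example (not part of the original post): a small Python parser for the AVC record quoted above. It decodes the hex-encoded path= field, which auditd writes for strings containing special bytes, and extracts the source and target types that show the label mismatch. The function names are hypothetical.

```python
import re

# AVC record copied from the audit.log excerpt in the post above.
AVC_LINE = (
    'type=AVC msg=audit(1357179264.974:426): avc: denied { connectto } '
    'for pid=11481 comm="kdm_greet" '
    'path=002F746D702F2E5831312D756E69782F583130 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'
)

# Fields auditd treats as untrusted strings: quoted if safe, bare hex otherwise.
ENCODED_FIELDS = {'path', 'comm', 'name', 'exe'}

def decode_audit_value(raw):
    """Return the readable form of a quoted or hex-encoded audit value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        data = bytes.fromhex(raw)
        # A leading NUL marks an abstract-namespace UNIX socket; show it as '@'.
        if data.startswith(b'\x00'):
            return '@' + data[1:].decode('utf-8', 'replace')
        return data.decode('utf-8', 'replace')
    return raw  # e.g. "(null)"

def selinux_type(context):
    """Third field of user:role:type:level (the level may itself contain ':')."""
    return context.split(':')[2]

def parse_avc(line):
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC record')
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)))
    for key in ENCODED_FIELDS & fields.keys():
        fields[key] = decode_audit_value(fields[key])
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),
        'source_type': selinux_type(fields['scontext']),
        'target_type': selinux_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'path': fields.get('path'),
    }

if __name__ == '__main__':
    r = parse_avc(AVC_LINE)
    print(f"{r['comm']} ({r['source_type']}) {r['result']} {r['perms']} on "
          f"{r['tclass']} {r['path']} owned by {r['target_type']}")
```

The decoded path is the abstract socket for display :10, and the target type initrc_t identifies the process that owns it, which is the Xvnc instance started from the unlabeled binary.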