On Thu, 2013-01-03 at 09:07 -0600, Ian Pilcher wrote:
> On 01/03/2013 04:39 AM, Dominick Grift wrote:
> > I am not quite sure but it would be interesting to see what happens if
> > you label xvnc executable file type unconfined_exec_t
>
> It would run as unconfined_t:
>
>   type_transition initrc_t unconfined_exec_t : process unconfined_t;
>

Not sure if the above would be the actual type transition, since systemd runs in the init_t domain, I believe.

> I expect that this would also allow KDM to connect to Xvnc, but it would
> be less secure. Is there a reason that you think this is a better
> option than xserver_exec_t?
>

Well, other vnc servers also run in the unconfined_t domain; however, if I am not mistaken, the other vnc servers are privileged (located in /usr/sbin/ instead of /usr/bin/), I suspect. xvnc seems to be for unprivileged use since it's in /usr/bin, and then unconfined_t stops making sense.

So I am not sure what the best approach in this case would be.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
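Added example, not part of the original thread or of any SELinux tool: a small resolver showing why the source domain matters for the rule quoted above, since a `type_transition` is matched on (source domain, file type, class). The helper names and the second sample rule are assumptions made for illustration, and allow-rule checks are not modeled.

```python
import re

# Constructed sample in the style of `sesearch -T` output. Only the first rule
# is quoted from the thread; the second is an illustrative assumption.
SAMPLE_RULES = """
type_transition initrc_t unconfined_exec_t : process unconfined_t;
type_transition initrc_t xserver_exec_t : process xserver_t;
"""

RULE_RE = re.compile(
    r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+?)\s*;\s*$")


def parse_rules(text):
    """Return {(source_domain, file_type, object_class): new_type}."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, file_type, cls, new_type = m.groups()
            rules[(src, file_type, cls)] = new_type
    return rules


def domain_after_exec(rules, source_domain, exec_type):
    """Domain a process lands in after exec'ing a file of exec_type.

    Simplification: with no matching process transition the process stays in
    the caller's domain; whether the exec is permitted at all is not checked.
    """
    return rules.get((source_domain, exec_type, "process"), source_domain)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for src in ("initrc_t", "init_t"):
        for exec_type in ("unconfined_exec_t", "xserver_exec_t"):
            print(f"{src} exec {exec_type} -> "
                  f"{domain_after_exec(rules, src, exec_type)}")
```

On a real system the rule set would come from the loaded policy (for example the output of `sesearch -T` from setools) rather than from the constructed sample.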