On 01/03/2013 12:55 PM, Dominick Grift wrote:
> On Thu, 2013-01-03 at 09:07 -0600, Ian Pilcher wrote:
>> On 01/03/2013 04:39 AM, Dominick Grift wrote:
>>> I am not quite sure but it would be interesting to see what happens if
>>> you label xvnc executable file type unconfined_exec_t
>>
>> It would run as unconfined_t:
>>
>>   type_transition initrc_t unconfined_exec_t : process unconfined_t;
>>
>
> Not sure if the above would be the actual type transition, since systemd
> runs in the init_t domain I believe.

Oops. It would be this, then:

  type_transition init_t unconfined_exec_t : process unconfined_t;

> So I am not sure what the best approach in this case would be

Generally, the best approach is to run the process in the most
restrictive domain that allows it to work. xserver_t is an obvious
candidate for Xvnc, because it *is* an X server.

Do you know of some feature of Xvnc that won't work if it is running in
the xserver_t domain?

--
========================================================================
Ian Pilcher                                         arequipeno@xxxxxxxxx
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================