On Thu, 2013-01-03 at 13:22 -0600, Ian Pilcher wrote:
> On 01/03/2013 12:55 PM, Dominick Grift wrote:
> > On Thu, 2013-01-03 at 09:07 -0600, Ian Pilcher wrote:
> >> On 01/03/2013 04:39 AM, Dominick Grift wrote:
> >>> I am not quite sure but it would be interesting to see what happens if
> >>> you label the xvnc executable file type unconfined_exec_t
> >>
> >> It would run as unconfined_t:
> >>
> >> type_transition initrc_t unconfined_exec_t : process unconfined_t;
> >>
> >
> > Not sure if the above would be the actual type transition, since systemd
> > runs in the init_t domain I believe.
>
> Oops. It would be this, then:
>
> type_transition init_t unconfined_exec_t : process unconfined_t;
>
> > So I am not sure what the best approach in this case would be
>
> Generally, the best approach is to run the process in the most
> restrictive domain that allows it to work. xserver_t is an obvious
> candidate for Xvnc, because it *is* an X server.
>
> Do you know of some feature of Xvnc that won't work if it is running in
> the xserver_t domain?
>

Nope, I do not.

I guess it is a matter of testing, but I agree that in general the most restrictive domain should be preferred.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
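The type_transition lines quoted in the thread only say which domain a process lands in; whether the kernel actually performs the transition also depends on three allow rules (execute on the file for the source domain, transition to the new domain, entrypoint on the file for the new domain). The script below is an added example, not code from the thread or from the Fedora policy: it parses a constructed policy fragment that mirrors the rules discussed (the init_t rule Ian corrected to, plus a hypothetical xserver_exec_t rule with a deliberately missing entrypoint permission) and reports the resulting domain and any missing permissions. The POLICY text, the function names and the xserver_t rule are assumptions made for illustration.

```python
"""Resolve an SELinux process domain transition from a handful of TE rules.

Added example, not part of the mailing-list thread.  The POLICY fragment
is constructed for illustration and is not copied from any real policy.
"""

import re

# Constructed policy fragment (assumption).  The first block is the rule
# quoted in the thread plus the allow rules a transition needs; the
# second block models labelling Xvnc xserver_exec_t but leaves out the
# 'entrypoint' rule on purpose, to show how a transition fails.
POLICY = """
type_transition init_t unconfined_exec_t : process unconfined_t;
allow init_t unconfined_exec_t : file { read execute open };
allow init_t unconfined_t : process transition;
allow unconfined_t unconfined_exec_t : file entrypoint;

type_transition init_t xserver_exec_t : process xserver_t;
allow init_t xserver_exec_t : file { read execute open };
allow init_t xserver_t : process transition;
# no 'allow xserver_t xserver_exec_t : file entrypoint;' on purpose
"""

# One TE rule per line: kind source target : class perm-or-{perm set} ;
RULE_RE = re.compile(
    r"^(type_transition|allow)\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;",
    re.M,
)


def parse_policy(text):
    """Return ({(src, exec_type): new_domain}, {(src, tgt, class, perm)})."""
    transitions = {}
    allows = set()
    for kind, src, tgt, cls, perms in RULE_RE.findall(text):
        if kind == "type_transition":
            transitions[(src, tgt)] = perms
        else:
            for perm in perms.strip("{} ").split():
                allows.add((src, tgt, cls, perm))
    return transitions, allows


def resolve_exec(src, exec_type, transitions, allows):
    """Domain a process in `src` gets when it execs a file of `exec_type`.

    Returns (new_domain, missing) where `missing` lists the allow rules
    that would still be needed for the exec to succeed.  Without a
    type_transition rule the process stays in `src`, which then needs
    execute_no_trans instead of transition/entrypoint.
    """
    new = transitions.get((src, exec_type), src)
    missing = []
    if (src, exec_type, "file", "execute") not in allows:
        missing.append(f"allow {src} {exec_type}:file execute")
    if new == src:
        if (src, exec_type, "file", "execute_no_trans") not in allows:
            missing.append(f"allow {src} {exec_type}:file execute_no_trans")
    else:
        if (src, new, "process", "transition") not in allows:
            missing.append(f"allow {src} {new}:process transition")
        if (new, exec_type, "file", "entrypoint") not in allows:
            missing.append(f"allow {new} {exec_type}:file entrypoint")
    return new, missing


def check(src, exec_type, policy=POLICY):
    """Convenience wrapper: parse the policy text and resolve one exec."""
    transitions, allows = parse_policy(policy)
    return resolve_exec(src, exec_type, transitions, allows)


if __name__ == "__main__":
    for src, exec_type in [
        ("init_t", "unconfined_exec_t"),   # the rule quoted in the thread
        ("initrc_t", "unconfined_exec_t"), # the source domain first assumed
        ("init_t", "xserver_exec_t"),      # hypothetical xserver_t labelling
    ]:
        new, missing = check(src, exec_type)
        print(f"{src} exec {exec_type} -> {new}; missing: {missing or 'none'}")
```

Against a live system the same question is answered by setools, e.g. `sesearch -T -s init_t -t unconfined_exec_t -c process` for the type_transition and `sesearch -A -s init_t -t unconfined_exec_t -c file` for the execute permission; the script is only a way to see why the source domain (initrc_t versus init_t) and the entrypoint rule both matter before relabelling a binary.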