Re: Context for Xvnc?

On 01/03/2013 08:36 PM, Dominick Grift wrote:
On Thu, 2013-01-03 at 13:22 -0600, Ian Pilcher wrote:
On 01/03/2013 12:55 PM, Dominick Grift wrote:
On Thu, 2013-01-03 at 09:07 -0600, Ian Pilcher wrote:
On 01/03/2013 04:39 AM, Dominick Grift wrote:
I am not quite sure but it would be interesting to see what happens if
you label xvnc executable file type unconfined_exec_t
It would run as unconfined_t:

   type_transition initrc_t unconfined_exec_t : process unconfined_t;

Not sure if the above would be the actual type transition, since systemd
runs in the init_t domain, I believe.
Oops.  It would be this, then:

    type_transition init_t unconfined_exec_t : process unconfined_t;

So I am not sure what the best approach in this case would be
Generally, the best approach is to run the process in the most
restrictive domain that allows it to work.  xserver_t is an obvious
candidate for Xvnc, because it *is* an X server.

Do you know of some feature of Xvnc that won't work if it is running in
the xserver_t domain?

Nope, I do not

I guess it is a matter of testing but I agree that in general the most
restrictive domain should be preferred.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
I agree with Dominick with unconfined_exec_t as we have for

/usr/sbin/xrdp
/usr/sbin/xrdp-sesman
/usr/bin/vncserver
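
The point worked out in the thread above, that the transition rule must name the domain of whatever actually launches Xvnc, shown as an added example that is not part of the original messages: a small Python resolver over the two quoted rules. The function and constant names are this example's own, and it models only the `type_transition` default, assuming the matching allow rules are present.

```python
import re

# Matches the rule form quoted in the thread:
#   type_transition <source domain> <file type> : process <new domain>;
RULE_RE = re.compile(
    r"^\s*type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;\s*$"
)

def parse_rules(policy_text):
    """Return {(source_domain, exec_type): new_domain} for process transitions."""
    rules = {}
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0]          # drop policy comments
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line.strip()!r}")
        src, exec_type, new = m.groups()
        if rules.get((src, exec_type), new) != new:
            raise ValueError(f"conflicting transitions for {(src, exec_type)}")
        rules[(src, exec_type)] = new
    return rules

def domain_after_exec(rules, parent_domain, exec_type):
    """Default domain of the new process; no matching rule means no transition.

    Assumption: the allow rules a real transition also needs (file execute,
    file entrypoint, process transition) exist; they are not modelled here.
    """
    return rules.get((parent_domain, exec_type), parent_domain)

# The two rules quoted in the thread, kept separate so they can be compared.
FIRST_RULE = "type_transition initrc_t unconfined_exec_t : process unconfined_t;"
CORRECTED_RULE = "    type_transition init_t unconfined_exec_t : process unconfined_t;"

def compare(parent_domain, exec_type="unconfined_exec_t"):
    """Resulting domain under each quoted rule for a launcher in parent_domain."""
    return {
        "first rule": domain_after_exec(parse_rules(FIRST_RULE), parent_domain, exec_type),
        "corrected rule": domain_after_exec(parse_rules(CORRECTED_RULE), parent_domain, exec_type),
    }

if __name__ == "__main__":
    for parent in ("init_t", "initrc_t"):     # systemd vs. an init script
        print(parent, compare(parent))
```

With only the first rule loaded, a process started from `init_t` stays in `init_t`, which is why the second rule was posted as a correction.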

