The X server runs as xdm_xserver_t if it is started from a display
manager. It runs as user_xserver_t if it is started with startx.
Is the X server part of the user's session or not?
If it is, then it should always run as user_xserver_t, and the display
managers should be "fixed" to label the X server with the user's context
at login time.
It if isn't, then it should always run in the same domain, and
startx/xinit should be "fixed" to transition into this context.
From my perspective I would favor the latter option for now since it's
easier to write policy for. The user's individual windows can be
labeled with a per-user type, maintaining separation.
--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
