[prev in list] [next in list] [prev in thread] [next in thread] 

List:       selinux
Subject:    What domain should the X server run in
From:       Eamon Walsh <ewalsh () tycho ! nsa ! gov>
Date:       2007-10-25 17:27:45
Message-ID: 4720D211.1000507 () tycho ! nsa ! gov
[Download RAW message or body]

The X server runs as xdm_xserver_t if it is started from a display
manager.  It runs as user_xserver_t if it is started with startx.

Is the X server part of the user's session or not?

If it is, then it should always run as user_xserver_t, and the display
managers should be "fixed" to label the X server with the user's context
at login time.

It if isn't, then it should always run in the same domain, and
startx/xinit should be "fixed" to transition into this context.

 From my perspective I would favor the latter option for now since it's 
easier to write policy for.  The user's individual windows can be 
labeled with a per-user type, maintaining separation.


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]