Bug 497938 - selinux rules needed for xauth are dontaudited
Summary: selinux rules needed for xauth are dontaudited
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-12 21:04 UTC by Jason Zaman
Modified: 2014-04-10 19:55 UTC (History)

See Also:
Package list:
Runtime testing required: ---



Description Jason Zaman gentoo-dev 2014-01-12 21:04:38 UTC
I turned on Enforcing mode and tried to login to Xfce through slim and it failed.
After some stracing I found that /usr/bin/xauth was failing (it is supposed to read in the magic cookie from stdin but gets nothing).

There were no entries in avc.log or audit.log. I had to disable dontaudits to see the xauth denials.

To make it work I had to add the following rules. I am not sure if they are all required since audit2allow is overeager. I will test more later to find the minimum needed.

allow xauth_t xdm_t:process sigchld;
allow xauth_t xserver_log_t:file append;
allow xauth_t default_t:dir search;
allow xauth_t xdm_t:fd use;
allow xauth_t xdm_t:fifo_file { read getattr };
Reproducible: Always

Steps to Reproduce:
1. install slim and xfce
2. make SELinux Enforce
3. try and login through slim
Actual Results:  
login fails and returns to login screen

Expected Results:  
login should show desktop
Comment 1 Jason Zaman gentoo-dev 2014-01-12 21:38:30 UTC
Only these are required to make it work:
allow xauth_t xdm_t:fd use;
allow xauth_t xdm_t:fifo_file { read getattr };

This one shows up in the logs but it appears to work anyway even without this rule:
allow xauth_t xdm_t:process sigchld;

The other rules are not needed to login.
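The workflow behind the description and Comment 1 (unhide the dontaudited denials, turn the AVC records into allow rules, then see what the rules actually say about which domain xauth is talking to) is shown below as an added example. It is not code from the bug or from the Gentoo SELinux policy, and the AVC lines are constructed: the real denials were hidden by dontaudit rules and were never quoted on the bug, so these are shaped like kernel AVC records and chosen to reproduce the five rules audit2allow produced. The rule generator is a simplified stand-in for audit2allow, not the tool itself; the module name local_xauth, the pids, inodes and paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of what `ausearch -m avc` would show after
# `semodule -DB` (rebuild policy with dontaudit rules disabled).
# Not taken from the bug; shaped like kernel AVC records and chosen so
# that the xauth_t lines collapse to the five rules on the bug. The
# last line (an xdm_t denial) is there only to show source filtering.
SAMPLE_AVC = """\
type=AVC msg=audit(1389560000.123:501): avc:  denied  { use } for  pid=4321 comm="xauth" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:xauth_t tcontext=system_u:system_r:xdm_t tclass=fd
type=AVC msg=audit(1389560000.124:502): avc:  denied  { read } for  pid=4321 comm="xauth" path="pipe:[12345]" dev="pipefs" ino=12345 scontext=system_u:system_r:xauth_t tcontext=system_u:system_r:xdm_t tclass=fifo_file
type=AVC msg=audit(1389560000.124:503): avc:  denied  { getattr } for  pid=4321 comm="xauth" path="pipe:[12345]" dev="pipefs" ino=12345 scontext=system_u:system_r:xauth_t tcontext=system_u:system_r:xdm_t tclass=fifo_file
type=AVC msg=audit(1389560000.130:504): avc:  denied  { append } for  pid=4321 comm="xauth" path="/var/log/Xorg.0.log" dev="sda2" ino=9001 scontext=system_u:system_r:xauth_t tcontext=system_u:object_r:xserver_log_t tclass=file
type=AVC msg=audit(1389560000.131:505): avc:  denied  { search } for  pid=4321 comm="xauth" name="data" dev="sda2" ino=77 scontext=system_u:system_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1389560000.200:506): avc:  denied  { sigchld } for  pid=4321 comm="xauth" scontext=system_u:system_r:xauth_t tcontext=system_u:system_r:xdm_t tclass=process
type=AVC msg=audit(1389560000.250:507): avc:  denied  { write } for  pid=4399 comm="slim" name="tmp" dev="sda2" ino=88 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
"""

# Standard AVC record layout: "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def ctx_role(context):
    """Role field of a user:role:type[:level] context; object_r means a non-process object."""
    return context.split(":")[1]


def ctx_type(context):
    """Type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_avc(text):
    """Parse AVC denial lines into dicts; lines that are not denials are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = re.search(r'comm="([^"]*)"', line)
        denials.append({
            "comm": comm.group(1) if comm else None,
            "stype": ctx_type(m.group("scontext")),
            "ttype": ctx_type(m.group("tcontext")),
            "trole": ctx_role(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def collapse(denials, source_type=None):
    """Merge denials into {(stype, ttype, tclass): perms}, the way audit2allow does.
    source_type restricts the result to one domain (here xauth_t)."""
    merged = defaultdict(set)
    for d in denials:
        if source_type and d["stype"] != source_type:
            continue
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(merged)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(merged):
    """One allow rule per (source, target, class), sorted for stable output."""
    return [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(merged.items())]


def te_module(name, merged):
    """Render loadable-module source (.te) with the require block audit2allow -M emits."""
    types = sorted({s for s, _, _ in merged} | {t for _, t, _ in merged})
    classes = defaultdict(set)
    for (_, _, c), p in merged.items():
        classes[c] |= p
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(merged)
    return "\n".join(lines) + "\n"


def peer_domains(denials, source_type):
    """Target types that are process domains (role != object_r): the domains the
    source is actually interacting with, e.g. xdm_t rather than a user domain."""
    return sorted({d["ttype"] for d in denials
                   if d["stype"] == source_type and d["trole"] != "object_r"})


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVC)
    xauth = collapse(denials, source_type="xauth_t")
    print(te_module("local_xauth", xauth))
    print("xauth_t touches these domains:", peer_domains(denials, "xauth_t"))
```

On a real box the inputs come from `semodule -DB` (rebuild with dontaudit disabled), reproducing the failed login, then `ausearch -m avc -ts recent`; `semodule -B` restores the dontaudit rules afterwards. The generated .te compiles with `checkmodule -M -m -o local_xauth.mod local_xauth.te`, `semodule_package -o local_xauth.pp -m local_xauth.mod` and `semodule -i local_xauth.pp`, which is the same pipeline `audit2allow -M` drives. What the generator cannot do is the minimization from Comment 1: audit2allow emits one rule per denial seen, and only removing rules one at a time and retesting shows that just the fd and fifo_file rules are needed. The peer_domains output is the quick answer to the question a reviewer asks of such rules: the fd and fifo_file targets carry the xdm_t domain, so xauth is reading the cookie from a pipe created by xdm_t, not by a user domain.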
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-02-17 20:45:08 UTC
Can you check the context you're in after logon?

I would expect xauth_t to act on the user domains (user_t, staff_t, sysadm_t or even unconfined_t) and not the XDM domain (xdm_t).

Did you update the PAM configuration file(s) for slim (or whatever PAM service it uses)? See the end of http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-04-10 19:55:11 UTC
I can't do much without additional feedback.

Don't hesitate to reopen the moment you can!