The SELinux policies are stored in *.pp files. With the 2.4 userspace (up to 2.4_rc6 for now) these files are then converted into CIL files before they are loaded. A recently discovered issue shows that the interpretation of the *.pp files is lacking some important transformations. For instance, a role type assignment (like "role staff_r types xauth_t") is not transformed into a CIL role type assignment (like "(roletype staff_r xauth_t)"), making domain transitions invalid (invalid context). This also results in code running in the parent (userdomain), which is most likely an incorrect result.

Reproducible: Always
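To make the missing transformation concrete, here is an added example (not code from the report or from the policycoreutils project) that parses kernel-policy-language role statements of the form described above, emits the equivalent CIL roletype statements, and checks a CIL text for role/type pairs the conversion dropped. The policy source and the "buggy" CIL text are constructed samples, and the regular expressions only cover the plain `role R types T;` / `role R types { T1 T2 };` forms (an assumption; the real language has more syntax).

```python
import re

# Constructed sample in kernel policy language (not taken from any real policy).
POLICY_SRC = """
role staff_r types xauth_t;
role staff_r types { staff_t staff_sudo_t };
role sysadm_r types sysadm_t;
"""

# Constructed CIL text mimicking the symptom in the report: the roletype
# statements for staff_r were never generated, only the declarations survived.
BUGGY_CIL = """
(type xauth_t)
(role staff_r)
(roletype sysadm_r sysadm_t)
"""

# Matches 'role R types T;' or 'role R types { T1 T2 ... };' (assumption: no
# other role statement forms are present in the input).
ROLE_RE = re.compile(r"role\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)\s*;")
CIL_RE = re.compile(r"\(roletype\s+(\w+)\s+(\w+)\s*\)")


def parse_role_types(policy_text):
    """Return the set of (role, type) pairs declared with 'role R types ...;'."""
    pairs = set()
    for m in ROLE_RE.finditer(policy_text):
        role, types = m.group(1), m.group(2)
        # Strip braces and split a set like '{ a b }' into its members.
        for t in types.strip("{} ").split():
            pairs.add((role, t))
    return pairs


def to_cil(pairs):
    """Render (role, type) pairs as CIL '(roletype R T)' statements."""
    return sorted(f"(roletype {r} {t})" for r, t in pairs)


def parse_cil_roletypes(cil_text):
    """Collect the (role, type) pairs a CIL text actually grants."""
    return {(m.group(1), m.group(2)) for m in CIL_RE.finditer(cil_text)}


def missing_roletypes(policy_text, cil_text):
    """Pairs present in the policy source but absent from the CIL output.

    Any pair listed here means a domain transition into that type under that
    role will produce an invalid context, which is the failure the report sees.
    """
    return sorted(parse_role_types(policy_text) - parse_cil_roletypes(cil_text))


if __name__ == "__main__":
    print("expected CIL:")
    for line in to_cil(parse_role_types(POLICY_SRC)):
        print("  " + line)
    print("missing from buggy CIL:", missing_roletypes(POLICY_SRC, BUGGY_CIL))
```

Run against a real module's source and the CIL the 2.4 tooling produced for it, the last function would list exactly the role/type pairs whose transitions will fail with an invalid context.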
A patch for this has been posted. It seems to fix the issues on my machine. http://marc.info/?l=selinux&m=141641949310942&w=2
In the tree: sys-apps/policycoreutils-2.4_rc6-r1
2.4 userland is stable now