On Thursday, 7 September 2017 8:06:12 PM AEST Harlan Lieberman-Berg wrote: > Hm. Looking more, you may be right. What's odd is that some binaries > that are (presumably) being launched by Gnome are being correctly > given the right context; for example, gdm and X are running as > system_u:system_r:xdm_t:s0-s0:c0.c1023. evolution-calendar, though, > is system_u:system_r:init_t:s0. And yet other things that are > probably also part of my user session are > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.
gdm has the correct domain. Maybe pam is not configured correctly. Below is /etc/pam.d/sddm from one of my systems, try making your gdm pam configuration more like this and see if things work correctly. #%PAM-1.0 # Block login if they are globally disabled auth requisite pam_nologin.so auth required pam_succeed_if.so user != root quiet_success # auth sufficient pam_succeed_if.so user ingroup nopasswdlogin @include common-auth # gnome_keyring breaks QProcess -auth optional pam_gnome_keyring.so -auth optional pam_kwallet5.so @include common-account # SELinux needs to be the first session rule. This ensures that any # lingering context has been cleared. Without this it is possible that a # module could execute code in the wrong domain. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close # Create a new session keyring. session optional pam_keyinit.so force revoke session required pam_limits.so session required pam_loginuid.so @include common-session # SELinux needs to intervene at login time to ensure that the process starts # in the proper default security context. Only sessions which are intended # to run in the user's context should be run after this. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open -session optional pam_gnome_keyring.so auto_start -session optional pam_kwallet5.so auto_start @include common-password # From the pam_env man page # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack. # Load environment from /etc/environment session required pam_env.so # Load environment from /etc/default/locale session required pam_env.so envfile=/etc/default/locale -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ _______________________________________________ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel