Hello, I have found this problem and managed to fix it for myself. The problem is that systemd user instances, running under init_t type, are not allowed to make type transitions.
gnome-terminal is started from a systemd user instance. To increase the logging, it is useful to add the "debug" parameter to pam_selinux in /etc/pam.d/systemd-user . The diagnostic is in the auth.log:

2018-01-02T15:31:33.228599+01:00 myhost systemd-logind[31422]: New session 15 of user ramon.
2018-01-02T15:31:33.230309+01:00 myhost systemd: pam_selinux(systemd-user:session): Open Session
2018-01-02T15:31:33.230770+01:00 myhost systemd: pam_selinux(systemd-user:session): Open Session
2018-01-02T15:31:33.234173+01:00 myhost systemd: pam_selinux(systemd-user:session): Username= ramongar SELinux User= user_u Level= s0-s0
2018-01-02T15:31:33.234771+01:00 myhost systemd: pam_selinux(systemd-user:session): Unable to get valid context for ramongar
2018-01-02T15:31:33.234896+01:00 myhost systemd: pam_selinux(systemd-user:session): conversation failed
2018-01-02T15:31:33.235001+01:00 myhost systemd: pam_unix(systemd-user:session): session opened for user ramongar by (uid=0)

The key is "Unable to get valid context for ramongar".

My fix was to create a policy module "inituser":

-----------------file inituser.te----------------------------------------------------------------
policy_module(inituser, 1.0.0)

require {
	type init_t;
}

## <desc>
## <p>
## Allow systemd user instances as sysadm_r:sysadm_t
## </p>
## </desc>
gen_tunable(inituser_sysadm_login, false)

auth_login_pgm_domain(init_t)

tunable_policy(`inituser_sysadm_login',`
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	userdom_spec_domtrans_all_users(init_t)
	userdom_signal_all_users(init_t)
',`
	userdom_spec_domtrans_unpriv_users(init_t)
	userdom_signal_unpriv_users(init_t)
')
------------------------------------------------------------------------------------------------------

Place this file inside the policy reference source directory, create empty inituser.fc and inituser.if, add it to modules.conf, build the policies and install. Perhaps there is some redundancy.

semodule -i inituser.pp

Now in a gnome-terminal the security context is correct:

> id -Z
user_u:user_r:user_t:s0

Hope this helps.

_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
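An added example, not part of the post above, that turns its diagnosis into a check: it scans auth.log lines (the sample below is constructed from the ones quoted in the post) for sessions where pam_selinux could not compute a context and reports whether pam_unix still opened the session afterwards, which is the condition that left the user's processes in the wrong domain. The function and regex names are this example's own.

```python
import re

# Constructed sample: the pam_selinux "debug" output quoted in the post.
SAMPLE_LOG = """\
2018-01-02T15:31:33.228599+01:00 myhost systemd-logind[31422]: New session 15 of user ramon.
2018-01-02T15:31:33.230309+01:00 myhost systemd: pam_selinux(systemd-user:session): Open Session
2018-01-02T15:31:33.234173+01:00 myhost systemd: pam_selinux(systemd-user:session): Username= ramongar SELinux User= user_u Level= s0-s0
2018-01-02T15:31:33.234771+01:00 myhost systemd: pam_selinux(systemd-user:session): Unable to get valid context for ramongar
2018-01-02T15:31:33.234896+01:00 myhost systemd: pam_selinux(systemd-user:session): conversation failed
2018-01-02T15:31:33.235001+01:00 myhost systemd: pam_unix(systemd-user:session): session opened for user ramongar by (uid=0)
"""

# Generic shape of a PAM module line: timestamp, host, process, module(service:phase): message
PAM_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+?: (?P<module>pam_\w+)\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
IDENT_RE = re.compile(r"Username= (?P<user>\S+) SELinux User= (?P<seuser>\S+) Level= (?P<level>\S+)")
FAIL_RE = re.compile(r"Unable to get valid context for (?P<user>\S+)")


def find_context_failures(log_text):
    """Return {user: record} for every user whose pam_selinux context lookup failed.
    The record keeps the PAM service, the SELinux user/level pam_selinux tried to map,
    and whether pam_unix nevertheless opened the session (login went ahead untransitioned)."""
    identity = {}   # user -> (seuser, level), from the debug "Username=" line
    failures = {}   # user -> record
    for line in log_text.splitlines():
        m = PAM_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if m.group("module") == "pam_selinux":
            ident = IDENT_RE.search(msg)
            if ident:
                identity[ident.group("user")] = (ident.group("seuser"), ident.group("level"))
            fail = FAIL_RE.search(msg)
            if fail:
                user = fail.group("user")
                seuser, level = identity.get(user, (None, None))
                failures[user] = {"ts": m.group("ts"), "service": m.group("service"),
                                  "seuser": seuser, "level": level, "session_opened": False}
        elif m.group("module") == "pam_unix" and "session opened for user " in msg:
            user = msg.split("session opened for user ")[1].split()[0]
            if user in failures:
                failures[user]["session_opened"] = True
    return failures
```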