Hello!

>
> Firstly this is not a grave bug. Most of the benefits of SE Linux are on
> servers so even if it didn't work for a graphical login that wouldn't be a
> grave bug.

I completely disagree here! A large part of Debian installations is used as
desktop [1]. Just there, when using e-mails and web browsers, SELinux is of
great help.

>
> allow kernel_t systemd_unit_file_t:service { status start };
>
> The above line suggests that your init is running in the wrong domain. Check
> your audit.log and see what was running as kernel_t, probably running
> restorecon on that will fix it.

Checking this with your latest selinux-policy-default package:
2:2.20140421-10. Looks like this is fixed now. The list is now much smaller
(appended).

>
> #!!!! This avc can be allowed using one of the these booleans:
> # allow_execstack, allow_execmem
> allow unconfined_t self:process execmem;
>
> Some desktop environments (like KDE) require execmem. Setting allow_execmem
> will fix that. See setsebool(8).

I'm using Gnome. After

  # setsebool allow_execstack true
  # setsebool allow_execmem true

I'm now able to log in. Roughly checked some applications: iceweasel,
libre-office, gimp, ... No problems! Looks like the new version of
selinux-policy-default fixes a lot of things!

>
> Finally I can't do anything more about this without even knowing what desktop
> environment is having a problem. I need to know what XDM program and what
> desktop environment are being used and if it works with a different XDM or
> different desktop environment (twm is good for testing).
>

I'm using the default :-) Minimal VM installation and then:

  # apt-get install task-desktop

Do you need more information? List of installed packages? Command to set up
the VM?

Kind regards
Andre

[1] https://qa.debian.org/popcon.php?package=tasksel

===

# audit2allow --boot

#============= NetworkManager_t ==============
allow NetworkManager_t NetworkManager_initrc_exec_t:dir { read search };
allow NetworkManager_t systemd_logind_t:dbus send_msg;
allow NetworkManager_t systemd_logind_var_run_t:dir { read search };

#============= alsa_t ==============

#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t, var_lock_t, etc_t, tmpfs_t, user_home_dir_t, root_t, tmp_t, user_tmp_t, pulseaudio_tmpfsfile, alsa_etc_rw_t, user_home_t

allow alsa_t var_run_t:dir write;

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t xdm_t:process setsched;

#============= systemd_logind_t ==============
allow systemd_logind_t NetworkManager_t:dbus send_msg;

#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_rules_t, init_var_run_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t

allow systemd_logind_t tmpfs_t:dir write;
allow systemd_logind_t user_tmpfs_t:dir read;
allow systemd_logind_t user_tmpfs_t:file getattr;
allow systemd_logind_t xdm_tmpfs_t:dir read;
allow systemd_logind_t xdm_tmpfs_t:file getattr;

#============= udev_t ==============
allow udev_t self:netlink_socket create;

#============= unconfined_t ==============

#!!!! This avc can be allowed using one of the these booleans:
# allow_execstack, allow_execmem
allow unconfined_t self:process execmem;

#============= xdm_t ==============
allow xdm_t init_t:system status;
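The exchange above sorts the remaining denials into three kinds: ones a boolean covers (the "#!!!! ... booleans:" hint, fixed with setsebool), ones where the source domain may already write to similar types and the real problem is a mislabelled path (the "can write to a 'dir' of the following types" hint, where restorecon was suggested), and ones that need a policy change. The following script is an added example, not part of this bug report, of audit2allow or of the Debian policy package; it parses audit2allow's text output into that triage so a reporter can see which lines to handle locally and which to send to the maintainers. The input is a constructed, trimmed copy of the report's appended output, and the `triage` labels, `suggest()` wording and helper names are this example's own assumptions about the comment format, not an interface of audit2allow.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the format audit2allow prints (trimmed from the
# output appended to the report above; not a capture from the reporter's VM).
SAMPLE_AUDIT2ALLOW = """\
#============= alsa_t ==============

#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
# pulseaudio_home_t, alsa_tmp_t, var_lock_t, tmp_t, user_tmp_t

allow alsa_t var_run_t:dir write;

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t xdm_t:process setsched;

#============= unconfined_t ==============

#!!!! This avc can be allowed using one of the these booleans:
# allow_execstack, allow_execmem
allow unconfined_t self:process execmem;

#============= xdm_t ==============
allow xdm_t init_t:system status;
"""

# allow <source> <target>:<class> <perm | { perm ... }>;
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+);"
)
BOOL_HINT = "can be allowed using one of the these booleans:"  # audit2allow's own text
WRITE_HINT_RE = re.compile(r"The source type '(\S+)' can write to a '(\S+)' of the following types:")


@dataclass
class Rule:
    source: str
    target: str
    tclass: str
    perms: List[str]
    booleans: List[str] = field(default_factory=list)       # from a boolean hint
    writable_types: List[str] = field(default_factory=list)  # from a write hint

    @property
    def triage(self) -> str:
        """Hypothetical label: boolean (setsebool), labeling (check labels), policy."""
        if self.booleans:
            return "boolean"
        if self.writable_types:
            return "labeling"
        return "policy"


def parse_audit2allow(text: str) -> List[Rule]:
    """Turn audit2allow text output into Rule objects, attaching the hint that
    precedes each allow line."""
    rules: List[Rule] = []
    pending_bools: List[str] = []
    pending_types: List[str] = []
    expect_list: Optional[str] = None  # which kind of list the next '#' line holds
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#!!!!"):
            if BOOL_HINT in line:
                expect_list = "bool"
            elif WRITE_HINT_RE.search(line):
                expect_list = "types"
            continue
        if line.startswith("#="):  # "#============= <domain> ==============" header
            continue
        if line.startswith("#"):  # comma-separated list belonging to the last hint
            items = [t.strip() for t in line[1:].split(",") if t.strip()]
            if expect_list == "bool":
                pending_bools = items
            elif expect_list == "types":
                pending_types = items
            expect_list = None
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue
        perms = m.group("perms").strip("{} ").split()
        rules.append(Rule(m.group("src"), m.group("tgt"), m.group("cls"), perms,
                          pending_bools, pending_types))
        pending_bools, pending_types = [], []  # hints apply to one rule only
    return rules


def group_by_source(rules: List[Rule]) -> Dict[str, List[Rule]]:
    out: Dict[str, List[Rule]] = {}
    for r in rules:
        out.setdefault(r.source, []).append(r)
    return out


def suggest(rule: Rule) -> str:
    """Defender-side next step for one rule (wording is this example's own)."""
    what = f"{rule.source} -> {rule.target}:{rule.tclass} {' '.join(rule.perms)}"
    if rule.triage == "boolean":
        return f"boolean: {what}; one of {', '.join(rule.booleans)} permits this, see setsebool(8)"
    if rule.triage == "labeling":
        return (f"labeling: {what}; {rule.source} may already write to "
                f"{', '.join(rule.writable_types)}; check the path's label in audit.log "
                f"and consider restorecon before adding policy")
    return f"policy: {what}; no boolean or label fix, report it with the AVC line"


if __name__ == "__main__":
    for src, rs in group_by_source(parse_audit2allow(SAMPLE_AUDIT2ALLOW)).items():
        for r in rs:
            print(suggest(r))
```

Running it on the real `audit2allow --boot` output (piped to stdin instead of the constructed sample) gives a per-domain list of what to try first; the "policy" lines are the ones worth pasting into a report, since neither a boolean nor a relabel will make them go away.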