Bug 119597 - cannot login -- cannot find home directory
Summary: cannot login -- cannot find home directory
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Duplicates: 119658 119764
Depends On:
Blocks: 122683
Reported: 2004-03-31 20:08 UTC by Gene Czarcinski
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-05-11 11:11:33 UTC
Type: ---
Embargoed:



Description Gene Czarcinski 2004-03-31 20:08:39 UTC
Description of problem:

After applying the latest updates for policy/policy-sources 1.9.1-4
and policycoreutils 1.9-16 from development, I could not login from
gdm (could from a VT).

Reinstalled 1.9.1-2 (policy and policy sources) and 1.9-16
(policycoreutils) and everything works again.

Comment 1 Bill Nottingham 2004-04-01 06:06:22 UTC
*** Bug 119658 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2004-04-01 18:15:20 UTC
Not sure what caused this, but today's policy seems to work
1.9.2-1

Comment 3 Daniel Walsh 2004-04-01 18:15:35 UTC
Not sure what caused this, but today's policy seems to work
1.9.2-1

Comment 4 Miloš Komarčević 2004-04-02 00:17:27 UTC
Doesn't work here (policy-1.9.2-1 and policycoreutils-1.9-19) - I
cannot login via gdm at all (neither as root nor normal user: home
directory does not exist) unless I turn enforcing off.
I relabeled the filesystem and rebooted after upgrading.

Comment 5 Gene Czarcinski 2004-04-02 06:30:17 UTC
I also updated.  I also have the problem back.

Comment 6 Gene Czarcinski 2004-04-02 09:18:29 UTC
Here are the messages I get when I try to login (from /var/log/messages):

Apr  2 04:18:03 hummer gdm(pam_unix)[12970]: session opened for user
czarcing by (uid=0)
Apr  2 04:18:03 hummer kernel: audit(1080897483.768:0): avc:  denied 
{ getattr } for  pid=12970 exe=/usr/bin/gdm-binary path=/home/czarcing
dev=hda10 ino=1209338 scontext=system_u:system_r:xdm_t
tcontext=czarcing:object_r:staff_home_dir_t tclass=dir
Apr  2 04:18:03 hummer gdm[12970]: gdm_slave_session_start: Home
directory for czarcing: '/home/czarcing' does not exist!
Apr  2 04:18:09 hummer gdm(pam_unix)[12970]: session closed for user
czarcing

Comment 7 Daniel Walsh 2004-04-02 13:38:23 UTC
add

allow xdm_t $1_home_dir_t:dir { getattr };

to 

/etc/security/selinux/src/policy/macros/base_user_macros.te
under the xdm section,

then type 

make -C /etc/security/selinux/src/policy load

This is fixed in policy-1.9.2-5



Comment 8 Scott Sloan 2004-04-02 14:04:12 UTC
*** Bug 119764 has been marked as a duplicate of this bug. ***

Comment 9 Gene Czarcinski 2004-04-02 14:17:38 UTC
OK, I am still getting something wrong.  I added the "allow" line to
the end of the file and get:

/usr/bin/checkpolicy  -o /etc/security/selinux/policy.16
/etc/security/selinux/src/policy.conf
/usr/bin/checkpolicy:  loading policy configuration from
/etc/security/selinux/src/policy.conf
macros/base_user_macros.te:332:WARNING 'unrecognized character' at
token '$' on line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
  
macros/base_user_macros.te:332:ERROR 'syntax error' at token '1' on
line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
  
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration

Comment 10 Daniel Walsh 2004-04-02 14:32:43 UTC
You put it in the wrong place. It needs to be with the other xdm stuff.  
Basically this is within a macro so if you look for xdm_t in the file
and put this line after it the $1 will get translated.

Dan
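
Added example (not part of the original bug thread, and not code from the policy package): a small parser that turns the AVC denial posted in comment 6 into the allow rule given in comment 7, including folding the type prefix back to $1 for use inside the per-user macro. The function names and the macro_param argument are assumptions made for illustration.

```python
import re

# AVC denial from comment 6, re-joined onto one line (the bug page wraps it).
AVC_COMMENT_6 = (
    "Apr  2 04:18:03 hummer kernel: audit(1080897483.768:0): avc:  denied "
    "{ getattr } for  pid=12970 exe=/usr/bin/gdm-binary path=/home/czarcing "
    "dev=hda10 ino=1209338 scontext=system_u:system_r:xdm_t "
    "tcontext=czarcing:object_r:staff_home_dir_t tclass=dir"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return the fields of one 'avc: denied' kernel message, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    # A context is user:role:type; the policy rule only needs the type.
    return {
        "perms": m.group("perms").split(),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
    }


def allow_rule(avc, macro_param=None):
    """Build the allow rule for a denial.

    macro_param (hypothetical helper argument) is the value $1 takes when the
    per-user macro is expanded, e.g. "staff". When given, a matching type
    prefix is folded back to $1 so the rule can sit inside the macro, which
    is why the line fails to parse when placed outside it (comment 9).
    """
    target = avc["target"]
    if macro_param and target.startswith(macro_param + "_"):
        target = "$1" + target[len(macro_param):]
    return "allow %s %s:%s { %s };" % (
        avc["source"], target, avc["tclass"], " ".join(avc["perms"]))
```
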

Comment 11 Gene Czarcinski 2004-04-02 14:51:02 UTC
Success!

I believe I really need to read those papers on SELinux policy so that
I can understand how to fix and/or understand policy related problems
better.

Suggestion ... when suggesting adding something to a file, put your
suggestion into more or less "patch" format so that we (who do not
understand the fine points) can get it right the first time ... you
said add a line so I added it to the end of the file.

Comment 12 Daniel Walsh 2004-04-02 14:59:23 UTC
I will do that.  I am also considering putting updated policy for
people to try on my people page, so you don't have to wait twenty four
hours.

Dan

Comment 13 Phil Moors 2004-04-02 16:34:40 UTC
Install from CD on 3-31 was okay. I got this same problem after doing
a yum update on 4-1 (about 150 packages). I believe a policy update
was in the mix.

I could only get into the failsafe session as root/staff_r. Had to
newrole -r sysadm_r to run as real root. setfiles /home didn't fix the
problem. Neither did fixfiles relabel (and reboot).

Looking in /etc/security/selinux I found a policy.15 file and a
policy.16 file. The policy.16 file was date stamped as the original
install from CD. The policy.15 file was date stamped March 24, which I
assume was time of packaging. I moved the policy.16 file to /root
leaving only file_contexts and policy.15 in the selinux directory.

When I went to logout gdm got caught in a loop trying to restart over
and over. A three-finger salute took the system down via init6.

After the reboot, the system is AOK. Login with home directory and
enforcement is on.

No scientific analysis was done here. I just "tried something" and it
worked.

Hope this helps.
Phil

Comment 14 J. Scott Farrow 2004-04-03 04:36:05 UTC
I'm still having problems here.  I loaded the updated policy and
rebooted.  Things initially looked fine, but after logging in via gdm
as my normal user, I discovered I couldn't start many processes.  I
logged out, and X11 won't start any more.  I got stuck in the
start-fail-retry loop with X until it gave up.

I ran another fixfiles and rebooted, but no changes.  Still throwing
multiple denied messages like so:

Apr  2 21:29:52 pontifex kernel: audit(1080966592.925:0): avc:  denied
 { read append } for  pid=1668 exe=/usr/bin/gdm-binary
name=.Xauthority dev=hde4 ino=357693 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file

and

Apr  2 21:29:52 pontifex kernel: audit(1080966592.930:0): avc:  denied
 { write } for  pid=1668 exe=/usr/bin/gdm-binary name=sfarrow dev=hde4
ino=32513 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr  2 21:29:52 pontifex gdm[1668]: run_session_child: Could not open
~/.xsession-errors

Probably related, gnome failsafe login session fails to start a
terminal.  A full login works, but unable to start many common apps,
like Mozilla.

Policy and kernel version are:
policy-1.9.2-5
kernel-2.6.4-1.300

- Scott




Comment 15 Leonard den Ottolander 2004-05-11 09:01:45 UTC
Is the issue in comment #14 resolved?

