Booting in strict/enforcing, 'Fedora' in the 'Welcome to Fedora Core' message is no longer red, the subsequent 6 or so messages are formatted differently (i.e., the '[OK]' is not nicely indented, and it is not in green). Also, rhgb doesn't start. (Yeah, I know, this is not a bug, its a feature ;) ) Anyway, the following patch puts the red and green back in the boot. The change mimics the privileges given for console_device_t:chr_file --- /etc/selinux/strict/src-1.17.16-3/policy/domains/program/consoletype.te 2004-09-16 07:14:24.000000000 -0700 +++ ./consoletype.te 2004-09-16 11:37:14.000000000 -0700 @@ -52,5 +52,5 @@ allow consoletype_t pam_var_run_t:file { getattr read }; ') ifdef(`distro_redhat', ` -dontaudit consoletype_t tmpfs_t:chr_file { read write }; +allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write }; ') The follow makes rhgb work in strict/enforcing. The problem is that it wants to mount /etc/rhgb, but it is currently labeled 'etc_t'. Labeling /etc/rhgb as 'root_t' makes it work. Not sure if this is really 'proper'. I'd be more comfortable with it being labeled something like 'etc_rhgb_t' or some such, or moving the mount point.... --- /etc/selinux/strict/src-1.17.16-3/policy/file_contexts/program/rhgb.fc 2004-09-16 07:14:24.000000000 -0700 +++ ./rhgb.fc 2004-09-16 12:21:12.424588200 -0700 @@ -1,2 +1,3 @@ /usr/bin/rhgb -- system_u:object_r:rhgb_exec_t #/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t +/etc/rhgb -d system_u:object_r:root_t