Running Rawhide, targeted enforcing. Booting into gdm/gnome, entering 'Ctl-Alt-F1' and logging in as the same user generates the following audit messages: type=USER_AUTH msg=audit(1199979217.226:28): user pid=2602 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=tbl exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)' type=USER_LOGIN msg=audit(1199979217.266:29): user pid=2602 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=500: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)' type=USER_AUTH msg=audit(1199979226.383:30): user pid=2602 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=tbl exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)' type=USER_LOGIN msg=audit(1199979226.384:31): user pid=2602 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=500: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)' type=USER_AUTH msg=audit(1199979234.098:32): user pid=2602 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=tbl exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=USER_ACCT msg=audit(1199979234.106:33): user pid=2602 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=tbl exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=LOGIN msg=audit(1199979234.108:34): login pid=2602 uid=0 old auid=4294967295 new auid=500 type=USER_ROLE_CHANGE msg=audit(1199979234.130:35): user pid=2602 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0 selected-context=unconfined_u:unconfined_r:unconfined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=AVC msg=audit(1199979234.132:36): avc: denied { link } for pid=2602 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key type=SYSCALL msg=audit(1199979234.132:36): arch=40000003 syscall=288 success=no exit=-13 a0=8 a1=fffffffc a2=fffffffd a3=1f4 items=0 ppid=1 pid=2602 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) type=USER_START msg=audit(1199979234.142:37): user pid=2602 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=tbl exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=CRED_ACQ msg=audit(1199979234.142:38): user pid=2602 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=tbl exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=USER_LOGIN msg=audit(1199979234.145:39): user pid=2602 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=500: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' Putting system into permissive mode and retrying appears to generate no new AVCs. Does #============= local_login_t ============== allow local_login_t xdm_t:key link; make sense? tom

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkeLgy0ACgkQrlYvE4MpobM2mACeKqtd04BdHEaD8276ZBJAfBYg nkYAn3pYgd42m198kVQdvhzUs7WUpuh1 =ECHH -----END PGP SIGNATURE-----