So. I've got vanilla FC2 with SELinux loaded and the standard policy sources loaded on my laptop. For various reasons (low memory and a general dislike for all things GNOME, primarily), I'm trying to make good old xdm work and start boring old twm. This requires a little bit of manhandling within /etc/X11/xdm/Xsession and /etc/inittab. No big deal here.

As packaged, the policy sets up xdm running as system_u:system_r:xdm_t. This starts a copy of X which is transitioned into system_u:system_r:xdm_xserver_t. Then there's a display ":0" sitting around on a third pid running as system_u:system_r:xdm_t. Fine.

Logging in as my user (which results in a nice clean emf:user_r:user_t on the console) launches a twm as system_u:system_r:xdm_t, and then when I attempt to run an Xterm, I get the following avc denies:

    avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
    avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
    avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir

and xterm promptly exits since it can't get a pty, and everything is still running as system_r:xdm_t; the real issue here.

/etc/security/default_contexts does have an entry for:

    system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t

I even tried changing that to read:

    system_r:xdm_t user_r:user_t

At this point, I started flailing around a little bit and created an Xwm.{te|fc} pair:

    type Xwm_exec_t, file_type, sysadmfile, exec_type;
    domain_auto_trans(xdm_t,Xwm_exec_t,user_t)

    /usr/X11R6/bin/twm system_u:object_r:Xwm_exec_t

reloaded the policy, and relabelled twm. Alles gut, ya? Nein!

Now, when xdm->Xsession fires off twm, I get this:

    security_compute_sid: invalid context system_u:system_r:user_t for scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:Xwm_exec_t tclass=process

and twm exits. Clearly, that wasn't the answer. So.....

Questions are:

1) why doesn't default_contexts appear to have any influence upon xdm?
1a) is there a way to force it?
2) what am I supposed to do to get my window manager and its children into user_r:user_t ?

Thanks in advance...

-- 
Erik Fichtner; Unix Ronin
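For triaging kernel messages like the ones quoted in the post, here is an added example (my own code, not from the post, the FC2 policy, or any SELinux tool). It parses the "avc: denied" lines and the "security_compute_sid: invalid context" line into structured records, groups denials by (source context, target context, object class) with the union of denied permissions, and, for a compute_sid failure, reports whether the rejected context kept the source's role while changing the type. That last check rests on a general SELinux fact: a context is rejected as invalid when its role is not authorized for its type (or its user for its role), so a role that did not change alongside a type that did is the first thing to look at. The sample input is the four lines from the post; the field and function names are my own.

```python
import re
from collections import defaultdict

# Sample input: the denial and compute_sid lines quoted in the post above.
SAMPLE_LOG = """\
avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
security_compute_sid: invalid context system_u:system_r:user_t for scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:Xwm_exec_t tclass=process
"""

# "avc: denied { perm perm } for key=value ..." (old-style, non-audit format as in the post)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# "security_compute_sid: invalid context CTX for key=value ..."
SID_RE = re.compile(r"security_compute_sid:\s+invalid context\s+(?P<ctx>\S+)\s+for\s+(?P<rest>.*)")
# key=value pairs; the value may be empty (e.g. "dev=" in the post)
KV_RE = re.compile(r"(\w+)=(\S*)")


def split_context(ctx):
    """Split a user:role:type context into its parts (no MLS field on FC2)."""
    user, role, type_ = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": type_}


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    line = line.strip()
    m = AVC_RE.match(line)
    if m:
        fields = dict(KV_RE.findall(m.group("rest")))
        return {"kind": "avc", "perms": m.group("perms").split(), **fields}
    m = SID_RE.match(line)
    if m:
        fields = dict(KV_RE.findall(m.group("rest")))
        return {"kind": "compute_sid", "invalid": m.group("ctx"), **fields}
    return None


def summarize(log_text):
    """Group denials by (scontext, tcontext, tclass); collect compute_sid failures."""
    denials = defaultdict(set)
    invalid = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "avc":
            key = (rec["scontext"], rec["tcontext"], rec["tclass"])
            denials[key].update(rec["perms"])
        else:
            invalid.append(rec)
    return denials, invalid


def role_unchanged(rec):
    """For a compute_sid failure: True when the rejected context carries the
    source's role but a different type, i.e. the role was never transitioned
    while the type was. (Hypothetical helper name; the check itself is generic.)"""
    src = split_context(rec["scontext"])
    bad = split_context(rec["invalid"])
    return src["role"] == bad["role"] and src["type"] != bad["type"]


if __name__ == "__main__":
    denials, invalid = summarize(SAMPLE_LOG)
    for (src, tgt, cls), perms in sorted(denials.items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
    for rec in invalid:
        flag = "role unchanged, type changed" if role_unchanged(rec) else "see role/user authorisation"
        print(f"invalid context {rec['invalid']} from {rec['scontext']} on {rec['tcontext']}: {flag}")
```

Run stand-alone it prints two grouped denial lines (xdm_t on ptmx_t chr_file: read write; xdm_t on devpts_t dir: search) and one flagged compute_sid line. The grouping collapses the duplicate devpts_t search denial, which is the usual first step before deciding whether a denial reflects a missing rule or, as in the post, a process that never left the domain it was supposed to leave.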