1) Boot with selinux=0
2) Login with gdm to a desktop
4) Boot with selinux=0 and enforcing
5) gdm fails! You can't login!
1) Erase everything in /tmp
2) Restart gdm
Could this possibly be fixed with selinux-policy?
Sorry I don't know exactly what caused this failure.
Traditionally the file contexts have explicitely excluded relabelling anything
under /tmp. The reason for this is that if some highly classified data is in a
file in /tmp it would not be appropriate to relabel it to a default label (of
which incidentally there really isn't one for strict or MLS policies and even
for targeted there is no single label that works in all situations). So a
"fixfiles relabel" operation will offer to remove all files under /tmp
A default per-user /tmp would solve this.
Relabeling everything used to delete all the files in /tmp, which would fix the
problem and cause gdm to recreate the files on start. But this was removed
since it was considered to destructive.
+ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
to fixfiles on autorelabel