selinux-policy-3.3.1-16.fc9.noarch
gdm-2.21.9-3.fc9.i386

1) Boot with selinux=0
2) Login with gdm to a desktop
3) Reboot
4) Boot with selinux=0 and enforcing
5) gdm fails! You can't login!

Workaround
1) Erase everything in /tmp
2) Restart gdm

Could this possibly be fixed with selinux-policy? Sorry I don't know exactly what caused this failure.
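A check for the condition in the report above, as an added example that is not part of the original thread or of policycoreutils: it walks /tmp and lists entries that carry no usable SELinux label, so they can be reviewed before anything is erased. The function names are hypothetical, and treating `file_t` and `unlabeled_t` as the types reported for unlabeled objects is an assumption.

```python
import errno
import os

# Assumption: types SELinux reports for objects that carry no stored label.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def read_label(path):
    """Return the SELinux context stored on path, or None if it has none."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError as exc:
        # No xattr stored, or the filesystem does not support it.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.rstrip(b"\x00").decode()


def is_unlabeled(context):
    """True when there is no context or its type field is an unlabeled type."""
    if not context:
        return True
    fields = context.split(":")  # user:role:type[:level]
    return len(fields) < 3 or fields[2] in UNLABELED_TYPES


def unlabeled_entries(root, get_label=read_label):
    """Walk root without following symlinks; return sorted unlabeled paths."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if is_unlabeled(get_label(path)):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Run as root so every entry under /tmp is readable.
    for path in unlabeled_entries("/tmp"):
        print(path)
```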
Traditionally the file contexts have explicitly excluded relabelling anything under /tmp. The reason for this is that if some highly classified data is in a file in /tmp it would not be appropriate to relabel it to a default label (of which incidentally there really isn't one for strict or MLS policies and even for targeted there is no single label that works in all situations). So a "fixfiles relabel" operation will offer to remove all files under /tmp.
A default per-user /tmp would solve this.
Relabeling everything used to delete all the files in /tmp, which would fix the problem and cause gdm to recreate the files on start. But this was removed since it was considered too destructive.
Added
+ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
to fixfiles on autorelabel

policycoreutils-2.0.47-2
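Review bot: the added rm -rf line hard-codes three name patterns (/tmp/gconfd-*, /tmp/pulse-*, /tmp/orbit-*), so anything else left in /tmp by a session that ran with SELinux disabled survives the autorelabel with whatever label it had. Consider a comment in fixfiles stating why these three are removed rather than relabeled, and that the list needs extending when another desktop service keeps per-session state in /tmp.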