This is causing the welcome program to run as unconfined_t and prevents confined users from logging in.
Removing pam_selinux from the stack (as well as pam_namespace) changes the entire xdm suite to run as xdm_t as it should and allows me to login as staff_t not, unconfined_t.
If you want to use pam at all, you probably want a very limited stack.
i'll push a fix now that culls the pam list a bit in the service file, to prevent the greeter from running unconfined.
There's another problem where the pam conversation is run in the main slave process instead of a welcome specific subprocess, so the subsequent worker processes are run as if they're part of the welcome session. I'll address that when I get time to work on this upstream.
gdm-3.1.2-5.fc16 has been submitted as an update for Fedora 16.
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gdm-3.1.2-5.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
gdm-3.1.2-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.