Gentoo Forums
can't startx with selinux
gxeyes
n00b
Joined: 05 Nov 2020
Posts: 12

Posted: Wed Feb 02, 2022 6:18 am    Post subject: can't startx with selinux

I've installed a stage 3 with selinux support and emerged x server. Also relabeled the whole system after that just in case.

While the CLI side of the system seems to be in a working condition in enforce mode, trying to startx causes the system to hang with a blank screen, and I can't use ctrl-alt-fn to switch to another TTY.

If I use semanage permissive -a to put server_t, xauth_t, systemd_logind_t (elogind?) and system_dbusd_t into permissive mode, the x server can start and there are a bunch of AVC denies logged, such as can't { getattr } for "/" and can't { use } "/dev/dri/card0".

Does this point to a broken install or to some missing steps somewhere, or is this (startx manually) not a well supported use case for selinux on Gentoo?

I have two other basic questions:

1. I'm a bit more familiar with AppArmor, and when aa complains (logs denials in syslog) it is usually clear enough to add needed rules to the application's profile. I've been reading up on selinux concepts like labels and roles but can't even find where the profile/policy for x server would be on the system, let alone trying to modify it. Would appreciate any pointers on getting started here in case I need to "fix" the x server ones or create more custom rules.

2. What's an effective way to search for selinux answers on the internet?
If I search for the actual error message, it seems that 99% of the results are bug reports and take the form of:
user: X app doesn't work in selinux, is this a bug?
dev: try this patch?
user: it works
dev: will be fixed in the next release
without any detailed "technical info" or how it was fixed.
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3948

Posted: Wed Feb 02, 2022 9:31 am    Post subject:

Please try
Code:

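# Build a local policy module (my_pol1.te and my_pol1.pp) from the logged AVC denials
ausearch -m AVC | audit2allow -a -M my_pol1
# Load the compiled module into the running policy
semodule -i my_pol1.pp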

You do have auditd running, no?
You should lobby the Gentoo selinux developers/maintainers to make available the setroubleshoot-server package.
Until then you will have a bumpy ride with selinux.
_________________
:)
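
To see which permissions a module built from the logged denials would grant before loading it with semodule -i, the AVC records can be grouped into the allow rules they imply. The following is an added example, not part of the original posts; the sample log lines are constructed, and the SELinux type names in them (xserver_t, root_t, dri_device_t) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the denials described in the thread;
# the pids, inode numbers and SELinux type names are assumptions.
SAMPLE_LOG = '''\
type=AVC msg=audit(1643782680.101:201): avc:  denied  { getattr } for  pid=1234 comm="X" path="/" dev="sda2" ino=2 scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1643782680.105:202): avc:  denied  { use } for  pid=1234 comm="X" path="/dev/dri/card0" dev="devtmpfs" ino=311 scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
type=AVC msg=audit(1643782680.109:203): avc:  denied  { read write } for  pid=1234 comm="X" path="/dev/dri/card0" dev="devtmpfs" ino=311 scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1643782680.109:203): arch=c000003e syscall=16 success=yes exit=0
type=AVC msg=audit(1643782681.000:204): avc:  denied  { getattr } for  pid=1234 comm="X" path="/" dev="sda2" ino=2 scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    # An SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(':')[2]

def parse_avc(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    rules = defaultdict(lambda: {'perms': set(), 'paths': set(), 'count': 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip SYSCALL, PATH and other non-AVC records
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m['fields'])}
        key = (type_of(f['scontext']), type_of(f['tcontext']), f['tclass'])
        rules[key]['perms'].update(m['perms'].split())
        rules[key]['count'] += 1
        if 'path' in f:
            rules[key]['paths'].add(f['path'])
    return dict(rules)

def allow_rules(rules):
    """Render each group in the allow-rule syntax of a policy .te file."""
    out = []
    for (src, tgt, cls), info in sorted(rules.items()):
        perms = ' '.join(sorted(info['perms']))
        if len(info['perms']) > 1:
            perms = '{ ' + perms + ' }'
        out.append(f'allow {src} {tgt}:{cls} {perms};')
    return out

if __name__ == '__main__':
    parsed = parse_avc(SAMPLE_LOG)
    for key, rule in zip(sorted(parsed), allow_rules(parsed)):
        print(rule, '#', parsed[key]['count'], 'denial(s) on', sorted(parsed[key]['paths']))
```

Passing the text output of ausearch -m AVC to parse_avc() in place of the sample lists, per domain, what installing a module generated from those denials would permit.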