If I assign my username to the sysadm_u SELinux user and log out, I can’t log back in through gdm. I can log in through a getty, which thankfully allows me to fix things back. ausearch -m avc returns a bunch of denials from logind, gdm, init something…
Is this a completely dysfunctional SELinux policy? I thought sysadm_u would be the top user that can do whatever with SELinux and that no restrictions would exist (= SELinux would execute anything). Is sysadm_u completely not set up?
As already mentioned in your other topic, there is sufficient documentation about this phenomenon on the Internet and in the selinux-confined-users category: for security reasons, sysadm_u by default does not allow graphical sessions. There is a boolean that has to be changed in order to achieve that.
You can find more in earlier topics of the selinux-confined-users category or on the Internet with regards to sysadm_u and semanage.
No, but you need to be patient to learn how to use it: This is a complex technology, and it takes time to get used to it. Reviewing earlier topics and public documentation about selinux confined users can help to mitigate some issues that are normal in the beginning.
I already suggested in earlier topics that users who use confined users in production cases, especially if they are new to the technology, should enable root or any account with sudo and keep it unconfined_u, at least for as long as it takes to be sure that one has got used to the technology.
I echo what Chris said. I recall advising you about something similar a bit back:
If you really need to, you can disable SELinux via kernel option on boot, set the default level to permissive, and either revert or fix the policy for your user, and then once you aren’t getting unexpected AVC denials, set it back to enforcing. (You might not be able to sudo or su with that user policy.)
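As an added example (not code from anyone in this thread), the script below does the two things a defender wants when a confined login suddenly fails: it reads the state of the policy boolean that gates graphical sysadm_u sessions, and it condenses the flood of AVC denials from ausearch -m avc into one counted line per distinct (source type, target type, class, permissions) tuple, so the few real problems stand out. It assumes the Fedora/RHEL reference-policy boolean name xdm_sysadm_login, which the thread does not name; the AVC lines embedded in SAMPLE_AVC are constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example: triage helpers for a sysadm_u user refused by gdm.
# Assumes the reference-policy boolean xdm_sysadm_login (an assumption,
# not something the thread states).

# Classify a line of `getsebool xdm_sysadm_login` output.
# Prints "enabled", "disabled" or "unknown".
gui_login_state() {
    case "$1" in
        *"xdm_sysadm_login --> on"*)  echo enabled ;;
        *"xdm_sysadm_login --> off"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Summarise AVC denials read from stdin: one counted line per
# source type -> target type, object class and permission set,
# most frequent first.
summarise_avc() {
    awk '
        /avc:[ ]+denied/ {
            perms = ""; s = ""; t = ""; c = ""
            if (match($0, /denied[ ]+[{][^}]*[}]/)) {
                perms = substr($0, RSTART, RLENGTH)
                sub(/denied[ ]+/, "", perms)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s); split(s, a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t); split(t, b, ":"); t = b[3] }
                if ($i ~ /^tclass=/)   { c = $i; sub(/^tclass=/, "", c) }
            }
            key = s " -> " t " " c " " perms
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Live report against the real tools; only meaningful on an SELinux host
# with the policy utilities installed, so it is not run at load time.
live_report() {
    if command -v getsebool >/dev/null 2>&1; then
        echo "graphical sysadm_u login: $(gui_login_state "$(getsebool xdm_sysadm_login)")"
    fi
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -ts recent 2>/dev/null | summarise_avc
    fi
}

# Constructed AVC lines in ausearch's raw format (illustrative only).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:301): avc:  denied  { read } for  pid=1201 comm="gdm-session-wor" name=".Xauthority" dev="dm-0" ino=1001 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { read } for  pid=1201 comm="gdm-session-wor" name=".profile" dev="dm-0" ino=1002 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { send_msg } for  pid=1 comm="systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=dbus permissive=0'

# Run the summary over the constructed sample; returns the top line.
sample_top_line() {
    printf '%s\n' "$SAMPLE_AVC" | summarise_avc | head -n 1
}
```

On a real host, source the file from the getty session and call live_report; if the boolean reads "disabled", the fix the thread points at is setsebool -P xdm_sysadm_login on, and the summary shows whether any other denials remain once that is done. If the same host is in permissive mode during recovery, lines carry permissive=1 and the summary still counts them, which is exactly what you want before switching back to enforcing.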