Hello,
I have just started with SELinux and distro is Gentoo. What is the best way to get those base policies that you could shutdown and boot the computer in enforce mode. I shut the computer in permissive mode and then started it. Then I used audit2allow to create the policies. That's how I did it. I don't know is this the best way and are there better ways to do it.
Second question is about logging in.I can't log in when I'm in enforce mode and using staff_r role, I get this message:
"Your account has expired;please contact your system administrator."

Always when I'm logging in at permissive mode as staff_r or user_r role , I'll get these messages
"Warning! Could not get current context for /dev/tty2, not relabeling."
"Warning! Could not get current context for /dev/vcs2, not relabeling."
"Warning! Could not get current context for /dev/vcsa2, not relabeling."
Are these two things related.
I have tried to solve this with audit2allow in permissive mode and create those policies about logging.
But I don't know what is the problem here. I can log in as root with both modes.

Hello, again

"Problems" solved, few SELinux options were missing from kernel. Now users can log in without warnings.

Cool. Which options where missing just in case someone else stumbles on this thread later on?

I changed my kernel to newer one, so I have missed these

[*] /dev/pts Extended Attributes
[*] /dev/pts Security Labels
[*] Virtual memory file system support (former shm fs)
[*] tmpfs Extended Attributes
[*] tmpfs Security Labels

when I did that. But now I know, that I should check very carefully everything when I do "make menuconfig".