selinux-policy/xdm_entrypoint_pam.patch

Index: fedora-policy/policy/modules/roles/unconfineduser.te
===================================================================
--- fedora-policy.orig/policy/modules/roles/unconfineduser.te
+++ fedora-policy/policy/modules/roles/unconfineduser.te
@@ -126,6 +126,10 @@ optional_policy(`
 	')
 
 	optional_policy(`
+		xdm_entrypoint(unconfined_t)
+	')
+
+	optional_policy(`
 		abrt_dbus_chat(unconfined_t)
 		abrt_run_helper(unconfined_t, unconfined_r)
 	')
Index: fedora-policy/policy/modules/services/xserver.if
===================================================================
--- fedora-policy.orig/policy/modules/services/xserver.if
+++ fedora-policy/policy/modules/services/xserver.if
@@ -507,6 +507,23 @@ interface(`xserver_domtrans_xdm',`
 	domtrans_pattern($1, xdm_exec_t, xdm_t)
 ')
 
+########################################
+## <summary>
+##      Allow any xdm_exec_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xdm_entrypoint',`
+        gen_require(`
+                type xdm_exec_t;
+        ')
+        allow $1 xdm_exec_t:file entrypoint;
+')
 
 ########################################
 ## <summary>