diff -ru default/domains/program/xdm.te current/domains/program/xdm.te
--- default/domains/program/xdm.te 2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/xdm.te 2003-05-24 13:08:34.000000000 +0200
@@ -3,7 +3,7 @@
 # Authors: Mark Westerman mark.westerman@westcam.com
 #
 # Some alterations and documentation by Stephen Smalley
-#
+# Some wdm-specific changes by Tom Vogt
 #################################
 #
@@ -11,19 +11,29 @@
 #
 # xdm_t is the domain of a X Display Manager process
 # spawned by getty.
-# xdm_exec_t is the type of the [xgk]dm program
+# xdm_exec_t is the type of the [xgkw]dm program
 #
 daemon_domain(xdm, `, privuser, privrole, auth, privowner, privmem')
 # for running xdm from init
 domain_auto_trans(init_t, xdm_exec_t, xdm_t)
+# for xdmctl
+allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
+
 tmp_domain(xdm)
 var_lib_domain(xdm)
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+# Added write access, not sure if it is required (Tom)
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read write };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 type xsession_exec_t, file_type, sysadmfile, exec_type;
+type etc_xdm_t, file_type, sysadmfile;
+
+# xdm_xserver_t needs to inherit the init file descriptors
+allow xdm_xserver_t initrc_t:fd { use };
+allow xdm_xserver_t initrc_t:fifo_file { read write };
 allow xdm_t default_context_t:file { read getattr };
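Review bot: `allow xdm_xserver_t xdm_var_lib_t:file { getattr read write };` adds write on the strength of the comment above it, `# Added write access, not sure if it is required (Tom)`, which is a guess the policy will then carry indefinitely. The rule directly before it deliberately withholds `dir` access from the X server, so this file already treats the xdm_var_lib_t grants as a minimal set. Suggest keeping `{ getattr read }` until an AVC denial shows the X server actually writing one of these files, and then replacing the comment with the name of what it writes. The same question applies to `allow xdm_xserver_t initrc_t:fifo_file { read write };` a few lines down, where the comment explains only the `fd use` inheritance, not why the server must also write the fifo.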
@@ -35,13 +45,23 @@
 # for reboot
 allow xdm_t initctl_t:fifo_file write;
+# init script wants to check if it needs to update windowmanagerlist
+allow initrc_t etc_xdm_t:file { read };
+
 #
 # Use capabilities.
-allow xdm_t self:capability { setgid setuid sys_resource kill };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_rawio };
+
+# Use shared memory (with itself)
+allow xdm_t xdm_t:shm { create destroy read unix_read unix_write write };
 # Use /dev/mem.
 # Commented out by default.
 #allow xdm_t memory_device_t:chr_file { execute read write };
+# wdm just asks for read access
+allow xdm_t memory_device_t:chr_file { read };
+# but xdm_xserver wants to write, too
+allow xdm_xserver_t memory_device_t:chr_file { read write };
 allow xdm_t random_device_t:chr_file { getattr read };
@@ -67,7 +87,6 @@
 # Access xdm log files.
 file_type_auto_trans(xdm_t, var_log_t, xserver_var_log_t)
-
 allow xdm_t xserver_var_log_t:file create_file_perms;
 allow userdomain xdm_xserver_t:unix_stream_socket connectto;
@@ -88,7 +107,7 @@
 allow xdm_t lastlog_t:file rw_file_perms;
 # Ask the security server for SIDs for user sessions.
-allow xdm_t security_t:security { get_user_sids context_to_sid };
+allow xdm_t security_t:security { get_user_sids context_to_sid sid_to_context };
 # Access the shared memory pseudo file system.
 # Should really define a derived type for this.
@@ -111,6 +130,11 @@
 allow xdm_t etc_t:lnk_file read;
 allow xdm_t etc_runtime_t:file { getattr read };
+# wdm has its own config dir /etc/X11/wdm
+file_type_auto_trans(xdm_t, etc_t, etc_xdm_t);
+allow xdm_t etc_xdm_t:file create_file_perms;
+allow xdm_t etc_xdm_t:dir rw_file_perms;
+
 # Signal any user domain.
 allow xdm_t userdomain:process signal_perms;
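Review bot: The two `memory_device_t:chr_file` rules unconditionally re-enable what the context line just above keeps `# Commented out by default`, and `sys_rawio` is added to xdm_t's capability set in the same hunk; together they give the display manager read access to /dev/mem and the X server read/write access for every [xgkw]dm installation, not only the wdm case the comments cite. If wdm is the only reason, the grants should stay gated the way the original author gated them (left commented, or behind a build-time conditional if this policy build supports one), with the justification recorded next to them. The `xdm_xserver_t` rule also sits in the wrong file: the xserver.te hunk later in this patch states that everything for that domain lives in the xserver_domain macro, and scattering X-server rules into xdm.te makes the domain's real permission set hard to audit.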
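Review bot: `file_type_auto_trans(xdm_t, etc_t, etc_xdm_t);` in the last hunk is broader than the comment `# wdm has its own config dir /etc/X11/wdm` needs: the transition is keyed on the parent type etc_t, so it applies to file creation in any etc_t directory, and if the macro grants the usual directory write permissions on its source type that amounts to write access across /etc. The xdm.fc hunk in this patch already labels `/etc/X11/wdm(/.*)?` as etc_xdm_t, so the directory itself carries the type and files created inside it inherit it without a transition; dropping the macro call and keeping `allow xdm_t etc_xdm_t:file create_file_perms;` plus a directory rule should suffice. Two smaller points: the trailing `;` on that macro call differs from the other `file_type_auto_trans(...)` invocations in this file, and `rw_file_perms` on the `dir` class applies a file permission set to a directory where a directory set (`rw_dir_perms`, if this policy's macros define it) is the intended one.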
@@ -143,10 +167,23 @@
 dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
 # Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_var_log_t:file append;
+dontaudit unpriv_userdomain xserver_var_log_t:file { write append };
+
 # Access sound device.
 allow xdm_t sound_device_t:chr_file { setattr getattr };
 # Run the X server in a derived domain.
 xserver_domain(xdm)
+
+ #
+ # When the user session comes up, it checks the wdm config dir
+ # and the authfiles in /var/lib/wdm/authdir/authfiles/
+ allow user_t etc_xdm_t:dir { search };
+ allow user_t xdm_exec_t:file { entrypoint };
+ allow user_t xdm_var_lib_t:file { read write };
+
+ # Also, it inherits an fd
+ allow xdm_xserver_t user_t:fd { use };
+
diff -ru default/domains/program/xfs.te current/domains/program/xfs.te
--- default/domains/program/xfs.te 2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/xfs.te 2003-05-24 10:46:46.000000000 +0200
@@ -13,7 +13,15 @@
 #
 daemon_domain(xfs)
-tmp_domain(xfs)
+# tmp_domain(xfs)
+# for /tmp/.font-unix/fs7100
+type xfs_tmp_t, file_type, sysadmfile, tmpfile;
+file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)
+
+allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
+allow xfs_t proc_t:file { getattr read };
+
+allow xfs_t self:process setpgid;
 # Use capabilities.
 allow xfs_t xfs_t:capability { setgid setuid };
@@ -21,3 +29,5 @@
 # Bind to /tmp/.font-unix/fs-1.
 allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
+allow xfs_t tmp_t:dir { search };
+
diff -ru default/domains/program/xserver.te current/domains/program/xserver.te
--- default/domains/program/xserver.te 2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/xserver.te 2003-05-24 11:04:36.000000000 +0200
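Review bot: The closing block of xdm.te hard-codes `user_t` where the rest of the file works with the `userdomain` and `unpriv_userdomain` attributes (`allow userdomain xdm_xserver_t:unix_stream_socket connectto;` earlier in the patch, `dontaudit unpriv_userdomain xserver_var_log_t:file ...` in this very hunk), so sessions in any other user domain miss these rules and the two conventions will drift. `allow user_t xdm_exec_t:file { entrypoint };` also turns the display-manager binaries themselves into entry points into the user domain; only the session script should be one, and this file already declares xsession_exec_t for exactly that purpose. `allow user_t xdm_var_lib_t:file { read write };` grants the session write access to the display manager's authdir files with no comment saying which file is written; if the session only reads its auth cookie, `read` is enough.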
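Review bot: In the first xfs.te hunk `# tmp_domain(xfs)` is left as a dead commented-out line above the hand-written replacement (`type xfs_tmp_t ...` and `file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)`), with nothing saying what the macro provided that the replacement drops or why the transition is keyed on initrc_tmp_t; either delete the line or replace it with a comment such as `# tmp_domain(xfs) replaced: the socket is created under a directory owned by initrc (initrc_tmp_t) — confirm against the macro`. The new comment `# for /tmp/.font-unix/fs7100` also disagrees with the existing `# Bind to /tmp/.font-unix/fs-1.` in the next hunk, so one of the two is stale. `allow xfs_t proc_t:file { getattr read };` is unexplained as well; a comment naming the proc file the font server reads would let a later reviewer narrow it.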
@@ -34,3 +34,7 @@
 # Everything else is in the xserver_domain macro in
 # macros/program/xserver_macros.te.
+# XFree86-4 wants to check if kernel is tainted
+allow xdm_xserver_t sysctl_kernel_t:dir { search };
+allow xdm_xserver_t sysctl_kernel_t:file { getattr read };
+allow xdm_xserver_t sysctl_t:dir { search };
diff -ru default/file_contexts/program/xdm.fc current/file_contexts/program/xdm.fc
--- default/file_contexts/program/xdm.fc 2003-05-15 05:22:15.000000000 +0200
+++ current/file_contexts/program/xdm.fc 2003-05-24 11:32:37.000000000 +0200
@@ -1,11 +1,19 @@
 # X Display Manager
-/usr/bin/[xgk]dm system_u:object_r:xdm_exec_t
+/usr/bin/[xgkw]dm system_u:object_r:xdm_exec_t
+/usr/X11R6/bin/[xgkw]dm system_u:object_r:xdm_exec_t
+/usr/X11R6/bin/wdmLogin system_u:object_r:xdm_exec_t
 /usr/bin/gpe-dm system_u:object_r:xdm_exec_t
+/usr/sbin/update_wdm_wmlist system_u:object_r:xdm_exec_t
-/var/[xgk]dm(/.*)? system_u:object_r:xserver_var_log_t
-/usr/var/[xgk]dm(/.*)? system_u:object_r:xserver_var_log_t
-/var/log/kdm\.log system_u:object_r:xserver_var_log_t
+/var/[xgkw]dm(/.*)? system_u:object_r:xserver_var_log_t
+/usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_var_log_t
+/var/log/[xgkw]dm\.log system_u:object_r:xserver_var_log_t
 /tmp/\.X11-unix(/.*)? system_u:object_r:initrc_xserver_tmp_t
 /tmp/\.X0-lock system_u:object_r:xdm_tmp_t
 /etc/X11/Xsession[^/]* -- system_u:object_r:xsession_exec_t
+/etc/X11/wdm(/.*)? system_u:object_r:etc_xdm_t
+/etc/X11/wdm/Xsetup(_0)? system_u:object_r:xdm_exec_t
+/etc/X11/wdm/Xstartup(_0)? system_u:object_r:xdm_exec_t
+/etc/X11/wdm/Xreset(_0)? system_u:object_r:xdm_exec_t
+/etc/X11/wdm/Xsession system_u:object_r:xdm_exec_t
 /var/run/xdmctl system_u:object_r:xdm_var_run_t
 /var/lib/kdm(/.*)? system_u:object_r:xdm_var_lib_t
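Review bot: `allow xdm_xserver_t sysctl_kernel_t:file { getattr read };` is wider than its comment `# XFree86-4 wants to check if kernel is tainted`: sysctl_kernel_t covers every file in the kernel sysctl tree, not just the tainted flag, so the X server gains read access to all of them. Read-only is low risk here, but the comment should state the actual scope, e.g. `# XFree86-4 reads the kernel 'tainted' sysctl; sysctl_kernel_t covers the whole kernel sysctl tree, read-only`, so the grant is not mistaken for a single-file exception later.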
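Review bot: In the xdm.fc hunk, `/etc/X11/wdm/Xsession system_u:object_r:xdm_exec_t` gives the wdm session script the display manager's own executable type, while the generic `/etc/X11/Xsession[^/]* -- system_u:object_r:xsession_exec_t` two lines above labels the other display managers' session script with the dedicated xsession_exec_t. That mismatch is what forces the `allow user_t xdm_exec_t:file { entrypoint };` rule in xdm.te, which widens the user domain's entry points to every [xgkw]dm binary; labelling it `/etc/X11/wdm/Xsession -- system_u:object_r:xsession_exec_t` keeps the entry point on the script alone and lets that rule be dropped. The five new /etc/X11/wdm entries also omit the `--` file-type qualifier used on the Xsession line above them, so they would match directories or other object types of the same name.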