--- /usr/share/selinux/policy/default.1.14/domains/program/xdm.te 2004-08-02 08:28:37.000000000 +0100 +++ domains/program/xdm.te 2004-08-28 17:30:08.000000000 +0100 @@ -28,7 +28,7 @@ # for xdmctl allow xdm_t xdm_var_run_t:fifo_file create_file_perms; allow initrc_t xdm_var_run_t:fifo_file unlink; -file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file) +file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, { dir fifo_file} ) tmp_domain(xdm) var_lib_domain(xdm) @@ -183,7 +183,8 @@ allow xdm_t self:process { setpgid setsched }; allow xdm_t etc_t:lnk_file read; -allow xdm_t etc_runtime_t:file { getattr read }; +allow xdm_t etc_runtime_t:file { getattr read lock }; +allow xdm_t etc_runtime_t:dir { getattr search }; # wdm has its own config dir /etc/X11/wdm # this is ugly, daemons should not create files under /etc! 
@@ -327,3 +328,55 @@ allow xdm_t crack_db_t:file r_file_perms; ') r_dir_file(xdm_t, selinux_config_t) + +# ARGH. damn qt libraries. +# had to change /etc/qt3 to etc_runtime_t too +allow xdm_t etc_runtime_t:file { write }; + #EXE=/usr/bin/kdm_greet NAME=.qtrc.lock : write + #EXE=/usr/bin/kdm_greet NAME=.qt_plugins_3.2rc.lock : write + #EXE=/usr/bin/krootimage NAME=.qtrc.lock : write + #EXE=/usr/bin/krootimage NAME=.qt_plugins_3.2rc.lock : write + +# ARGH. +dontaudit xdm_t sbin_t:dir { getattr }; + #EXE=/usr/bin/kdm_greet PATH=/usr/local/sbin : getattr + #EXE=/usr/bin/kdm_greet PATH=/usr/sbin : getattr + #EXE=/usr/bin/kdm_greet PATH=/sbin : getattr + +allow xdm_xserver_t initrc_tmp_t:dir { search }; + #EXE=/usr/X11R6/bin/XFree86 NAME=.font-unix : search + +# allow xdm to run halt + +allow xdm_t init_t:process { signal }; + #EXE=/sbin/halt : signal + +allow xdm_t xdm_t:capability { sys_boot }; + #EXE=/sbin/halt : sys_boot + +can_exec(xdm_t, init_exec_t) + #EXE=/sbin/shutdown NAME=init : execute + + +allow xdm_xserver_t var_run_t:file { getattr read }; + #EXE=/usr/X11R6/bin/XFree86 PATH=/var/run/xauth/A:0-4iQaw9 : getattr + #EXE=/bin/cat NAME=A:0-4iQaw9 : read + +can_exec(xdm_t, xsession_exec_t) + #EXE=/usr/bin/kdm PATH=/etc/kde3/kdm/Xstartup : execute_no_trans + + +allow xdm_t xdm_var_run_t:sock_file { create setattr unlink }; + #EXE=/usr/bin/kdm NAME=socket : create + + +allow xdm_xserver_t zero_device_t:chr_file { read write }; + #EXE=/usr/X11R6/bin/XFree86 NAME=zero : read write + + +allow xdm_t xdm_var_run_t:dir { rmdir setattr create }; + #EXE=/usr/bin/kdm NAME=xdmctl : create + +# to access /var/run/utmp +allow xdm_t initrc_var_run_t:file { getattr }; +
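Review bot: `allow xdm_t etc_runtime_t:file { write };` grants write on every etc_runtime_t file, not just the Qt lock files the audit lines under it show, and relabelling /etc/qt3 to etc_runtime_t widens a type that the rest of the policy treats as runtime config the daemon only reads (the earlier hunk adds just `getattr read lock` on it). A dedicated type for that directory, e.g. `type xdm_etc_t, file_type, sysadmfile;` plus a file_contexts entry, with `allow xdm_t xdm_etc_t:file create_file_perms;` would keep the grant to what kdm_greet and krootimage actually touch. The same applies to `allow xdm_xserver_t var_run_t:file { getattr read };`: the logged path is /var/run/xauth/A:0-…, presumably the X authority cookie, and if that directory is still generic var_run_t the rule lets the X server read every unlabelled file under /var/run rather than only the cookie; labelling /var/run/xauth as xdm_var_run_t, which xdm_t already creates and owns per this hunk, would narrow it to `allow xdm_xserver_t xdm_var_run_t:file { getattr read };`. The `sys_boot`, `init_t:process signal` and `can_exec(xdm_t, init_exec_t)` rules let the greeter, which runs before any authentication, halt or reboot the machine; that may be intended for kdm's login-screen shutdown menu, so a comment such as `# kdm offers shutdown/reboot from the greeter; this is pre-authentication by design` would save the next reviewer from reopening it.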