On Arch Linux, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg-server/Xorg.
Even though Xorg.wrap is not a full X server, it reads X11 configuration
files, uses the DRM interface to detect KMS, etc. (cf.
http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
for more details). Therefore label it as xserver_exec_t.
This makes the following AVC appear:
denied { execute_no_trans } for pid=927 comm="X"
path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
scontext=system_u:system_r:xserver_t
tcontext=system_u:object_r:xserver_exec_t tclass=file
Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.