diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
index ce614b41b..e87000a5c 100644
--- a/config/appconfig-mcs/seusers
+++ b/config/appconfig-mcs/seusers
@@ -1,2 +1,3 @@
 root:root:s0-mcs_systemhigh
 __default__:user_u:s0
+sddm:xdm:s0
diff --git a/config/appconfig-mcs/xdm_default_contexts b/config/appconfig-mcs/xdm_default_contexts
new file mode 100644
index 000000000..08c88c0f0
--- /dev/null
+++ b/config/appconfig-mcs/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0 system_r:xdm_t:s0
diff --git a/config/appconfig-mls/seusers b/config/appconfig-mls/seusers
index 4e500b098..38414fee9 100644
--- a/config/appconfig-mls/seusers
+++ b/config/appconfig-mls/seusers
@@ -1,2 +1,3 @@
 root:root:s0-mls_systemhigh
 __default__:user_u:s0
+sddm:xdm:s0
diff --git a/config/appconfig-mls/xdm_default_contexts b/config/appconfig-mls/xdm_default_contexts
new file mode 100644
index 000000000..08c88c0f0
--- /dev/null
+++ b/config/appconfig-mls/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0 system_r:xdm_t:s0
diff --git a/config/appconfig-standard/seusers b/config/appconfig-standard/seusers
index f7c5bd27a..f6066b507 100644
--- a/config/appconfig-standard/seusers
+++ b/config/appconfig-standard/seusers
@@ -1,2 +1,3 @@
 root:root
 __default__:user_u
+sddm:xdm:s0
diff --git a/config/appconfig-standard/xdm_default_contexts b/config/appconfig-standard/xdm_default_contexts
new file mode 100644
index 000000000..af1cb2e77
--- /dev/null
+++ b/config/appconfig-standard/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t system_r:xdm_t
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 1dad0b470..a4e7b7e7c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -62,6 +62,10 @@ gen_tunable(xserver_object_manager, false)
 ##
 gen_tunable(xserver_allow_dri, false)
+# for sddm to use pam for greeter
+role xdm_r;
+allow system_r xdm_r;
+
 attribute x_domain;
 # X Events
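Review bot: In config/appconfig-mcs/xdm_default_contexts the target context is `system_r:xdm_t:s0`, but the `gen_user(xdm,, xdm_r, s0, s0)` line this commit adds to xserver.te appears to authorize the xdm user for xdm_r only. If that reading is right, `system_r:xdm_t` can never be a valid context for this user and the entry would not select anything; the line would need to be `system_r:xdm_t:s0 xdm_r:xdm_t:s0`. The same applies to the appconfig-mls copy and, without the `:s0` fields, to the appconfig-standard copy.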
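Review bot: In config/appconfig-standard/seusers the new entry `sddm:xdm:s0` carries an MLS range, while the two existing entries in that file (`root:root`, `__default__:user_u`) have none. The xdm_default_contexts file added for the same directory also omits the level. For the non-MLS configuration the line should presumably read `sddm:xdm`; how a range field is handled when MLS is disabled is not visible here, so it is safer not to depend on it.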
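Review bot: In the `@@ -62,6 +62,10 @@` hunk of xserver.te, `allow system_r xdm_r;` is a role-allow rule, so it applies to every process running in system_r rather than to sddm alone, and the comment above it does not say which role change it is meant to permit. The type rules still constrain the change, but the intent should be recorded, for example `# sddm's PAM session for the greeter runs as SELinux user xdm, which is limited to xdm_r (see gen_user below); system_r must be allowed to change to that role`. The same one-line comment is reused on the execmod and gen_user hunks and is equally uninformative there. As a matter of layout, `role xdm_r;` sits between the tunables and the attribute declarations; declaring it next to `type xdm_t;`, where a later hunk adds `role xdm_r types xdm_t;`, would keep the role's definition in one place.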
@@ -145,6 +149,7 @@ fs_associate_tmpfs(xconsole_device_t)
 files_associate_tmp(xconsole_device_t)
 type xdm_t;
+role xdm_r types xdm_t;
 type xdm_exec_t;
 auth_login_pgm_domain(xdm_t)
 init_domain(xdm_t, xdm_exec_t)
@@ -843,6 +848,9 @@ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+# for sddm to use pam for greeter, sddm greeter needs execmod
+allow xdm_t xdm_tmpfs_t:file execmod;
+
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
@@ -1009,3 +1017,6 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard { getattr setatt
 allow xserver_unconfined_type xextension_type:x_extension { query use };
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource { read write };
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } { send receive };
+
+# for sddm to use pam for greeter
+gen_user(xdm,, xdm_r, s0, s0)
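Review bot: In the `@@ -843,6 +848,9 @@` hunk, `allow xdm_t xdm_tmpfs_t:file execmod;` is granted unconditionally to the whole xdm_t domain, so every display manager confined as xdm_t gains it, not only sddm. execmod lets a process make a modified file mapping executable, which relaxes a memory-protection check for a domain that handles logins. Since the comment ties the need to the sddm greeter, consider placing the rule inside a `tunable_policy` block keyed on a new tunable that defaults to false, declared like the `gen_tunable(..., false)` lines earlier in this file. The comment should also name the greeter component and the denial that motivated the rule, so it can be re-evaluated later.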