diff --git a/gdm-2.19.6-selinux.patch b/gdm-2.19.6-selinux.patch
deleted file mode 100644
index 415f5d4..0000000
--- a/gdm-2.19.6-selinux.patch
+++ /dev/null
@@ -1,138 +0,0 @@ -diff -up gdm-2.19.6/configure.ac.selinux gdm-2.19.6/configure.ac ---- gdm-2.19.6/configure.ac.selinux 2007-08-24 11:25:38.000000000 -0400 -+++ gdm-2.19.6/configure.ac 2007-08-24 11:25:54.000000000 -0400 -@@ -72,8 +72,6 @@ AC_ARG_WITH(dmx, - [ --with-dmx=[auto/yes/no] Add DMX (Distributed Multihead X) support [default=auto]],, - with_dmx=auto) - --AC_ARG_WITH(selinux, [ --with-selinux Add SELinux support]) -- - AC_ARG_WITH(console-kit, - [ --with-console-kit=[auto/yes/no] Add ConsoleKit support [default=auto]],, - with_console_kit=auto) -@@ -805,30 +803,6 @@ fi - - - # --# SELinux stuff --# --if test "x$with_selinux" = "xyes" ; then -- echo "SELinux support requested (--with-selinux was given), checking prerequisites" -- if test -d /usr/local/selinux/include ; then -- echo "Found /usr/local/selinux/include, will look there for SELinux stuff as well" -- CFLAGS="$CFLAGS -I/usr/local/selinux/include" -- LDFLAGS="$LDFLAGS -L/usr/local/selinux/lib" -- fi -- AC_CHECK_HEADER(selinux/selinux.h) -- AC_CHECK_HEADER(selinux/get_context_list.h) -- AC_CHECK_LIB(attr,attr_get,/bin/true) -- # I'm anal and I don't know which versions have which symbols, -- # so I check for all the ones we use -- AC_CHECK_LIB(selinux,get_ordered_context_list,/bin/true) -- AC_CHECK_LIB(selinux,freecon,/bin/true) -- AC_CHECK_LIB(selinux,freeconary,/bin/true) -- AC_CHECK_LIB(selinux,setexeccon,/bin/true) -- AC_CHECK_LIB(selinux,is_selinux_enabled,/bin/true) -- AC_DEFINE(HAVE_SELINUX) -- EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -lselinux -lattr" --fi -- --# - # ConsoleKit support - # - use_console_kit=no -@@ -1447,13 +1421,6 @@ else - echo "Console helper : NO" - fi - --dnl <= SELinux support => --if test "x$with_selinux" = "xyes" ; then -- echo "SELinux support : YES" --else -- echo "SELinux support : NO" --fi -- - dnl <= Solaris Trusted Extensions support => - if test "x$found_tsol" = "xyes" ; then - echo "Solaris Trusted Extensions support : YES" -diff -up 
gdm-2.19.6/daemon/slave.c.selinux gdm-2.19.6/daemon/slave.c ---- gdm-2.19.6/daemon/slave.c.selinux 2007-08-24 11:24:34.000000000 -0400 -+++ gdm-2.19.6/daemon/slave.c 2007-08-24 11:24:52.000000000 -0400 -@@ -87,11 +87,6 @@ - #include - #endif - --#ifdef HAVE_SELINUX --#include --#include --#endif /* HAVE_SELINUX */ -- - #include - #include - #include -@@ -3521,48 +3516,6 @@ open_xsession_errors (struct passwd *pwe - return logfd; - } - --#ifdef HAVE_SELINUX --/* This should be run just before we exec the user session */ --static gboolean --gdm_selinux_setup (const char *login) --{ -- security_context_t scontext; -- int ret=-1; -- char *seuser=NULL; -- char *level=NULL; -- -- /* If selinux is not enabled, then we don't do anything */ -- if (is_selinux_enabled () <= 0) -- return TRUE; -- -- if (getseuserbyname(login, &seuser, &level) == 0) -- ret=get_default_context_with_level(seuser, level, 0, &scontext); -- -- if (ret < 0) { -- gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login); -- /* note that this will be run when the .xsession-errors -- is already being logged, so we can use stderr */ -- gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login); -- return (security_getenforce()==0); -- } -- -- gdm_assert (scontext != NULL); -- -- if (setexeccon (scontext) != 0) { -- gdm_error ("SELinux gdm login: unable to set executable context %s.", -- (char *)scontext); -- gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.", -- (char *)scontext); -- freecon (scontext); -- return (security_getenforce()==0); -- } -- -- freecon (scontext); -- -- return TRUE; --} --#endif /* HAVE_SELINUX */ -- - static void - session_child_run (struct passwd *pwent, - int logfd, -@@ -4048,16 +4001,6 @@ session_child_run (struct passwd *pwent, - } - #endif - --#ifdef HAVE_SELINUX -- if ( ! 
gdm_selinux_setup (pwent->pw_name)) { -- /* 66 means no "session crashed" examine .xsession-errors -- dialog */ -- gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR, -- _("Error! Unable to set executable context.")); -- _exit (66); -- } --#endif -- - g_shell_parse_argv (fullexec->str, NULL, &argv, NULL); - VE_IGNORE_EINTR (execv (argv[0], argv)); - g_strfreev (argv); diff --git a/gdm-2.19.8-selinux.patch b/gdm-2.19.8-selinux.patch new file mode 100644 index 0000000..db360b9 --- /dev/null +++ b/gdm-2.19.8-selinux.patch 
@@ -0,0 +1,144 @@ +diff -up gdm-2.19.8/configure.ac.selinux gdm-2.19.8/configure.ac +diff -up gdm-2.19.8/daemon/slave.c.selinux gdm-2.19.8/daemon/slave.c +--- gdm-2.19.8/daemon/slave.c.selinux 2007-09-07 11:40:58.000000000 -0400 ++++ gdm-2.19.8/daemon/slave.c 2007-09-07 12:21:37.000000000 -0400 +@@ -89,7 +89,6 @@ + + #ifdef HAVE_SELINUX + #include +-#include + #endif /* HAVE_SELINUX */ + + #include +@@ -172,6 +171,10 @@ static uid_t logged_in_uid = + static gid_t logged_in_gid = -1; + #endif + ++#ifdef HAVE_SELINUX ++security_context_t logged_in_context = NULL; ++#endif ++ + static int greeter_fd_out = -1; + static int greeter_fd_in = -1; + +@@ -2036,6 +2039,7 @@ restart_the_greeter (void) + gdm_slave_sensitize_config (); + } + ++ + static gboolean + play_login_sound (const char *sound_file) + { +@@ -3519,48 +3523,6 @@ open_xsession_errors (struct passwd *pwe + return logfd; + } + +-#ifdef HAVE_SELINUX +-/* This should be run just before we exec the user session */ +-static gboolean +-gdm_selinux_setup (const char *login) +-{ +- security_context_t scontext; +- int ret=-1; +- char *seuser=NULL; +- char *level=NULL; +- +- /* If selinux is not enabled, then we don't do anything */ +- if (is_selinux_enabled () <= 0) +- return TRUE; +- +- if (getseuserbyname(login, &seuser, &level) == 0) +- ret=get_default_context_with_level(seuser, level, 0, &scontext); +- +- if (ret < 0) { +- gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login); +- /* note that this will be run when the .xsession-errors +- is already being logged, so we can use stderr */ +- gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login); +- return (security_getenforce()==0); +- } +- +- gdm_assert (scontext != NULL); +- +- if (setexeccon (scontext) != 0) { +- gdm_error ("SELinux gdm login: unable to set executable context %s.", +- (char *)scontext); +- gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.", +- 
(char *)scontext); +- freecon (scontext); +- return (security_getenforce()==0); +- } +- +- freecon (scontext); +- +- return TRUE; +-} +-#endif /* HAVE_SELINUX */ +- + static void + session_child_run (struct passwd *pwent, + int logfd, +@@ -3801,6 +3763,10 @@ session_child_run (struct passwd *pwent, + close (iceauth_fd); + } + ++#ifdef HAVE_SELINUX ++ setexeccon (logged_in_context); ++#endif ++ + NEVER_FAILS_setegid (pwent->pw_gid); + #ifdef HAVE_LOGINCAP + if (setusercontext (NULL, pwent, pwent->pw_uid, +@@ -4046,16 +4012,6 @@ session_child_run (struct passwd *pwent, + } + #endif + +-#ifdef HAVE_SELINUX +- if ( ! gdm_selinux_setup (pwent->pw_name)) { +- /* 66 means no "session crashed" examine .xsession-errors +- dialog */ +- gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR, +- _("Error! Unable to set executable context.")); +- _exit (66); +- } +-#endif +- + g_shell_parse_argv (fullexec->str, NULL, &argv, NULL); + VE_IGNORE_EINTR (execv (argv[0], argv)); + g_strfreev (argv); +@@ -4741,6 +4697,11 @@ gdm_slave_session_start (void) + + NEVER_FAILS_root_set_euid_egid (0, gdm_daemon_config_get_gdmgid ()); + ++#ifdef HAVE_SELINUX ++ getexeccon (&logged_in_context); ++ setexeccon (NULL); ++#endif ++ + if G_UNLIKELY ( ! authok) { + gdm_debug ("gdm_slave_session_start: Auth not OK"); + +@@ -5009,6 +4970,10 @@ gdm_slave_session_stop (gboolean run_pos + seteuid (0); + setegid (0); + ++#ifdef HAVE_SELINUX ++ setexeccon (NULL); ++#endif ++ + gdm_slave_send_num (GDM_SOP_SESSPID, 0); + + /* Now still as root make the system authfile not readable by others, +@@ -5069,6 +5034,12 @@ gdm_slave_session_stop (gboolean run_pos + logged_in_uid = -1; + logged_in_gid = -1; + ++#ifdef HAVE_SELINUX ++ setexeccon (logged_in_context); ++ freecon (logged_in_context); ++ logged_in_context = NULL; ++#endif ++ + /* things are going to be killed, so ignore errors */ + XSetErrorHandler (ignore_xerror_handler); + diff --git a/gdm.spec b/gdm.spec index b078eb5..1361ef0 100644 --- a/gdm.spec +++ b/gdm.spec 
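Review bot: The `setexeccon (logged_in_context)` call added to session_child_run (inner hunk `@@ -3801,6 +3763,10 @@`) ignores its return value, so the fail-closed path of the removed gdm_selinux_setup is lost: that code ended the child with `_exit (66)` when the context could not be set and `security_getenforce ()` was non-zero, whereas a failure now lets the session be exec'd under whatever default transition applies. The `getexeccon (&logged_in_context)` added to gdm_slave_session_start is unchecked in the same way, and a failed or NULL result makes the later call in the child a silent reset to the default context; where the saved context comes from (presumably the authentication stack) is not visible on this page. Checking both results and keeping the enforcing-mode exit, guarded by `is_selinux_enabled ()` as the old code was, would restore the earlier guarantee. The new global could also be declared `static`, like `logged_in_uid` and `logged_in_gid` beside it. The bodies of session_child_run and gdm_slave_session_start start and end outside these inner hunks, so the placement below is relative to the visible context lines only.

```c
#ifdef HAVE_SELINUX
        /* Fail closed in enforcing mode, as the removed gdm_selinux_setup did. */
        if (is_selinux_enabled () > 0 &&
            setexeccon (logged_in_context) != 0) {
                gdm_error ("SELinux gdm login: unable to set executable context.");
                if (security_getenforce () != 0)
                        _exit (66);
        }
#endif

        NEVER_FAILS_setegid (pwent->pw_gid);
        /* … unchanged: rest of session_child_run … */
```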
@@ -53,7 +53,7 @@ Patch33: gdm-2.19.6-pass-ats-to-session.patch Patch35: gdmsetup-path.patch # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=254164 -Patch37: gdm-2.19.6-selinux.patch +Patch37: gdm-2.19.8-selinux.patch Patch100: gdm-2.19.6-change-defaults.patch @@ -348,6 +348,9 @@ fi %{_datadir}/pixmaps/faces/extras/*.jpg %changelog +* Fri Sep 7 2007 Ray Strode - 1:2.19.8-2 +- make things work better for xguest users (bug 254164) + * Fri Sep 7 2007 Matthias Clasen - 1:2.19.8-1 - Update to 2.19.8