This is causing the welcome program to run as unconfined_t and prevents confined users from logging in. Removing pam_selinux from the stack (as well as pam_namespace) changes the entire xdm suite to run as xdm_t as it should and allows me to login as staff_t not, unconfined_t. If you want to use pam at all, you probably want a very limited stack.
i'll push a fix now that culls the pam list a bit in the service file, to prevent the greeter from running unconfined. There's another problem where the pam conversation is run in the main slave process instead of a welcome specific subprocess, so the subsequent worker processes are run as if they're part of the welcome session. I'll address that when I get time to work on this upstream.
gdm-3.1.2-5.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/gdm-3.1.2-5.fc16
Package gdm-3.1.2-5.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing gdm-3.1.2-5.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/gdm-3.1.2-5.fc16 then log in and leave karma (feedback).
gdm-3.1.2-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.