IdM server in Red Hat Enterprise Linux 6.3 introduced a technical preview of SELinux user mapping feature, which enabled a mapping of SELinux users to users managed by the IdM based on custom rules. However, the default configured SELinux user (guest_u:s0) used when no custom rule matches is too constraining. An IdM user authenticating to Red Hat Enterprise Linux 6.4 can be assigned the too constraining SELinux user in which case a login through graphical session would always fail. To work around this problem, change a too constraining default SELinux user in the IdM server from guest_u:s0 to a more relaxed value unconfined_u:s0-s0:c0.c1023:
ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
An unconfined SELinux user will be now assigned to the IdM user by default, which will allow the user to successfully authenticate through graphical interface.