Comment 7 for bug 449712

gdm now uses a cache directory at /usr/share/gdm for dmrc files. Upon login, it reads files from the cache only. Once you've logged in, it will then sync the .dmrc file in your home directory to the cache location _if_ the .dmrc file in your home directory is owned by you.

Since the guest-session-setup.sh script would create the .dmrc file in the guest user directory, and not in the cache directory, it was not being read by gdm. gdm was using the default session, which was not protected by apparmor.

This problem is fixed by modifying guest-session-setup.sh to create the dmrc file in the gdm cache directory with root ownership. guest-session-cleanup.sh now removes the dmrc file from the cache directory to make sure the guest user can't poison it.