diff --git a/apparmor.d/profiles-s-z/xdm-xsession b/apparmor.d/profiles-s-z/xdm-xsession
new file mode 100644
index 00000000..a9eca8de
--- /dev/null
+++ b/apparmor.d/profiles-s-z/xdm-xsession
@@ -0,0 +1,95 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{etc_ro}/X11/xdm/Xsession
+profile xdm-xsession @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bash>
+  include <abstractions/dconf-write>
+  include <abstractions/openssl>
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,ba,da}sh         rix,
+  /{usr/,}bin/basename           rix,
+  /{usr/,}bin/cat                rix,
+  /{usr/,}bin/gpg-agent          rix,
+  /{usr/,}bin/gpg-connect-agent  rix,
+  /{usr/,}bin/grep               rix,
+  /{usr/,}bin/locale             rix,
+  /{usr/,}bin/manpath            rix,
+  /{usr/,}bin/readlink           rix,
+  /{usr/,}bin/sed                rix,
+  /{usr/,}bin/ssh-agent          rix,
+  /{usr/,}bin/tty                rix,
+  /{usr/,}bin/uname              rix,
+
+  /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
+  /{usr/,}bin/flatpak                            rPUx,
+  /{usr/,}bin/pidof                              rPx,
+  /{usr/,}bin/systemctl                          rPx -> child-systemctl,
+  /{usr/,}bin/xdg-user-dirs-update               rPx,
+  /{usr/,}bin/xrdb                               rPx,
+
+  @{libexec}/gnome-session-binary                rPx,
+  /{usr/,}bin/gnome                              rix,
+  /{usr/,}bin/gnome-session                      rix,
+  /{usr/,}bin/gsettings                          rix,
+
+  @{etc_ro}/X11/xdm/sys.xsession                    rix,
+  @{etc_ro}/X11/xinit/xinitrc.d/50-systemd-user.sh  rix,
+  @{etc_ro}/X11/xinit/xinitrc.d/xdg-user-dirs.sh    rix,
+  @{libexec}/xinit/xinitrc                          rix,
+
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/bash-completion/{,**} r,
+
+  @{etc_ro}/X11/xdm/scripts/{,*} r,
+  @{etc_ro}/X11/xinit/xinitrc.common r,
+  @{etc_ro}/X11/xinit/xinitrc.d/{,*} r,
+  @{etc_ro}/X11/xim r,
+  @{etc_ro}/X11/xim.d/none r,
+  @{etc_ro}/profile.d/{,*} r,
+  /etc/gcrypt/hwf.deny r,
+  /etc/locale.conf r,
+  /etc/manpath.config r,
+  /etc/sysconfig/* r,
+  /etc/shells r,
+
+  owner @{HOME}/ r,
+  owner @{HOME}/.alias r,
+  owner @{HOME}/.i18n r,
+
+  owner @{run}/user/@{uid}/gnupg/ rw,
+  owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
+  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
+  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
+  owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner @{run}/user/@{uid}/gnupg/sshcontrol r,
+
+  owner /tmp/ssh-*/ rw,
+  owner /tmp/ssh-*/agent.* rw,
+
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+        /dev/tty rw,
+  owner /dev/tty[0-9]* rw,
+
+  profile dbus {
+    include <abstractions/base>
+
+    /{usr/,}bin/dbus-update-activation-environment mr,
+
+    owner @{run}/user/@{uid}/bus rw,
+
+    include if exists <local/xdm-xsession_dbus>
+  }
+
+  include if exists <local/xdm-xsession>
+}
\ No newline at end of file