On my system gnome-shell is getting launched as unconfined_t, but inspecting the default policy source shows that there's already a window manager module (wm.te, wm.fc, wm.if):
https://sources.debian.org/src/refpolicy/2%3A2.20250213-11/policy/modules/apps/wm.te which does give the execmem permission among other things, but only for wm_domain. The problem then is that gnome-shell is being launched as unconfined instead of wm_domain. My SELinux is rusty, but if I fix it I will post a solution. Then we don't have to allow execmem for everything.

