According to the SELinux wiki, the default is already set at handle-unknown=deny. Furthermore, it says Note: to activate any change, the base policy needs to be reloaded with the semodule -b command (as semodule -R does not change them).
Note: to activate any change, the the base policy needs to be reloaded with with the semodule -b command (as semodule semodule -R does not change them).
Furthermore, take a look at the section about /etc/security/sepermit.conf; it seems that the /etc/pam.d/gdm file should be configured by changing the sepermit.conf file--since the sepermit.conf file is being read by the files in /etc/pam.d/ directory during login.