diff --git a/build_files/base/01-base-system.sh b/build_files/base/01-base-system.sh
index fc17efa..4573637 100755
--- a/build_files/base/01-base-system.sh
+++ b/build_files/base/01-base-system.sh
@@ -12,11 +12,13 @@ dnf5 -y clean all
 ### Enable Hypercube COPR for custom packages
 dnf5 -y copr enable binarypie/hypercube
 
-### Display Manager: greetd + hypercube-utils
-# hypercube-utils provides hypercube-greeter and hypercube-onboard (run directly on TTY)
+### Display Manager: greetd + cage + hypercube-utils
+# cage: minimal Wayland compositor for kiosk/greeter mode
+# hypercube-utils provides hypercube-greeter and hypercube-onboard
 dnf5 -y install \
 greetd \
 greetd-selinux \
+ cage \
 hypercube-utils
 
 ### Desktop Portals & Integration
@@ -95,7 +97,22 @@ if ! id -u greeter &>/dev/null; then
 useradd -r -M -s /usr/bin/nologin greeter
 fi
 
+### SELinux Policy: Allow greeter to allocate PTYs and use io_uring
+# Install policy development tools (will be removed by cleanup)
+dnf5 -y install selinux-policy-devel
+
+# Compile and install the greeter policy module
+SELINUX_DIR="/usr/share/hypercube/selinux"
+pushd "$SELINUX_DIR"
+make -f /usr/share/selinux/devel/Makefile hypercube-greeter.pp
+semodule -i hypercube-greeter.pp
+popd
+
+# Clean up build artifacts (keep .te for reference)
+rm -f "$SELINUX_DIR"/*.pp "$SELINUX_DIR"/*.if "$SELINUX_DIR"/*.fc
+
 ### Enable services
+systemctl enable devpts-ptmxmode.service
 systemctl enable greetd.service
 systemctl enable NetworkManager.service
 systemctl enable bluetooth.service
diff --git a/build_files/hypercube/99-tests.sh b/build_files/hypercube/99-tests.sh
index ca64a37..7ad8c11 100755
--- a/build_files/hypercube/99-tests.sh
+++ b/build_files/hypercube/99-tests.sh
@@ -10,6 +10,7 @@ echo "Running Hypercube validation tests..."
 REQUIRED_PACKAGES=(
 # Display manager
 "greetd"
+ "cage"
 "hypercube-utils"
 # Hyprland stack
 "hyprland"
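Review bot: The cleanup `rm -f "$SELINUX_DIR"/*.pp "$SELINUX_DIR"/*.if "$SELINUX_DIR"/*.fc` misses the `tmp/` directory that the refpolicy devel Makefile writes beside the .te (its .mod/.tmp intermediates), so build scratch is likely left in the shipped image; `rm -rf -- "${SELINUX_DIR:?}"/tmp "$SELINUX_DIR"/*.pp` covers it, and the `:?` guard keeps a recursive rm from ever running against an empty variable. The `*.if`/`*.fc` globs delete policy inputs rather than outputs, which is harmless today only because neither file exists here. The comment promises selinux-policy-devel "will be removed by cleanup", but that removal is outside this diff and worth confirming, since the devel package and its toolchain would otherwise stay in the base image. `pushd`/`popd` and `semodule -i` only fail the build if the script runs under `set -e`, which is not visible in this hunk; an explicit `|| exit 1` on `semodule -i hypercube-greeter.pp` makes the intent clear either way.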
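Review bot: The only assertion added for this change is the `"cage"` entry in REQUIRED_PACKAGES, while the riskier pieces of the commit — the `hypercube-greeter` SELinux module and the `devpts-ptmxmode.service` unit — get no validation, and a failed `semodule -i` or a unit that never got enabled would show up only as a greeter that cannot start. If the script has a check section beyond the package loop, a `semodule -l | grep -qx hypercube-greeter` and a `systemctl is-enabled devpts-ptmxmode.service` check would cover them. The REQUIRED_PACKAGES array continues past the end of the hunk.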
diff --git a/system_files/shared/etc/greetd/config.toml b/system_files/shared/etc/greetd/config.toml
index 4d964d7..d17d7d4 100644
--- a/system_files/shared/etc/greetd/config.toml
+++ b/system_files/shared/etc/greetd/config.toml
@@ -2,9 +2,9 @@
 vt = 1
 
 [default_session]
-command = "hypercube-greeter"
+command = "cage -s -- ghostty-kiosk hypercube-greeter"
 user = "greeter"
 
 [initial_session]
-command = "hypercube-onboard --config /usr/share/hypercube/config/hypercube-onboard/onboard.toml"
+command = "cage -s -- ghostty-kiosk 'hypercube-onboard --config /usr/share/hypercube/config/hypercube-onboard/onboard.toml'"
 user = "root"
diff --git a/system_files/shared/usr/lib/systemd/system/devpts-ptmxmode.service b/system_files/shared/usr/lib/systemd/system/devpts-ptmxmode.service
new file mode 100644
index 0000000..e2bc05b
--- /dev/null
+++ b/system_files/shared/usr/lib/systemd/system/devpts-ptmxmode.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Fix devpts mount options for PTY allocation
+DefaultDependencies=no
+After=systemd-remount-fs.service
+Before=greetd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/mount -o remount,mode=620,gid=5,ptmxmode=0666 devpts /dev/pts
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target
diff --git a/system_files/shared/usr/share/hypercube/migrations/001-greetd-cage-greeter.sh b/system_files/shared/usr/share/hypercube/migrations/001-greetd-cage-greeter.sh
new file mode 100644
index 0000000..fb2e8dd
--- /dev/null
+++ b/system_files/shared/usr/share/hypercube/migrations/001-greetd-cage-greeter.sh
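Review bot: The two sessions feed `ghostty-kiosk` differently: `default_session` passes `hypercube-greeter` as a bare argument while `initial_session` wraps `hypercube-onboard --config …` in single quotes so it arrives as one string, which only works if `ghostty-kiosk` re-splits or shell-evaluates its argument. Since `initial_session` runs with `user = "root"`, that contract should be written down; a comment above `[default_session]` such as `# ghostty-kiosk: <confirm whether the argument is passed straight to exec or to a shell>` would do, or pass the onboard command unquoted so both entries use the same argv form. Also, `cage -s` enables VT switching from the unauthenticated greeter session; confirm that is intentional rather than a default the kiosk should drop.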
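Review bot: `ExecStart=/usr/bin/mount -o remount,mode=620,gid=5,ptmxmode=0666 devpts /dev/pts` names both source and target, and in that form mount(8) applies the given options as the complete new set, so the `nosuid,noexec` flags systemd placed on /dev/pts at boot are replaced rather than kept. Keep them explicit: `ExecStart=/usr/bin/mount -o remount,nosuid,noexec,mode=620,gid=5,ptmxmode=0666 devpts /dev/pts`. A comment in the unit should also record why the default ptmxmode is insufficient (which program opens /dev/pts/ptmx and the error observed), because a world-writable ptmx on the pre-auth greeter VT is a deliberate relaxation the next maintainer cannot otherwise justify, and `gid=5` hard-codes the tty group id rather than resolving it.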
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Migration: Update greetd to use cage + ghostty for greeter
+
+set -euo pipefail
+
+CONFIG="/etc/greetd/config.toml"
+
+# Skip if file doesn't exist
+[[ -f "$CONFIG" ]] || exit 0
+
+# Skip if already using cage greeter
+grep -q 'cage -s -- ghostty-kiosk hypercube-greeter' "$CONFIG" && exit 0
+
+echo "Updating greetd default_session to use cage + ghostty-kiosk..."
+
+# Only update the default_session command line
+sed -i '/^\[default_session\]/,/^\[/ s|^command = .*|command = "cage -s -- ghostty-kiosk hypercube-greeter"|' "$CONFIG"
+
+echo "greetd config updated"
diff --git a/system_files/shared/usr/share/hypercube/migrations/001-greetd-remove-cage.sh b/system_files/shared/usr/share/hypercube/migrations/001-greetd-remove-cage.sh
deleted file mode 100644
index acbfd46..0000000
--- a/system_files/shared/usr/share/hypercube/migrations/001-greetd-remove-cage.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-# Migration: Remove cage references from greetd config
-
-set -euo pipefail
-
-CONFIG="/etc/greetd/config.toml"
-
-# Skip if file doesn't exist
-[[ -f "$CONFIG" ]] || exit 0
-
-# Skip if already migrated (no cage reference)
-grep -q "cage" "$CONFIG" || exit 0
-
-echo "Updating greetd config to remove cage..."
-
-cat > "$CONFIG" << 'EOF'
-[terminal]
-vt = 1
-
-[default_session]
-command = "hypercube-greeter"
-user = "greeter"
-
-[initial_session]
-command = "hypercube-onboard --config /usr/share/hypercube/config/hypercube-onboard/onboard.toml"
-user = "root"
-EOF
-
-echo "greetd config updated"
diff --git a/system_files/shared/usr/share/hypercube/selinux/hypercube-greeter.te b/system_files/shared/usr/share/hypercube/selinux/hypercube-greeter.te
new file mode 100644
index 0000000..ede400b
--- /dev/null
+++ b/system_files/shared/usr/share/hypercube/selinux/hypercube-greeter.te
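Review bot: The script rewrites only `default_session`, yet the same commit changes `initial_session` in config.toml to run `hypercube-onboard` under `cage -s -- ghostty-kiosk`, so an upgraded host ends up with a cage-based greeter and a bare-TTY onboarding command — the mix the shipped config just moved away from. Either add a second `sed` range for `[initial_session]` or state in the header comment that onboarding is intentionally left untouched on existing installs. The idempotence probe `grep -q 'cage -s -- ghostty-kiosk hypercube-greeter'` matches a literal and should be `grep -qF`. The file also reuses the `001-` prefix of `001-greetd-remove-cage.sh`, which this commit deletes; if migrations are tracked by name or number, a host that already ran the old one may skip this one.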
@@ -0,0 +1,15 @@
+policy_module(hypercube-greeter, 1.0)
+
+require {
+ type xdm_t;
+ type ptmx_t;
+ type io_uring_t;
+ class chr_file { read write open getattr ioctl };
+ class anon_inode { create };
+}
+
+# Allow display manager (greetd/greeter) to allocate PTYs
+allow xdm_t ptmx_t:chr_file { read write open getattr ioctl };
+
+# Allow display manager to use io_uring (used by ghostty)
+allow xdm_t io_uring_t:anon_inode { create };
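Review bot: `allow xdm_t io_uring_t:anon_inode { create };` grants io_uring to the whole display-manager domain, which in this image runs pre-authentication (greetd and the greeter under cage) and, per config.toml in this commit, the root onboarding session; io_uring has a long record of kernel privilege-escalation bugs and several hardened platforms disable it outright, so this is a meaningful widening of the kernel surface reachable from the login screen. If ghostty can be built or configured without io_uring (not determinable from this diff), prefer that and drop the rule; otherwise record the trade-off in the .te, e.g. `# NOTE: io_uring widens the kernel attack surface reachable from the unauthenticated greeter; granted only because ghostty uses it`. The `ptmx_t:chr_file` rule has the same shape in lesser degree — it fits the terminal emulator, not the display manager — and a dedicated domain with a transition for the greeter process would scope both grants to the one program that needs them. If the rules stay on xdm_t, naming the exact denials they resolve in the comments keeps the module auditable.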