From 0616a92eda55275cc611bfc7090451d08ec4c29a Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Oct 04 2012 10:16:47 +0000 Subject: changes to the guest policy module Ported from Fedora with changes We should probably modify userdom_login_user_template() instead to allow all login users to read system state files We might want to make the apache_role() conditional Signed-off-by: Dominick Grift
---
diff --git a/guest.if b/guest.if
index 8906a32..ad1653f 100644
--- a/guest.if
+++ b/guest.if
@@ -1,4 +1,4 @@
-## Least privledge terminal user role
+## Least privledge terminal user role.
 
 ########################################
 ##
diff --git a/guest.te b/guest.te
index 1cb7311..d928711 100644
--- a/guest.te
+++ b/guest.te
@@ -1,4 +1,4 @@
-policy_module(guest, 1.2.0)
+policy_module(guest, 1.2.1)
 
 ########################################
 #
@@ -9,9 +9,15 @@ role guest_r;
 
 userdom_restricted_user_template(guest)
 
+kernel_read_system_state(guest_t)
+
 ########################################
 #
 # Local policy
 #
 
-#gen_user(guest_u,, guest_r, s0, s0)
+optional_policy(`
+ apache_role(guest_r, guest_t)
+')
+
+#gen_user(guest_u, user, guest_r, s0, s0)
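Review bot: In the last guest.te hunk, `kernel_read_system_state(guest_t)` is added between `userdom_restricted_user_template(guest)` and the `# Local policy` banner, so an access grant for the least-privilege guest domain sits outside the section a reader auditing guest_t's local rules will look at. Move the call below the banner so every grant on guest_t is listed in one place. Neither new grant carries a rationale; add a one-line comment above each, for example `# guest_t may read system state under /proc` and `# guest_r may use the per-user httpd content types`. The second wording is inferred from the interface name and should be checked against the apache module's definition of `apache_role` before it is committed.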