policy_module(xguest, 1.1.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow xguest users to mount removable media
## </p>
## </desc>
gen_tunable(xguest_mount_media, false)

## <desc>
## <p>
## Allow xguest to configure Network Manager
## </p>
## </desc>
gen_tunable(xguest_connect_network, false)

## <desc>
## <p>
## Allow xguest to use blue tooth devices
## </p>
## </desc>
gen_tunable(xguest_use_bluetooth, false)

role xguest_r;

userdom_restricted_xwindows_user_template(xguest)

########################################
#
# Local policy
#

ifndef(`enable_mls',`
	fs_exec_noxattr(xguest_t)

	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		# Write floppies 
		storage_raw_read_removable_device(xguest_t)
		storage_raw_write_removable_device(xguest_t)
	',`
		storage_raw_read_removable_device(xguest_t)
	')
')

# Allow mounting of file systems
optional_policy(`
	tunable_policy(`xguest_mount_media',`
		kernel_read_fs_sysctls(xguest_t)

		files_dontaudit_getattr_boot_dirs(xguest_t)
		files_search_mnt(xguest_t)

		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		fs_getattr_noxattr_fs(xguest_t)
		fs_read_noxattr_fs_symlinks(xguest_t)

		auth_list_pam_console_data(xguest_t)

		init_read_utmp(xguest_t)
	')
')

optional_policy(`
	tunable_policy(`xguest_use_bluetooth',`
		bluetooth_dbus_chat(xguest_t)
	')
')

optional_policy(`
	hal_dbus_chat(xguest_t)
')

optional_policy(`
	java_role(xguest_r, xguest_t)
')

optional_policy(`
	mozilla_role(xguest_r, xguest_t)
')

optional_policy(`
	tunable_policy(`xguest_connect_network',`
		networkmanager_dbus_chat(xguest_t)
		corenet_tcp_connect_pulseaudio_port(xguest_t)
		corenet_tcp_connect_ipp_port(xguest_t)
	')
')

#gen_user(xguest_u,, xguest_r, s0, s0)