--- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.5/policy/modules/roles/xguest.fc 2008-08-14 13:53:54.000000000 -0400
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
--- nsaserefpolicy/policy/modules/roles/xguest.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.5/policy/modules/roles/xguest.if 2008-08-14 13:53:54.000000000 -0400
@@ -0,0 +1,161 @@
+## Least privledge X Windows user role
+
+########################################
+##
+## Change to the xguest role.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+#
+template(`xguest_role_change_template',`
+ userdom_role_change_template($1, xguest)
+')
+
+########################################
+##
+## Change from the xguest role.
+##
+##
+##

+## Change from the xguest role to
+## the specified role.
+##

+##

+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##

+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+#
+template(`xguest_role_change_to_template',`
+ userdom_role_change_template(xguest, $1)
+')
+
+########################################
+##
+## Search the xguest users home directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xguest_search_home_dirs',`
+ gen_require(`
+ type xguest_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 xguest_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to search the xguest
+## users home directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`xguest_dontaudit_search_home_dirs',`
+ gen_require(`
+ type xguest_home_dir_t;
+ ')
+
+ dontaudit $1 xguest_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete xguest
+## home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xguest_manage_home_dirs',`
+ gen_require(`
+ type xguest_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 xguest_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Relabel to xguest home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xguest_relabelto_home_dirs',`
+ gen_require(`
+ type xguest_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 xguest_home_dir_t:dir relabelto;
+')
+
+########################################
+##
+## Do not audit attempts to append to the xguest
+## users home directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`xguest_dontaudit_append_home_content_files',`
+ gen_require(`
+ type xguest_home_t;
+ ')
+
+ dontaudit $1 xguest_home_t:file append;
+')
+
+########################################
+##
+## Read files in the xguest users home directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xguest_read_home_content_files',`
+ gen_require(`
+ type xguest_home_dir_t, xguest_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 { xguest_home_dir_t xguest_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t)
+ read_lnk_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t)
+')
--- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.5/policy/modules/roles/xguest.te 2008-08-14 13:53:54.000000000 -0400
@@ -0,0 +1,83 @@
+
+policy_module(xguest, 1.0.0)
+
+##
+##
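Review bot: The summary on `xguest_read_home_content_files`, the last interface in xguest.if, understates what a caller receives: besides reading files, the body grants `list_dir_perms` on both `xguest_home_dir_t` and `xguest_home_t` directories and `read_lnk_files_pattern` for symlinks. Someone auditing which domains can enumerate a guest's home from the interface documentation alone would miss that, so I would reword the summary to `## List directories and read files and symbolic links in the xguest users home directory.` A similar mismatch is in `xguest_dontaudit_append_home_content_files`, whose summary names the home directory while the rule is on `xguest_home_t:file append`. The module summary on the first line of the file also misspells "privilege" as `privledge`.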

+## Allow xguest users to mount removable media +##

+##
+gen_tunable(xguest_mount_media, false)
+
+##
+##

+## Allow xguest to configure Network Manager +##

+##
+gen_tunable(xguest_connect_network, false)
+
+##
+##

+## Allow xguest to use blue tooth devices +##

+##
+gen_tunable(xguest_use_bluetooth, false)
+
+########################################
+#
+# Declarations
+#
+
+role xguest_r;
+
+userdom_restricted_xwindows_user_template(xguest)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+ mozilla_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+optional_policy(`
+ java_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+optional_policy(`
+ mono_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+# Allow mounting of file systems
+optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ hal_dbus_chat(xguest_t)
+ init_read_utmp(xguest_t)
+ auth_list_pam_console_data(xguest_t)
+ kernel_read_fs_sysctls(xguest_t)
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
+ ')
+')
+
+optional_policy(`
+ hal_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ networkmanager_dbus_chat(xguest_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`xguest_use_bluetooth',`
+ bluetooth_dbus_chat(xguest_t)
+ ')
+')
+
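Review bot: `hal_dbus_chat(xguest_t)` is granted twice in xguest.te, once inside the `xguest_mount_media` tunable block and again in an unconditional `optional_policy` block right after it, so leaving the tunable at its `false` default does not remove the guest's D-Bus access to HAL. If HAL chat is needed regardless of mounting, drop the line from the tunable block and put a comment on the unconditional block saying why, for example `# HAL access is required independent of xguest_mount_media: <reason>`. Otherwise remove the unconditional block so the boolean actually gates it. In the same tunable block `fs_manage_noxattr_fs_dirs(xguest_t)` appears on two consecutive lines; the second looks like a leftover or a slip for a different interface and should be checked.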