# SELinux policy module mlswm, version 1.0.0.
# Every allow rule below has staff_t as its source type.
policy_module(mlswm, 1.0.0)

# NOTE(review): the optional_policy wrapper is commented out (here and at the
# end of the file), so the gen_require block is a hard dependency: the module
# will not link unless every listed type, role, class and permission is
# already defined in the loaded policy.
# optional_policy(`
gen_require(`
	type staff_t, xdm_var_lib_t, root_xdrawable_t, xdm_t, xserver_t;
	role staff_r;
	class x_drawable { read write add_child };
	class x_client { destroy };
	class x_resource { write };
	class x_keyboard { read manage };
	class x_pointer { get_property manage set_property list_property };
	class x_screen { saver_setattr };
	class x_server { manage };
')

# File access: staff_t may open and read files labeled xdm_var_lib_t.
# NOTE(review): presumably needed for display manager state such as the X
# authority data; confirm which file triggered this rule.
allow staff_t xdm_var_lib_t:file { read open };

# X object manager rules. Because the source type is staff_t itself, every
# process running in staff_t receives these permissions, not only the window
# manager.
# NOTE(review): manage on x_server, x_keyboard and x_pointer, and destroy on
# xdm_t clients, are broad grants. Confirm each one against an observed
# denial, and consider moving them to a dedicated window manager domain so
# that ordinary staff_t processes cannot read keyboard input or manage the
# X server.

# Write access to drawables labeled root_xdrawable_t.
allow staff_t root_xdrawable_t:x_drawable write;

# Access to X objects owned by the xdm_t domain.
allow staff_t xdm_t:x_client destroy;
allow staff_t xdm_t:x_drawable { read add_child };
allow staff_t xdm_t:x_resource write;

# Access to X objects labeled xserver_t: input devices, screen and server.
allow staff_t xserver_t:x_keyboard { read manage };
allow staff_t xserver_t:x_pointer { get_property manage set_property list_property };
allow staff_t xserver_t:x_screen saver_setattr;
allow staff_t xserver_t:x_server manage;

# Interface call; its definition is not in this file.
# NOTE(review): presumably declared in the mlswm interface file and used to
# authorize staff_r and staff_t for the mlswm domain; verify what it grants.
mlswm_role(staff, staff_r, staff_t)
# ')