From c7e4c1da8caa4cd04faa23941277553df5915020 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge <me@concord.sh>
Date: Wed, 13 Oct 2021 14:42:42 -0400
Subject: [PATCH] mpd, pulseaudio: split domtrans and client access

Split `pulseaudio_domtrans()` into two interfaces: one that grants
transition access and the other the `pulseaudio_client` attribute. This
fixes a build error because calls to `pulseaudio_domtrans()` by the role
would associate the client attribute with the user exec domain
attribute.

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/modules/apps/pulseaudio.if | 26 ++++++++++++++++++++------
 policy/modules/services/mpd.te    |  1 +
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index ea109ee96..b2d2f1d43 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -59,6 +59,25 @@ template(`pulseaudio_role',`
 	')
 ')
 
+########################################
+## <summary>
+##	Connect to pulseaudio and manage
+##	pulseaudio config data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_client_domain',`
+	gen_require(`
+		attribute pulseaudio_client;
+	')
+
+	typeattribute $1 pulseaudio_client;
+')
+
 ########################################
 ## <summary>
 ##	Execute a domain transition to run pulseaudio.
@@ -71,12 +90,9 @@ template(`pulseaudio_role',`
 #
 interface(`pulseaudio_domtrans',`
 	gen_require(`
-		attribute pulseaudio_client;
 		type pulseaudio_t, pulseaudio_exec_t;
 	')
 
-	typeattribute $1 pulseaudio_client;
-
 	corecmd_search_bin($1)
 	domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
 ')
@@ -100,12 +116,10 @@ interface(`pulseaudio_domtrans',`
 #
 interface(`pulseaudio_run',`
 	gen_require(`
-		attribute pulseaudio_client;
 		attribute_role pulseaudio_roles;
 	')
 
-	typeattribute $1 pulseaudio_client;
-
+	pulseaudio_client_domain($1)
 	pulseaudio_domtrans($1)
 	roleattribute $2 pulseaudio_roles;
 ')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
index 4a0650df1..3ba4a896a 100644
--- a/policy/modules/services/mpd.te
+++ b/policy/modules/services/mpd.te
@@ -182,6 +182,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	pulseaudio_client_domain(mpd_t)
 	pulseaudio_domtrans(mpd_t)
 ')