mpd, pulseaudio: split domtrans and client access

Split `pulseaudio_domtrans()` into two interfaces: one that grants
transition access and the other the `pulseaudio_client` attribute. This
fixes a build error because calls to `pulseaudio_domtrans()` by the role
would associate the client attribute with the user exec domain
attribute.

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/apps/pulseaudio.if

@@ -59,6 +59,25 @@ template(`pulseaudio_role',`
 	')
 ')
 
+########################################
+## <summary>
+##	Connect to pulseaudio and manage
+##	pulseaudio config data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_client_domain',`
+	gen_require(`
+		attribute pulseaudio_client;
+	')
+
+	typeattribute $1 pulseaudio_client;
+')
+
 ########################################
 ## <summary>
 ##	Execute a domain transition to run pulseaudio.
@@ -71,12 +90,9 @@ template(`pulseaudio_role',`
 #
 interface(`pulseaudio_domtrans',`
 	gen_require(`
-		attribute pulseaudio_client;
 		type pulseaudio_t, pulseaudio_exec_t;
 	')
 
-	typeattribute $1 pulseaudio_client;
-
 	corecmd_search_bin($1)
 	domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
 ')
@@ -100,12 +116,10 @@ interface(`pulseaudio_domtrans',`
 #
 interface(`pulseaudio_run',`
 	gen_require(`
-		attribute pulseaudio_client;
 		attribute_role pulseaudio_roles;
 	')
 
-	typeattribute $1 pulseaudio_client;
+	pulseaudio_client_domain($1)
-
 	pulseaudio_domtrans($1)
 	roleattribute $2 pulseaudio_roles;
 ')

policy/modules/services/mpd.te

@@ -182,6 +182,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	pulseaudio_client_domain(mpd_t)
 	pulseaudio_domtrans(mpd_t)
 ')