From: dominick.grift@gmail.com (Dominick Grift) Date: Fri, 19 Oct 2012 19:23:42 +0200 Subject: [refpolicy] [REVIEW REQUEST] Changes to the pulseaudio policy module and its dependencies Message-ID: <1350667422-9219-1-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com

I am currently trying to port the pulseaudio policy module with changes I would like your opinion on; the patch is below.

Some explanation: applications that run pulseaudio for their audio have things in common:
they use shared memory;
they need to be able to read and delete each other's shared memory;
they need to be able to send signull to each other;
they need to be able to restart pulseaudio if it crashes;
they need to be able to connect to pulseaudio over the network if there is no local pulse running (conditional?);
they need various access to pulseaudio home content;
they need to be able to stream connect to pulseaudio;
they need to be able to dbus chat to pulseaudio;
since pulseaudio as a system service uses the same domain, they need to be a system bus client.

If you think about it, this can get quite messy if we don't do it tidily. I decided to create two type attributes.

pulseaudio_client is an attribute that is assigned to any domain transitioning to pulseaudio_t. This is a prerequisite for pulse clients because they need to be able to restart pulse if it crashes. The pulseaudio_client attribute is used to write, efficiently, the policy that is common to pulseaudio clients. P.S. pulseaudio_role() callers are also pulseaudio_client; they just have a little extra permission.

pulseaudio_tmpfs_file_type is assigned separately to all clients' tmpfs file types with the pulseaudio_tmpfs_content() interface. pulseaudio_clients automatically get the access they need to pulseaudio tmpfs content: read and delete the content. userdom user tmpfs content is not pulseaudio tmpfs content; thus all pulseaudio_clients also need access to read and delete user tmpfs files.
( programs using pulseaudio might run in the user domain I am probably overlooking things in this version of the patch Please let me know what you think about this and give me suggestions Signed-off-by: Dominick Grift diff --git a/gpg.te b/gpg.te index 80c8cb3..4545d3c 100644 --- a/gpg.te +++ b/gpg.te @@ -1,4 +1,4 @@ -policy_module(gpg, 2.7.2) +policy_module(gpg, 2.7.3) ######################################## # @@ -67,6 +67,7 @@ type gpg_pinentry_tmpfs_t; userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t) +pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t) ######################################## # @@ -275,14 +276,9 @@ allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; allow gpg_pinentry_t self:shm create_shm_perms; allow gpg_pinentry_t self:tcp_socket { accept listen }; -allow gpg_pinentry_t self:unix_dgram_socket sendto; manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) - -manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) -manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) -fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) can_exec(gpg_pinentry_t, pinentry_exec_t) @@ -308,7 +304,6 @@ files_read_usr_files(gpg_pinentry_t) fs_dontaudit_list_inotifyfs(gpg_pinentry_t) -fs_getattr_tmpfs(gpg_pinentry_t) auth_use_nsswitch(gpg_pinentry_t) @@ -317,16 +312,7 @@ miscfiles_read_fonts(gpg_pinentry_t) miscfiles_read_localization(gpg_pinentry_t) -userdom_read_user_home_content_files(gpg_pinentry_t) userdom_use_user_terminals(gpg_pinentry_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(gpg_pinentry_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(gpg_pinentry_t) -') optional_policy(` dbus_all_session_bus_client(gpg_pinentry_t) 
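Review bot: The new `pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)` call is placed in the declarations section outside any optional_policy block, so gpg.te now fails to build whenever the pulseaudio module is absent; the same unconditional call is added in mozilla.te (the -42 and -58 hunks), mpd.te (-51) and mplayer.te (-42). The interface only performs a `typeattribute`, which is legal inside an optional block, so each call should be wrapped in optional_policy the way the pulseaudio_run and pulseaudio_domtrans calls further down in these files already are. If pulseaudio is meant to become a hard dependency of these modules, the commit message should say so.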
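Review bot: The rules that let gpg_pinentry_t create its own tmpfs content, `manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)`, the matching `manage_files_pattern` and `fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })`, are removed here and nothing in the patch re-grants them: the client policy added to pulseaudio.te only gives read and delete on pulseaudio_tmpfs_file_type, and pulseaudio_role grants manage to the user domain, not to pinentry. Unless an equivalent grant exists outside the patch, pinentry's shared-memory files (it still has `self:shm create_shm_perms`) will be denied, so the three lines should stay.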
@@ -334,11 +320,7 @@ ') optional_policy(` - pulseaudio_exec(gpg_pinentry_t) - pulseaudio_rw_home_files(gpg_pinentry_t) - pulseaudio_setattr_home_dir(gpg_pinentry_t) - pulseaudio_stream_connect(gpg_pinentry_t) - pulseaudio_signull(gpg_pinentry_t) + pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles) ') optional_policy(` diff --git a/mozilla.te b/mozilla.te index edb579a..7d11298 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ -policy_module(mozilla, 2.7.0) +policy_module(mozilla, 2.7.1) ######################################## # @@ -42,6 +42,7 @@ type mozilla_plugin_tmpfs_t; userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t) +pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t) type mozilla_plugin_rw_t; files_type(mozilla_plugin_rw_t) @@ -58,6 +59,7 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t }; typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; userdom_user_tmpfs_file(mozilla_tmpfs_t) +pulseaudio_tmpfs_content(mozilla_tmpfs_t) ######################################## # @@ -273,7 +275,7 @@ ') optional_policy(` - lpd_run_lpr(mozilla_plugin_t, mozilla_roles) + lpd_run_lpr(mozilla_t, mozilla_roles) ') optional_policy(` @@ -283,7 +285,7 @@ ') optional_policy(` - pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_run(mozilla_t, mozilla_roles) ') optional_policy(` @@ -302,10 +304,8 @@ allow mozilla_plugin_t self:sem create_sem_perms; allow mozilla_plugin_t self:shm create_shm_perms; allow mozilla_plugin_t self:tcp_socket { accept listen }; -allow mozilla_plugin_t self:unix_dgram_socket sendto; allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen }; -allow mozilla_plugin_t mozilla_t:process signull; allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms; allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms; allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy }; 
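Review bot: Switching gpg_pinentry_t to `pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)` makes it a pulseaudio_client, and the client policy in pulseaudio.te (the -146 hunk) grants `userdom_manage_user_home_content_files(pulseaudio_client)`, while the -317 hunk of this file drops the narrower `userdom_read_user_home_content_files(gpg_pinentry_t)`; the net effect is that the passphrase-entry helper goes from read to create/write/delete on all user home content, which the commit message does not mention. The same widening reaches every other domain converted in this series (mozilla_t, mozilla_plugin_t, mpd_t, mplayer_t). The `# TODO: ~/.cache` comment next to that rule suggests a dedicated type for the pulseaudio cache would be the least-privilege answer; until then the client rule should be narrowed or the pinentry conversion justified. Whether `gpg_pinentry_roles` is already declared as a role attribute in this file is not visible from the hunk.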
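Review bot: The change from `lpd_run_lpr(mozilla_plugin_t, mozilla_roles)` to `lpd_run_lpr(mozilla_t, mozilla_roles)` is unrelated to pulseaudio and is not mentioned in the commit message; it both removes printing from mozilla_plugin_t and adds it to mozilla_t. If it corrects a wrong domain it deserves its own commit with a one-line explanation, and if plugins still print, the original line should stay alongside the new one.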
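Review bot: `allow mozilla_plugin_t mozilla_t:process signull;` and `allow mozilla_plugin_t self:unix_dgram_socket sendto;` were unconditional, but their replacements now come from the pulseaudio_client attribute, which mozilla_t and mozilla_plugin_t only receive inside the optional_policy blocks of the -283 and -553 hunks. When the pulseaudio module is not loaded both rules disappear, so if the plugin signals the browser for any reason other than audio, keep the explicit rules here. The -453 hunk's removal of `application_dontaudit_signull(mozilla_plugin_t)` rests on the same assumption and will turn those signulls into audit noise.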
@@ -453,7 +453,6 @@ term_getattr_all_ptys(mozilla_plugin_t) application_exec(mozilla_plugin_t) -application_dontaudit_signull(mozilla_plugin_t) auth_use_nsswitch(mozilla_plugin_t) @@ -553,7 +552,7 @@ ') optional_policy(` - pulseaudio_role(mozilla_plugin_roles, mozilla_plugin_t) + pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) ') optional_policy(` diff --git a/mpd.te b/mpd.te index 49dc4b3..ef7fde6 100644 --- a/mpd.te +++ b/mpd.te @@ -1,4 +1,4 @@ -policy_module(mpd, 1.0.2) +policy_module(mpd, 1.0.3) ######################################## # @@ -51,6 +51,7 @@ type mpd_tmpfs_t; files_tmpfs_file(mpd_tmpfs_t) +pulseaudio_tmpfs_content(mpd_tmpfs_t) type mpd_var_lib_t; files_type(mpd_var_lib_t) @@ -67,7 +68,6 @@ allow mpd_t self:process { getsched setsched setrlimit signal signull }; allow mpd_t self:fifo_file rw_fifo_file_perms; allow mpd_t self:unix_stream_socket { accept connectto listen }; -allow mpd_t self:unix_dgram_socket sendto; allow mpd_t self:tcp_socket { accept listen }; allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -89,7 +89,7 @@ files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file }) allow mpd_t mpd_tmpfs_t:file manage_file_perms; -fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file ) +fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file) allow mpd_t mpd_user_data_t:dir list_dir_perms; allow mpd_t mpd_user_data_t:file read_file_perms; @@ -129,10 +129,6 @@ corenet_sendrecv_http_cache_client_packets(mpd_t) corenet_tcp_connect_http_cache_port(mpd_t) corenet_tcp_sendrecv_http_cache_port(mpd_t) - -corenet_sendrecv_pulseaudio_client_packets(mpd_t) -corenet_tcp_connect_pulseaudio_port(mpd_t) -corenet_tcp_sendrecv_pulseaudio_port(mpd_t) dev_read_sound(mpd_t) dev_write_sound(mpd_t) 
@@ -194,17 +190,12 @@ ') optional_policy(` - pulseaudio_exec(mpd_t) - pulseaudio_stream_connect(mpd_t) - pulseaudio_signull(mpd_t) + pulseaudio_domtrans(mpd_t) + ') optional_policy(` rpc_search_nfs_state_data(mpd_t) -') - -optional_policy(` - rtkit_daemon_dbus_chat(mpd_t) ') optional_policy(` diff --git a/mplayer.te b/mplayer.te index 2e42824..a24fb6f 100644 --- a/mplayer.te +++ b/mplayer.te @@ -42,6 +42,7 @@ typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t }; typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t }; userdom_user_tmpfs_file(mplayer_tmpfs_t) +pulseaudio_tmpfs_content(mplayer_tmpfs_t) ######################################## # @@ -126,7 +127,6 @@ allow mplayer_t self:process { signal_perms getsched }; allow mplayer_t self:fifo_file rw_fifo_file_perms; allow mplayer_t self:sem create_sem_perms; -allow mplayer_t self:unix_dgram_socket sendto; allow mplayer_t mplayer_etc_t:dir list_dir_perms; allow mplayer_t mplayer_etc_t:file read_file_perms; @@ -153,10 +153,6 @@ corenet_all_recvfrom_unlabeled(mplayer_t) corenet_tcp_sendrecv_generic_if(mplayer_t) corenet_tcp_sendrecv_generic_node(mplayer_t) - -corenet_sendrecv_pulseaudio_client_packets(mplayer_t) -corenet_tcp_connect_pulseaudio_port(mplayer_t) -corenet_tcp_sendrecv_pulseaudio_port(mplayer_t) corecmd_exec_bin(mplayer_t) corecmd_exec_shell(mplayer_t) @@ -250,7 +246,5 @@ ') optional_policy(` - pulseaudio_exec(mplayer_t) - pulseaudio_stream_connect(mplayer_t) - pulseaudio_signull(mplayer_t) + pulseaudio_run(mplayer_t, mplayer_roles) ') diff --git a/pulseaudio.fc b/pulseaudio.fc index 783a98c..4311cef 100644 --- a/pulseaudio.fc +++ b/pulseaudio.fc 
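Review bot: A blank line is added between `pulseaudio_domtrans(mpd_t)` and the closing `')` of the optional_policy block, which does not match the style of the other optional blocks in this file; drop it. The hunk also removes the `rtkit_daemon_dbus_chat(mpd_t)` optional block, presumably because `rtkit_scheduled(pulseaudio_client)` in pulseaudio.te now covers mpd_t; if rtkit_scheduled does not include the dbus chat, mpd_t loses it, so confirm before dropping.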
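Review bot: mplayer.te is changed in four hunks but, unlike gpg.te, mozilla.te, mpd.te, qemu.te and pulseaudio.te, gets no policy_module version bump; the version line is outside these hunks, so a separate bump of its last component is still needed. `pulseaudio_run(mplayer_t, mplayer_roles)` also assumes an `mplayer_roles` role attribute is declared in the file, which is not visible here.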
@@ -1,7 +1,9 @@ -HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) + /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/pulseaudio.if b/pulseaudio.if index f40c64d..5bce16c 100644 --- a/pulseaudio.if +++ b/pulseaudio.if @@ -2,7 +2,7 @@ ######################################## ## -## Role access for pulseaudio +## Role access for pulseaudio. ## ## ## 
@@ -17,26 +17,51 @@ # interface(`pulseaudio_role',` gen_require(` - type pulseaudio_t, pulseaudio_exec_t; - class dbus { acquire_svc send_msg }; + attribute pulseaudio_tmpfs_file_type; + type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t; + type pulseaudio_tmp_t; ') - role $1 types pulseaudio_t; + pulseaudio_run($2, $1) - # Transition from the user domain to the derived domain. - domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) - + allow $2 pulseaudio_t:process { ptrace signal_perms }; ps_process_pattern($2, pulseaudio_t) - allow pulseaudio_t $2:process { signal signull }; - allow $2 pulseaudio_t:process { signal signull sigkill }; - ps_process_pattern(pulseaudio_t, $2) + allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms }; + allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + + userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse") + userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth") + userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie") + + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfs_file_type }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfs_file_type }:file { manage_file_perms relabel_file_perms }; + + allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; + allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; allow pulseaudio_t $2:unix_stream_socket connectto; - allow $2 pulseaudio_t:unix_stream_socket connectto; +') - allow $2 pulseaudio_t:dbus send_msg; - allow pulseaudio_t $2:dbus { acquire_svc send_msg }; +######################################## +## +## Make the specified tmpfs file type +## pulseaudio tmpfs content. +## +## +## +## File type to make pulseaudio tmpfs content. 
+## +## +# +interface(`pulseaudio_tmpfs_content',` + gen_require(` + attribute pulseaudio_tmpfs_file_type; + ') + + typeattribute $1 pulseaudio_tmpfs_file_type; ') ######################################## @@ -51,16 +76,21 @@ # interface(`pulseaudio_domtrans',` gen_require(` + attribute pulseaudio_client; type pulseaudio_t, pulseaudio_exec_t; ') + typeattribute $1 pulseaudio_client; + + corecmd_search_bin($1) domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) ') ######################################## ## -## Execute pulseaudio in the pulseaudio domain, and -## allow the specified role the pulseaudio domain. +## Execute pulseaudio in the +## pulseaudio domain, and allow the +## specified role the pulseaudio domain. ## ## ## @@ -75,16 +105,16 @@ # interface(`pulseaudio_run',` gen_require(` - type pulseaudio_t; + attribute_role pulseaudio_roles; ') pulseaudio_domtrans($1) - role $2 types pulseaudio_t; + roleattribute $2 pulseaudio_roles; ') ######################################## ## -## Execute a pulseaudio in the current domain. +## Execute pulseaudio in the caller domain. ## ## ## @@ -97,12 +127,13 @@ type pulseaudio_exec_t; ') + corecmd_search_bin($1) can_exec($1, pulseaudio_exec_t) ') ######################################## ## -## Do not audit to execute a pulseaudio. +## Do not audit attempts to execute pulseaudio. ## ## ## @@ -120,7 +151,7 @@ ######################################## ## -## Send signull signal to pulseaudio +## Send null signals to pulseaudio. ## processes. ## ## @@ -139,8 +170,8 @@ ##################################### ## -## Connect to pulseaudio over a unix domain -## stream socket. +## Connect to pulseaudio with a unix +## domain stream socket. ## ## ## 
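Review bot: `allow $2 pulseaudio_t:process { ptrace signal_perms };` is wider than what pulseaudio_role granted before (`signal signull sigkill`): ptrace lets the user domain read and alter pulseaudio_t's memory, and pulseaudio_t holds the `setuid`, `setgid`, `chown` and `fowner` capabilities and is shared with the system instance (DAC still limits ptrace to the user's own processes, so the exposure is mainly the per-user instance). This matches other refpolicy role interfaces, but if it was only added for symmetry, `allow $2 pulseaudio_t:process signal_perms;` is enough. The three `userdom_user_home_dir_filetrans` calls are duplicated verbatim in pulseaudio.te; a small shared interface would keep the two lists from drifting.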
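Review bot: `typeattribute $1 pulseaudio_client;` gives every caller of pulseaudio_domtrans the whole client policy from pulseaudio.te (tmpfs read and delete, user home content manage, network connect to the pulseaudio port, rtkit, NFS/CIFS manage under the tunables, dbus chat), which a caller would not expect from an interface named domtrans. The interface description block starts outside this hunk and should state the side effect, e.g. `## The caller is also made a pulseaudio client and receives the pulseaudio client policy.`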
@@ -150,13 +181,12 @@ # interface(`pulseaudio_stream_connect',` gen_require(` - type pulseaudio_t, pulseaudio_var_run_t; + type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t; ') files_search_pids($1) - allow $1 pulseaudio_t:process signull; - allow pulseaudio_t $1:process signull; - stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) + userdom_list_user_tmp($1) + stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t) ') ######################################## @@ -182,9 +212,10 @@ ######################################## ## -## Set the attributes of the pulseaudio homedir. +## Set attributes of pulseaudio +## home directories. ## -## +## ## ## Domain allowed access. ## @@ -195,34 +226,50 @@ type pulseaudio_home_t; ') - allow $1 pulseaudio_home_t:dir setattr; + allow $1 pulseaudio_home_t:dir setattr_dir_perms; ') ######################################## ## -## Read pulseaudio homedir files. +## Read pulseaudio home files. ## -## +## ## ## Domain allowed access. ## ## # interface(`pulseaudio_read_home_files',` + refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.') + pulseaudio_read_home($1) +') + +######################################## +## +## Read pulseaudio home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_read_home',` gen_require(` type pulseaudio_home_t; ') userdom_search_user_home_dirs($1) - read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + allow $1 pulseaudio_home_t:dir list_dir_perms; + allow $1 pulseaudio_home_t:file read_file_perms; + allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms; ') ######################################## ## -## Read and write Pulse Audio files. +## Read and write pulseaudio home files. ## -## +## ## ## Domain allowed access. ## 
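Review bot: The two signull rules removed from pulseaudio_stream_connect are only re-added for pulseaudio_client (`allow pulseaudio_t pulseaudio_client:process signull;` in pulseaudio.te and `pulseaudio_signull(pulseaudio_client)`), so callers that stream-connect without transitioning lose them; qemu_t in the qemu.te hunk is such a caller and the patch does not add `pulseaudio_signull(qemu_t)` there. Either keep `allow $1 pulseaudio_t:process signull;` in this interface or add the signull call for qemu_t. The new `userdom_list_user_tmp($1)` is needed to reach the pulseaudio_tmp_t socket and looks right.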
@@ -234,27 +281,43 @@ ') rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) userdom_search_user_home_dirs($1) ') ######################################## ## -## Create, read, write, and delete pulseaudio -## home directory files. +## Create, read, write, and delete +## pulseaudio home files. ## -## +## ## ## Domain allowed access. ## ## # interface(`pulseaudio_manage_home_files',` + refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.') + pulseaudio_manage_home($1) +') + +######################################## +## +## Create, read, write, and delete +## pulseaudio home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_manage_home',` gen_require(` type pulseaudio_home_t; ') userdom_search_user_home_dirs($1) - manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + allow $1 pulseaudio_home_t:dir manage_dir_perms; + allow $1 pulseaudio_home_t:file manage_file_perms; + allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms; ') diff --git a/pulseaudio.te b/pulseaudio.te index b48444a..7f62ec6 100644 --- a/pulseaudio.te +++ b/pulseaudio.te 
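Review bot: Removing `read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)` from pulseaudio_rw_home_files silently narrows an existing interface: callers outside this patch that relied on it for symlinks under pulseaudio_home_t will get denials, and only pulseaudio_client pairs the interface with pulseaudio_read_home. Keep the line, or replace it with `allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;` to match the style of the new pulseaudio_read_home and pulseaudio_manage_home.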
@@ -1,47 +1,68 @@ -policy_module(pulseaudio, 1.5.1) +policy_module(pulseaudio, 1.5.2) ######################################## # # Declarations # +attribute pulseaudio_client; +attribute pulseaudio_tmpfs_file_type; + +attribute_role pulseaudio_roles; + type pulseaudio_t; type pulseaudio_exec_t; init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t) -role system_r types pulseaudio_t; +role pulseaudio_roles types pulseaudio_t; type pulseaudio_home_t; userdom_user_home_content(pulseaudio_home_t) + +type pulseaudio_tmp_t; +userdom_user_tmp_file(pulseaudio_tmp_t) type pulseaudio_tmpfs_t; userdom_user_tmpfs_file(pulseaudio_tmpfs_t) type pulseaudio_var_lib_t; files_type(pulseaudio_var_lib_t) -ubac_constrained(pulseaudio_var_lib_t) type pulseaudio_var_run_t; files_pid_file(pulseaudio_var_run_t) -ubac_constrained(pulseaudio_var_run_t) ######################################## # -# pulseaudio local policy +# Local policy # allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; -allow pulseaudio_t self:fifo_file rw_file_perms; -allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; -allow pulseaudio_t self:tcp_socket create_stream_socket_perms; -allow pulseaudio_t self:udp_socket create_socket_perms; +allow pulseaudio_t self:fifo_file rw_fifo_file_perms; +allow pulseaudio_t self:unix_stream_socket { accept connectto listen }; +allow pulseaudio_t self:unix_dgram_socket sendto; +allow pulseaudio_t self:tcp_socket { accept listen }; allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; -manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) -manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) 
-userdom_search_user_home_dirs(pulseaudio_t) +allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms; +allow pulseaudio_t pulseaudio_home_t:file manage_file_perms; +allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms; + +userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse") +userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth") +userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie") + +manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket") +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native") + +manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) @@ -53,6 +74,9 @@ manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) +allow pulseaudio_t pulseaudio_client:process signull; +ps_process_pattern(pulseaudio_t, pulseaudio_client) + can_exec(pulseaudio_t, pulseaudio_exec_t) kernel_getattr_proc(pulseaudio_t) 
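Review bot: `ubac_constrained(pulseaudio_var_lib_t)` and `ubac_constrained(pulseaudio_var_run_t)` are dropped without explanation; UBAC is what keeps one user's pulseaudio_t from touching another user's files of these types, so the removal loosens cross-user separation in a domain the commit message says is shared between the system and per-user instances. If the reason is that /var/lib/pulse and /var/run/pulse belong only to the system instance, a comment on the declarations should say so. The socket lines also shrink from `create_stream_socket_perms`/`create_socket_perms` to `{ accept listen }` and drop `udp_socket` entirely while the -63 hunk still binds the sap port over UDP; that only works if the base socket permissions come from `userdom_user_application_domain` or elsewhere, which is not visible here.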
@@ -63,20 +87,32 @@ corenet_all_recvfrom_unlabeled(pulseaudio_t) corenet_all_recvfrom_netlabel(pulseaudio_t) -corenet_tcp_bind_pulseaudio_port(pulseaudio_t) -corenet_tcp_bind_soundd_port(pulseaudio_t) corenet_tcp_sendrecv_generic_if(pulseaudio_t) -corenet_tcp_sendrecv_generic_node(pulseaudio_t) -corenet_udp_bind_sap_port(pulseaudio_t) corenet_udp_sendrecv_generic_if(pulseaudio_t) +corenet_tcp_sendrecv_generic_node(pulseaudio_t) corenet_udp_sendrecv_generic_node(pulseaudio_t) +corenet_tcp_sendrecv_all_ports(pulseaudio_t) +corenet_udp_sendrecv_all_ports(pulseaudio_t) +corenet_tcp_bind_generic_node(pulseaudio_t) +corenet_udp_bind_generic_node(pulseaudio_t) + +corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t) +corenet_tcp_bind_pulseaudio_port(pulseaudio_t) +corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t) + +corenet_sendrecv_soundd_server_packets(pulseaudio_t) +corenet_tcp_bind_soundd_port(pulseaudio_t) +corenet_tcp_sendrecv_soundd_port(pulseaudio_t) + +corenet_sendrecv_sap_server_packets(pulseaudio_t) +corenet_udp_bind_sap_port(pulseaudio_t) +corenet_udp_sendrecv_sap_port(pulseaudio_t) dev_read_sound(pulseaudio_t) dev_write_sound(pulseaudio_t) dev_read_sysfs(pulseaudio_t) dev_read_urand(pulseaudio_t) -files_read_etc_files(pulseaudio_t) files_read_usr_files(pulseaudio_t) fs_rw_anon_inodefs_files(pulseaudio_t) 
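Review bot: `corenet_tcp_sendrecv_all_ports(pulseaudio_t)` and `corenet_udp_sendrecv_all_ports(pulseaudio_t)` are added next to explicit per-port rules for the pulseaudio, soundd and sap ports, which makes the all-ports rules either redundant or a hidden grant for some other port (RTP streams on unreserved ports, for example). Either drop the two all_ports lines or keep them with a comment naming the protocol that needs them. `files_read_etc_files(pulseaudio_t)` is removed as well, presumably as covered by the application domain template; worth confirming before it lands.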
@@ -92,10 +128,24 @@ miscfiles_read_localization(pulseaudio_t) -# cjp: this seems excessive. need to confirm -userdom_manage_user_home_content_files(pulseaudio_t) -userdom_manage_user_tmp_files(pulseaudio_t) -userdom_manage_user_tmpfs_files(pulseaudio_t) +userdom_search_user_home_dirs(pulseaudio_t) +userdom_write_user_tmp_sockets(pulseaudio_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(pulseaudio_t) + fs_manage_nfs_files(pulseaudio_t) + fs_manage_nfs_symlinks(pulseaudio_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(pulseaudio_t) + fs_manage_cifs_files(pulseaudio_t) + fs_manage_cifs_symlinks(pulseaudio_t) +') + +optional_policy(` + alsa_read_rw_config(pulseaudio_t) +') optional_policy(` bluetooth_stream_connect(pulseaudio_t) @@ -103,7 +153,6 @@ optional_policy(` dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) - dbus_system_bus_client(pulseaudio_t) dbus_all_session_bus_client(pulseaudio_t) dbus_connect_all_session_bus(pulseaudio_t) 
@@ -146,3 +195,58 @@ xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') + +######################################## +# +# Client local policy +# + +allow pulseaudio_client self:unix_dgram_socket sendto; + +allow pulseaudio_client pulseaudio_client:process signull; + +read_files_pattern(pulseaudio_client, { pulseaudio_tmpfs_file_type pulseaudio_tmpfs_t }, { pulseaudio_tmpfs_file_type pulseaudio_tmpfs_t }) +delete_files_pattern(pulseaudio_client, pulseaudio_tmpfs_file_type, pulseaudio_tmpfs_file_type) + +fs_getattr_tmpfs(pulseaudio_client) + +corenet_all_recvfrom_unlabeled(pulseaudio_client) +corenet_all_recvfrom_netlabel(pulseaudio_client) +corenet_tcp_sendrecv_generic_if(pulseaudio_client) +corenet_tcp_sendrecv_generic_node(pulseaudio_client) + +corenet_sendrecv_pulseaudio_client_packets(pulseaudio_client) +corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) +corenet_tcp_connect_pulseaudio_port(pulseaudio_client) + +pulseaudio_stream_connect(pulseaudio_client) +pulseaudio_read_home(pulseaudio_client) +pulseaudio_rw_home_files(pulseaudio_client) +pulseaudio_setattr_home_dir(pulseaudio_client) +pulseaudio_signull(pulseaudio_client) + +rtkit_scheduled(pulseaudio_client) + +# TODO: ~/.cache +userdom_manage_user_home_content_files(pulseaudio_client) + +userdom_read_user_tmpfs_files(pulseaudio_client) +# userdom_delete_user_tmpfs_files(pulseaudio_client) + +tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(pulseaudio_client) + fs_manage_nfs_dirs(pulseaudio_client) + fs_manage_nfs_files(pulseaudio_client) + fs_read_nfs_symlinks(pulseaudio_client) +') + +tunable_policy(`use_samba_home_dirs',` + fs_getattr_cifs(pulseaudio_client) + fs_manage_cifs_dirs(pulseaudio_client) + fs_manage_cifs_files(pulseaudio_client) + fs_read_cifs_symlinks(pulseaudio_client) +') + +optional_policy(` + pulseaudio_dbus_chat(pulseaudio_client) +') diff --git a/qemu.te b/qemu.te index d1db264..94af893 100644 --- a/qemu.te 
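Review bot: `rtkit_scheduled(pulseaudio_client)` is called unconditionally while the neighbouring `pulseaudio_dbus_chat` and `alsa_read_rw_config` calls are wrapped in optional_policy; unless rtkit is part of the base policy this breaks the build of pulseaudio.te, so wrap it the same way. The commented-out `# userdom_delete_user_tmpfs_files(pulseaudio_client)` contradicts the commit message, which says clients need to read and delete user tmpfs files; either enable it or drop the comment and correct the message. `delete_files_pattern` covers only pulseaudio_tmpfs_file_type while the `read_files_pattern` above it also covers pulseaudio_tmpfs_t; if that asymmetry is intended, a one-line comment would spare the next reader the question.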
+++ b/qemu.te @@ -1,4 +1,4 @@ -policy_module(qemu, 1.7.1) +policy_module(qemu, 1.7.2) ######################################## # @@ -96,7 +96,7 @@ ') optional_policy(` - pulseaudio_manage_home_files(qemu_t) + pulseaudio_manage_home(qemu_t) pulseaudio_stream_connect(qemu_t) ')