From e67089687b8476da5fdf1585468769340d5dbbbc Mon Sep 17 00:00:00 2001
From: secureworkstation <60398077+secureworkstation@users.noreply.github.com>
Date: Mon, 3 Feb 2020 06:07:31 +0100
Subject: [PATCH 1/3] Label /run/user/.../pulse/ as pulseaudio_home_t
---
pulseaudio.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/pulseaudio.fc b/pulseaudio.fc
index 0e7d875135..838f7dbd75 100644
--- a/pulseaudio.fc
+++ b/pulseaudio.fc
@@ -12,3 +12,4 @@ HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/var/run/user/([^/]*)/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
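Review bot: The added pattern's `([^/]*)` also matches an empty path component, and its capture group is never used; `/var/run/user/[^/]+/pulse(/.*)?` is tighter and reads more clearly. The entry also puts a per-user runtime directory under a type that the context line in the hunk header gives to `HOME_DIR/.config/pulse`, and nothing in the file says that this is intended. A comment above the new line would help, for example `# per-user runtime dir; deliberately shares pulseaudio_home_t with ~/.config/pulse`.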
From a61df1fa4d3e86b9348dd88ef2470330be9c131f Mon Sep 17 00:00:00 2001
From: secureworkstation <60398077+secureworkstation@users.noreply.github.com>
Date: Mon, 3 Feb 2020 06:12:47 +0100
Subject: [PATCH 2/3] Allow pulseaudio to transition /run/user/.../pulse/ to a
correct label
In most cases the session systemd instance (running in the user context) creates this directory.
---
pulseaudio.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/pulseaudio.te b/pulseaudio.te
index 1b64534229..566cf6d9ed 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -47,6 +47,7 @@ manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs(pulseaudio_t)
pulseaudio_filetrans_home_content(pulseaudio_t)
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_home_t, dir, "pulse") # /run/user/.../pulse
allow pulseaudio_t pulseaudio_home_t:file map;
# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
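Review bot: Nothing visible in this hunk lets pulseaudio_t create a socket inside the directory it now transitions via the added `userdom_user_tmp_filetrans` line; the neighbouring rules cover only files and symlinks on pulseaudio_home_t. If the daemon binds its own socket there when the session systemd has not pre-created it, that will be denied unless a rule outside the hunk already grants it; consider `manage_sock_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)`. The named transition presumably fires in any directory carrying the user tmp label, not only /run/user/UID, so the trailing comment would be more accurate as `# dir named "pulse" created in a user tmp dir, e.g. /run/user/UID/pulse`.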
From 98e2369e1e7226a7066cc495385663e5f7f5c1c3 Mon Sep 17 00:00:00 2001
From: secureworkstation <60398077+secureworkstation@users.noreply.github.com>
Date: Mon, 3 Feb 2020 06:25:42 +0100
Subject: [PATCH 3/3] Modify pulseaudio.if to support /run/user/.../pulse/
labeling
Most importantly, allow the session systemd process a filetrans for pulse/. Add interfaces so that systemd-logind will be able to remove this directory.
---
pulseaudio.if | 47 ++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 44 insertions(+), 3 deletions(-)
diff --git a/pulseaudio.if b/pulseaudio.if
index 1e2fb9a0b3..42f28dd1da 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -18,7 +18,7 @@
interface(`pulseaudio_role',`
gen_require(`
attribute pulseaudio_tmpfsfile;
- type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
+ type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t, pulseaudio_home_t;
class dbus { acquire_svc send_msg };
')
@@ -36,13 +36,17 @@ interface(`pulseaudio_role',`
allow pulseaudio_t $2:unix_stream_socket connectto;
allow $2 pulseaudio_t:unix_stream_socket connectto;
- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile pulseaudio_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile pulseaudio_home_t }:file { manage_file_perms relabel_file_perms };
userdom_manage_tmp_role($1, pulseaudio_t)
allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
+
+ # session systemd
+ userdom_user_tmp_filetrans($2, pulseaudio_home_t, dir, "pulse")
+ allow $2 pulseaudio_home_t:sock_file { create unlink };
')
########################################
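Review bot: The raw permission list in `allow $2 pulseaudio_home_t:sock_file { create unlink };` is likely too narrow for its stated purpose, and the same rule is repeated in `pulseaudio_manage_session_tmp_files` in the next hunk. Creating and cleaning up a socket normally involves at least `getattr` as well, so this may still produce denials. Using the policy's permission sets keeps it least-privilege and consistent with the `manage_*_perms` style on the lines above: `allow $2 pulseaudio_home_t:sock_file { create_sock_file_perms delete_sock_file_perms };`. The `# session systemd` comment could also say why, for example `# session systemd (running in the user domain) pre-creates /run/user/UID/pulse and its socket`. The body of `pulseaudio_role` starts outside this hunk.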
@@ -293,6 +297,43 @@ interface(`pulseaudio_manage_home_files',`
pulseaudio_filetrans_home_content($1)
')
+########################################
+##
+## Manage pulseaudio session tmp dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_manage_session_tmp_dirs',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+##
+## Manage pulseaudio session tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_manage_session_tmp_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ allow $1 pulseaudio_home_t:sock_file { create unlink };
+')
+
########################################
##
## Create, read, write, and delete pulseaudio
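Review bot: Both new interfaces are named and documented as session tmp access, but they grant manage permissions on `pulseaudio_home_t`, which pulseaudio.fc in this series also assigns to `HOME_DIR/.config/pulse`. A caller such as systemd-logind, which per the commit message only needs to remove /run/user/UID/pulse, would therefore also gain create, write and delete access to the user's PulseAudio home content. A dedicated runtime type for the /run/user path would keep the two scopes apart. Failing that, the summaries should state the real reach, for example `## Manage pulseaudio home and session runtime dirs (both labeled pulseaudio_home_t).`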