@@ -, +, @@
- allow per-user pulseaudio daemon
- allow thunderbird to start pulseaudio daemon
- fix .pulse link access
- allow dbus machine-id link read
---
policy/modules/contrib/pulseaudio.fc | 2 ++
policy/modules/contrib/pulseaudio.te | 44 ++++++++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
--- a/policy/modules/contrib/pulseaudio.fc
+++ a/policy/modules/contrib/pulseaudio.fc
@@ -7,3 +7,5 @@ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
 /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
 /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+
+/dev/shm/pulse-shm-[0-9]+ -- gen_context(system_u:object_r:pulseaudio_tmpfs_t)
--- a/policy/modules/contrib/pulseaudio.te
+++ a/policy/modules/contrib/pulseaudio.te
@@ -31,6 +31,11 @@ files_type(pulseaudio_var_lib_t)
 type pulseaudio_var_run_t;
 files_pid_file(pulseaudio_var_run_t)
+require {
+ type staff_t;
+ type user_t;
+}
+
 ########################################
 #
 # Local policy
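Review bot: The new `/dev/shm/pulse-shm-[0-9]+` entry is the only context in the file written without an MLS level — every other line in the hunk ends in `,s0` — so on an MCS/MLS build it expands to an invalid context and setfiles will reject the file; it should read `gen_context(system_u:object_r:pulseaudio_tmpfs_t,s0)`. Separately, /dev/shm is tmpfs, which presumably takes its labels from the daemon's tmpfs file transition rather than from file_contexts, so this entry may be a no-op in practice — worth confirming before keeping it. I cannot see `pulseaudio_tmpfs_t` declared anywhere in this patch; the type must already exist in the module for the entry to compile.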
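Review bot: The bare `require { type staff_t; type user_t; }` hard-wires two user domains into the pulseaudio module, so the module fails to load on any build where those domains are not present, and it inverts refpolicy's layering, in which the domain being granted access receives its rules through an interface invoked from its own module. The conventional fix is a `pulseaudio_role(role, domain)` interface in pulseaudio.if (with a `gen_require` block for the pulseaudio types) called from the staff/user role modules, which also removes the need for this block. If a require really must stay in the .te, refpolicy spells it `gen_require(`…')`, not a raw `require`.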
@@ -129,6 +134,34 @@ miscfiles_read_localization(pulseaudio_t)
 userdom_search_user_home_dirs(pulseaudio_t)
 userdom_write_user_tmp_sockets(pulseaudio_t)
+#allow /home/user/.pulse/b635dc821cabdd2d355ea70900010017-runtime link access
+read_lnk_files_pattern(pulseaudio_t,pulseaudio_home_t,pulseaudio_home_t)
+
+#Allow for per-user pulseaudio daemons:
+#Access to the daemon:
+pulseaudio_domtrans(staff_t);
+pulseaudio_signull(staff_t);
+pulseaudio_stream_connect(staff_t);
+
+pulseaudio_domtrans(user_t);
+pulseaudio_signull(user_t);
+pulseaudio_stream_connect(user_t);
+
+#User should be able to manage its daemon:
+#user_t
+manage_files_pattern(user_t,pulseaudio_home_t,pulseaudio_home_t);
+read_lnk_files_pattern(user_t,pulseaudio_home_t,pulseaudio_home_t);
+setattr_dirs_pattern(user_t,pulseaudio_home_t,pulseaudio_home_t);
+
+#staff_t
+manage_files_pattern(staff_t,pulseaudio_home_t,pulseaudio_home_t);
+read_lnk_files_pattern(staff_t,pulseaudio_home_t,pulseaudio_home_t);
+setattr_dirs_pattern(staff_t,pulseaudio_home_t,pulseaudio_home_t);
+
+#Socket write access for the clients:
+write_sock_files_pattern(staff_t,pulseaudio_tmpfs_t,pulseaudio_tmpfs_t)
+write_sock_files_pattern(user_t,pulseaudio_tmpfs_t,pulseaudio_tmpfs_t)
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(pulseaudio_t)
 fs_manage_nfs_files(pulseaudio_t)
@@ -149,7 +182,18 @@ optional_policy(`
 bluetooth_stream_connect(pulseaudio_t)
 ')
+#Allow thunderbird to start the daemon:
+optional_policy(`
+ require {
+ type thunderbird_t;
+ }
+ pulseaudio_domtrans(thunderbird_t);
+ pulseaudio_signull(thunderbird_t);
+ pulseaudio_stream_connect(thunderbird_t);
+')
+
 optional_policy(`
+ dbus_read_lib_files(pulseaudio_t)
 dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
 dbus_all_session_bus_client(pulseaudio_t)
 dbus_connect_all_session_bus(pulseaudio_t)
--
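Review bot: `write_sock_files_pattern(staff_t,pulseaudio_tmpfs_t,pulseaudio_tmpfs_t)` and its user_t twin grant sock_file write on a type this patch only ever assigns to regular files — the .fc entry for `/dev/shm/pulse-shm-*` uses `--` — so they will not unblock the clients; the shared-memory segments need file read/write on pulseaudio_tmpfs_t, while the native socket lives under the `~/.pulse/<machine-id>-runtime` directory the first comment mentions, i.e. under pulseaudio_home_t (or the user tmp type), which `pulseaudio_stream_connect` presumably already covers. The trailing `;` on the `pulseaudio_domtrans(staff_t);` style calls is against refpolicy convention (interface calls carry no semicolon) and leaves a stray `;` after the expanded rules, which checkpolicy may reject. The comment on the first added line embeds one host's machine-id path; `#allow reading the ~/.pulse/<machine-id>-runtime symlink` says the same thing portably. Granting rules directly to staff_t/user_t inside this module would be better expressed as a role interface called from the user modules.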
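Review bot: The thunderbird block places rules for `thunderbird_t` in pulseaudio.te behind a raw `require`; refpolicy keeps a domain's permissions in that domain's own module, so these three calls belong in thunderbird.te as `optional_policy(` pulseaudio_domtrans(thunderbird_t) … ')`, which also makes the `require` unnecessary (and a raw `require` should be `gen_require(`…')` in any case). Drop the trailing `;` after each interface call, matching the `dbus_*` lines below. The `dbus_read_lib_files(pulseaudio_t)` addition for the machine-id link looks right, though the `optional_policy` block it sits in closes outside this hunk.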