devices, userdomain: dontaudit userdomain setattr on null device nodes

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/kernel/devices.if

@@ -3391,6 +3391,25 @@ interface(`dev_setattr_null_dev',`
 	setattr_chr_files_pattern($1, device_t, null_device_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes of
+##	the null device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_null_dev',`
+	gen_require(`
+		type null_device_t;
+	')
+
+	dontaudit $1 null_device_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Delete the null device (/dev/null).

policy/modules/system/userdomain.if

@@ -78,6 +78,7 @@ template(`userdom_base_user_template',`
 
 	dev_dontaudit_getattr_all_blk_files($1_t)
 	dev_dontaudit_getattr_all_chr_files($1_t)
+	dev_dontaudit_setattr_null_dev($1_t)
 
 	# for X session unlock
 	allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };