Dont audit writes to leaked file descriptors or redirected output for nacl
authorDan Walsh <dwalsh@redhat.com>
Tue, 13 Dec 2011 19:39:56 +0000 (14:39 -0500)
committerDan Walsh <dwalsh@redhat.com>
Tue, 13 Dec 2011 19:39:56 +0000 (14:39 -0500)
policy/modules/apps/chrome.te
policy/modules/apps/gnome.if

index 4a71739d07222201237358f291cd0b85c244c502..aff461c97aff326e5efac82f3e3e62f0f377d0ba 100644 (file)
@@ -177,3 +177,8 @@ userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
 userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
 userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
 userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+
+optional_policy(`
+       gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
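Review bot: The new `optional_policy` block has no comment explaining why denials are being silenced for `chrome_sandbox_nacl_t`. It hides the audit record for every write this sandbox domain attempts on a `gnome_home_type` file. Those AVC messages are also the signal that confined code tried to modify the user's desktop configuration, so the rationale belongs next to the call, e.g. `# NaCl inherits leaked fds / redirected output; this only hides the AVC and grants no access`. Anyone investigating this domain can temporarily disable dontaudit rules with `semodule -DB` to see the suppressed denials again.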
+
index c57fc1e387bec8c178a358db79fe61662e6289cc..45580b57ef068c47a98830f5dc31c1fe4f1de3c0 100644 (file)
@@ -228,6 +228,24 @@ interface(`gnome_dontaudit_search_config',`
        dontaudit $1 gnome_home_type:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##     Dontaudit write gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`gnome_dontaudit_write_config_files',`
+       gen_require(`
+               attribute gnome_home_type;
+       ')
+
+       dontaudit $1 gnome_home_type:file write;
+')
+
 ########################################
 ## <summary>
 ##     manage gnome homedir content (.config)
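Review bot: `gnome_dontaudit_write_config_files` is named and documented as covering `.config` content, but the rule `dontaudit $1 gnome_home_type:file write;` matches every type that carries the `gnome_home_type` attribute. The attribute's members are not visible in this hunk, but it presumably spans more than config files, so callers silence more denials than the name suggests. Either narrow the rule to the config file type or have the summary state the real scope, e.g. `## Do not audit attempts to write files of any gnome home type.`. Also confirm that `write` alone covers the redirected-output case in the commit title: a descriptor opened in append mode (`>>`) is checked against `append`, so those denials would still be logged.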