Mono patch from Dan Walsh.

policy/modules/apps/mono.fc

@@ -1 +1 @@
-/usr/bin/mono	--	gen_context(system_u:object_r:mono_exec_t,s0)
+/usr/bin/mono.*	--	gen_context(system_u:object_r:mono_exec_t,s0)

policy/modules/apps/mono.if

@@ -1,5 +1,61 @@
 ## <summary>Run .NET server and client applications on Linux.</summary>
 
+#######################################
+## <summary>
+##	The role template for the mono module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for mono applications.
+##	</p>
+## </desc>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`mono_role_template',`
+	gen_require(`
+		type mono_exec_t;
+	')
+
+	type $1_mono_t;
+	domain_type($1_mono_t)
+	domain_entry_file($1_mono_t, mono_exec_t)
+	role $2 types $1_mono_t;
+
+	domain_interactive_fd($1_mono_t)
+	application_type($1_mono_t)
+
+	userdom_manage_tmpfs_role($2, $1_mono_t)
+
+	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+	allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+	domtrans_pattern($3, mono_exec_t, $1_mono_t)
+
+	fs_dontaudit_rw_tmpfs_files($1_mono_t)
+	corecmd_bin_domtrans($1_mono_t, $1_t)
+
+	optional_policy(`
+		xserver_role($1_r, $1_mono_t)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Execute the mono program in the mono domain.
@@ -19,6 +75,31 @@ interface(`mono_domtrans',`
 	domtrans_pattern($1, mono_exec_t, mono_t)
 ')
 
+########################################
+## <summary>
+##	Execute mono in the mono domain, and
+##	allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the mono domain.
+##	</summary>
+## </param>
+#
+interface(`mono_run',`
+	gen_require(`
+		type mono_t;
+	')
+
+	mono_domtrans($1)
+	role $2 types mono_t;
+')
+
 ########################################
 ## <summary>
 ##	Execute the mono program in the caller domain.
@@ -31,9 +112,27 @@ interface(`mono_domtrans',`
 #
 interface(`mono_exec',`
 	gen_require(`
-		type mono_t, mono_exec_t;
+		type mono_exec_t;
 	')
 
 	corecmd_search_bin($1)
 	can_exec($1, mono_exec_t)
 ')
+
+########################################
+## <summary>
+##	Read and write to mono shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+	gen_require(`
+		type mono_t;
+	')
+
+	allow $1 mono_t:shm rw_shm_perms;
+')

policy/modules/apps/mono.te

@@ -1,5 +1,5 @@
 
-policy_module(mono, 1.6.0)
+policy_module(mono, 1.6.1)
 
 ########################################
 #
@@ -8,6 +8,7 @@ policy_module(mono, 1.6.0)
 
 type mono_t;
 type mono_exec_t;
+application_type(mono_t)
 init_system_domain(mono_t, mono_exec_t)
 
 ########################################
@@ -15,11 +16,11 @@ init_system_domain(mono_t, mono_exec_t)
 # Local policy
 #
 
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
 
 init_dbus_chat_script(mono_t)
 
-userdom_user_home_dir_filetrans_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	avahi_dbus_chat(mono_t)
@@ -42,7 +43,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_domain_noaudit(mono_t)
+	unconfined_domain(mono_t)
 	unconfined_dbus_chat(mono_t)
 	unconfined_dbus_connect(mono_t)
 ')
+
+optional_policy(`
+	xserver_rw_shm(mono_t)
+')