diff --git a/policy/modules/apps/mono.fc b/policy/modules/apps/mono.fc index bc1c679c..b01bc913 100644 --- a/policy/modules/apps/mono.fc +++ b/policy/modules/apps/mono.fc @@ -1 +1 @@ -/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0) +/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0) diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if index 3e342680..7e835967 100644 --- a/policy/modules/apps/mono.if +++ b/policy/modules/apps/mono.if @@ -1,5 +1,61 @@ ## Run .NET server and client applications on Linux. +####################################### +## +## The role template for the mono module. +## +## +##
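Review bot: The new pattern `/usr/bin/mono.*` labels every regular file under /usr/bin whose path merely starts with "mono" as `mono_exec_t`, not only the runtime and its suffixed variants. That type is the entry point into `mono_t` (via `init_system_domain` and `domtrans_pattern` elsewhere in this change), and mono.te leaves that domain with `execheap execmem execstack` and, when the unconfined module is present, `unconfined_domain`. If the intent is only the suffixed runtime binaries, a tighter expression such as `/usr/bin/mono(-[^/]*)?` would keep the entry-point set reviewable, as would one explicit line per binary. The exact pattern needs confirming against the binaries actually shipped.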

+## This template creates a derived domains which are used +## for mono applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`mono_role_template',` + gen_require(` + type mono_exec_t; + ') + + type $1_mono_t; + domain_type($1_mono_t) + domain_entry_file($1_mono_t, mono_exec_t) + role $2 types $1_mono_t; + + domain_interactive_fd($1_mono_t) + application_type($1_mono_t) + + userdom_manage_tmpfs_role($2, $1_mono_t) + + allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; + + allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + + domtrans_pattern($3, mono_exec_t, $1_mono_t) + + fs_dontaudit_rw_tmpfs_files($1_mono_t) + corecmd_bin_domtrans($1_mono_t, $1_t) + + optional_policy(` + xserver_role($1_r, $1_mono_t) + ') +') + ######################################## ## ## Execute the mono program in the mono domain. @@ -19,6 +75,31 @@ interface(`mono_domtrans',` domtrans_pattern($1, mono_exec_t, mono_t) ') +######################################## +## +## Execute mono in the mono domain, and +## allow the specified role the mono domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the mono domain. +## +## +# +interface(`mono_run',` + gen_require(` + type mono_t; + ') + + mono_domtrans($1) + role $2 types mono_t; +') + ######################################## ## ## Execute the mono program in the caller domain. @@ -31,9 +112,27 @@ interface(`mono_domtrans',` # interface(`mono_exec',` gen_require(` - type mono_t, mono_exec_t; + type mono_exec_t; ') corecmd_search_bin($1) can_exec($1, mono_exec_t) ') + +######################################## +## +## Read and write to mono shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`mono_rw_shm',` + gen_require(` + type mono_t; + ') + + allow $1 mono_t:shm rw_shm_perms; +') 
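Review bot: In `mono_role_template`, `xserver_role($1_r, $1_mono_t)` and `corecmd_bin_domtrans($1_mono_t, $1_t)` rebuild the role and user domain from the prefix instead of using the template's own `$2` and `$3` arguments. A caller whose role or domain is not named after the prefix would get rules for a different, possibly undeclared, role or type than the one it passed. I would write `xserver_role($2, $1_mono_t)` and `corecmd_bin_domtrans($1_mono_t, $3)`. Separately, `allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };` grants `noatsecure`, which disables secure-mode environment sanitising on the transition into a domain that also holds `execheap execmem execstack`. A one-line comment saying why it is required would help, and the description's "creates a derived domains" should read "creates a derived domain".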
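Review bot: The summary of `mono_run` does not tell callers how much they are granting. mono.te in this same change gives `mono_t` `execheap execmem execstack` and, inside `optional_policy`, `unconfined_domain(mono_t)`, so `role $2 types mono_t;` effectively lets the role run code in an unconfined domain whenever the unconfined module is present. I would add to the description something like `## Note: mono_t is unconfined when the unconfined module is enabled; grant only to roles that may run unconfined code.`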
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te index 4a3d0716..f458dd07 100644 --- a/policy/modules/apps/mono.te +++ b/policy/modules/apps/mono.te @@ -1,5 +1,5 @@ -policy_module(mono, 1.6.0) +policy_module(mono, 1.6.1) ######################################## # @@ -8,6 +8,7 @@ policy_module(mono, 1.6.0) type mono_t; type mono_exec_t; +application_type(mono_t) init_system_domain(mono_t, mono_exec_t) ######################################## @@ -15,11 +16,11 @@ init_system_domain(mono_t, mono_exec_t) # Local policy # -allow mono_t self:process { execheap execmem }; +allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; init_dbus_chat_script(mono_t) -userdom_user_home_dir_filetrans_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file }) +userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` avahi_dbus_chat(mono_t) @@ -42,7 +43,11 @@ optional_policy(` ') optional_policy(` - unconfined_domain_noaudit(mono_t) + unconfined_domain(mono_t) unconfined_dbus_chat(mono_t) unconfined_dbus_connect(mono_t) ') + +optional_policy(` + xserver_rw_shm(mono_t) +')
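Review bot: The local-policy rule `allow mono_t self:process { ptrace signal getsched execheap execmem execstack };` now adds `ptrace` and `execstack` unconditionally, outside any `optional_policy` or tunable. Nothing on the page says which mono workload needs an executable stack in addition to `execmem`. I would put a comment above the rule, e.g. `# execmem/execheap: JIT; execstack and ptrace: <reason to be filled in>`, or drop whichever permissions cannot be justified. The same permission set is repeated for `$1_mono_t` in `mono_role_template` in mono.if. In the last hunk, the switch from `unconfined_domain_noaudit` to `unconfined_domain` presumably changes how these operations are audited, so it is worth confirming that is intended.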