[selinux-policy: 2421/3172] Mono patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:34:50 UTC 2010


commit 1e0f483a180dab28d151f9fb2fff8d5de0de905a
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Feb 19 10:42:43 2010 -0500

    Mono patch from Dan Walsh.

 policy/modules/apps/mono.fc |    2 +-
 policy/modules/apps/mono.if |  101 ++++++++++++++++++++++++++++++++++++++++++-
 policy/modules/apps/mono.te |   13 ++++--
 3 files changed, 110 insertions(+), 6 deletions(-)
---
diff --git a/policy/modules/apps/mono.fc b/policy/modules/apps/mono.fc
index bc1c679..b01bc91 100644
--- a/policy/modules/apps/mono.fc
+++ b/policy/modules/apps/mono.fc
@@ -1 +1 @@
-/usr/bin/mono	--	gen_context(system_u:object_r:mono_exec_t,s0)
+/usr/bin/mono.*	--	gen_context(system_u:object_r:mono_exec_t,s0)
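Review bot: The new pattern `/usr/bin/mono.*` is an unescaped regex, so it labels every /usr/bin entry whose name begins with `mono` as mono_exec_t (the `.` matches any character, not a literal dot), and with the mono.te hunk's `unconfined_domain(mono_t)` each such binary becomes an entry point into a domain that is unconfined whenever the unconfined module is loaded. If the intent is only the runtime and its variants, a tighter pattern such as `/usr/bin/mono(-.*)?` (constructed example) keeps unrelated tools that merely share the prefix in their caller's domain. Either way, a one-line comment in mono.fc naming which binaries the wildcard is meant to cover would make the widening reviewable.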
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index 3e34268..7e83596 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -1,5 +1,61 @@
 ## <summary>Run .NET server and client applications on Linux.</summary>
 
+#######################################
+## <summary>
+##	The role template for the mono module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for mono applications.
+##	</p>
+## </desc>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`mono_role_template',`
+	gen_require(`
+		type mono_exec_t;
+	')
+
+	type $1_mono_t;
+	domain_type($1_mono_t)
+	domain_entry_file($1_mono_t, mono_exec_t)
+	role $2 types $1_mono_t;
+
+	domain_interactive_fd($1_mono_t)
+	application_type($1_mono_t)
+
+	userdom_manage_tmpfs_role($2, $1_mono_t)
+
+	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+	allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+	domtrans_pattern($3, mono_exec_t, $1_mono_t)
+
+	fs_dontaudit_rw_tmpfs_files($1_mono_t)
+	corecmd_bin_domtrans($1_mono_t, $1_t)
+
+	optional_policy(`
+		xserver_role($1_r, $1_mono_t)
+	')
+')
+
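Review bot: `corecmd_bin_domtrans($1_mono_t, $1_t)` and `xserver_role($1_r, $1_mono_t)` near the end of mono_role_template derive the user type and role from the prefix, while the earlier rules in the same template use the `$2` role and `$3` user domain the caller passed in; `$1_t` is also not in the gen_require. This silently breaks any caller whose domain or role does not follow the `<prefix>_t` / `<prefix>_r` naming, so the rules should read `corecmd_bin_domtrans($1_mono_t, $3)` and `xserver_role($2, $1_mono_t)`. Separately, the template grants `$1_mono_t` self execheap/execmem/execstack and lets `$3` ptrace it without saying why; a comment above those two allow rules such as `# JIT code generation needs execmem/execheap/execstack; user domain may ptrace its own mono apps — confirm against audit logs` would help later audits. The same process permission set appears in the mono.te hunk for mono_t; noting that the two lists must stay in sync would avoid drift.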
 ########################################
 ## <summary>
 ##	Execute the mono program in the mono domain.
@@ -21,6 +77,31 @@ interface(`mono_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute mono in the mono domain, and
+##	allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the mono domain.
+##	</summary>
+## </param>
+#
+interface(`mono_run',`
+	gen_require(`
+		type mono_t;
+	')
+
+	mono_domtrans($1)
+	role $2 types mono_t;
+')
+
+########################################
+## <summary>
 ##	Execute the mono program in the caller domain.
 ## </summary>
 ## <param name="domain">
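Review bot: The mono_run documentation does not mention that mono_t is optionally unconfined (the mono.te hunk calls `unconfined_domain(mono_t)` inside an optional_policy block), so a module author granting a role mono_t via this interface is granting an unconfined transition on systems with the unconfined module loaded. A `<desc>` block after the summary, stating that mono_t is unconfined when the unconfined module is present, would make that consequence visible at the call site.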
@@ -31,9 +112,27 @@ interface(`mono_domtrans',`
 #
 interface(`mono_exec',`
 	gen_require(`
-		type mono_t, mono_exec_t;
+		type mono_exec_t;
 	')
 
 	corecmd_search_bin($1)
 	can_exec($1, mono_exec_t)
 ')
+
+########################################
+## <summary>
+##	Read and write to mono shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+	gen_require(`
+		type mono_t;
+	')
+
+	allow $1 mono_t:shm rw_shm_perms;
+')
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index 4a3d071..f458dd0 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
 
-policy_module(mono, 1.6.0)
+policy_module(mono, 1.6.1)
 
 ########################################
 #
@@ -8,6 +8,7 @@ policy_module(mono, 1.6.0)
 
 type mono_t;
 type mono_exec_t;
+application_type(mono_t)
 init_system_domain(mono_t, mono_exec_t)
 
 ########################################
@@ -15,11 +16,11 @@ init_system_domain(mono_t, mono_exec_t)
 # Local policy
 #
 
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
 
 init_dbus_chat_script(mono_t)
 
-userdom_user_home_dir_filetrans_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	avahi_dbus_chat(mono_t)
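Review bot: The widened `allow mono_t self:process { ptrace signal getsched execheap execmem execstack };` adds ptrace, signal, getsched and execstack with no comment explaining which mono behaviour needs them; execmem and execheap were already present, and execstack in particular extends the W^X exemption to the stack. A comment above the rule such as `# execmem/execheap/execstack: JIT-generated code; self ptrace/signal: runtime introspection — confirm from denials` would document the rationale. The identical permission set is granted to `$1_mono_t` in mono_role_template in mono.if, so the two lists should either be kept in sync explicitly or factored into one place.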
@@ -42,7 +43,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_domain_noaudit(mono_t)
+	unconfined_domain(mono_t)
 	unconfined_dbus_chat(mono_t)
 	unconfined_dbus_connect(mono_t)
 ')
+
+optional_policy(`
+	xserver_rw_shm(mono_t)
+')

