[selinux-policy: 2421/3172] Mono patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:34:50 UTC 2010
commit 1e0f483a180dab28d151f9fb2fff8d5de0de905a
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Feb 19 10:42:43 2010 -0500
Mono patch from Dan Walsh.
policy/modules/apps/mono.fc | 2 +-
policy/modules/apps/mono.if | 101 ++++++++++++++++++++++++++++++++++++++++++-
policy/modules/apps/mono.te | 13 ++++--
3 files changed, 110 insertions(+), 6 deletions(-)
---
diff --git a/policy/modules/apps/mono.fc b/policy/modules/apps/mono.fc
index bc1c679..b01bc91 100644
--- a/policy/modules/apps/mono.fc
+++ b/policy/modules/apps/mono.fc
@@ -1 +1 @@
-/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
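Review bot: `/usr/bin/mono.*` matches every entry under /usr/bin whose name begins with `mono`, because file-context patterns are implicitly anchored and `.*` accepts any suffix, so unrelated tools that merely share the prefix would also be labelled mono_exec_t and become domain-transition entry points for anything that calls mono_domtrans()/mono_run(). If only specific launchers need the label, spell out the accepted names instead of the open-ended suffix, e.g. `/usr/bin/mono(-SUFFIX)? -- gen_context(system_u:object_r:mono_exec_t,s0)` with SUFFIX replaced by the actual launcher suffixes (placeholder). The commit message does not say which additional binaries motivated the change, so a short note in the commit or a comment in the .fc would help a later reviewer judge the breadth.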
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index 3e34268..7e83596 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -1,5 +1,61 @@
## <summary>Run .NET server and client applications on Linux.</summary>
+#######################################
+## <summary>
+## The role template for the mono module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for mono applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`mono_role_template',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ type $1_mono_t;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t, mono_exec_t)
+ role $2 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+ application_type($1_mono_t)
+
+ userdom_manage_tmpfs_role($2, $1_mono_t)
+
+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+ allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+ domtrans_pattern($3, mono_exec_t, $1_mono_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+ corecmd_bin_domtrans($1_mono_t, $1_t)
+
+ optional_policy(`
+ xserver_role($1_r, $1_mono_t)
+ ')
+')
+
########################################
## <summary>
## Execute the mono program in the mono domain.
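Review bot: `corecmd_bin_domtrans($1_mono_t, $1_t)` and `xserver_role($1_r, $1_mono_t)` derive the user domain and role from the prefix instead of using the template's own `user_role` (`$2`) and `user_domain` (`$3`) parameters, so a caller whose role or domain does not follow the `<prefix>_r`/`<prefix>_t` naming gets rules written against types that may not exist, while the documented parameters are silently ignored for those two lines. Change them to `corecmd_bin_domtrans($1_mono_t, $3)` and `xserver_role($2, $1_mono_t)` so every rule in the template is driven by the same three arguments. The derived domain also receives `execstack` and self `ptrace` in its self:process rule with no comment on why a per-user mono domain needs them; a one-line comment naming the mono feature that requires them would help, as the same set appears in mono.te.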
@@ -21,6 +77,31 @@ interface(`mono_domtrans',`
########################################
## <summary>
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mono domain.
+## </summary>
+## </param>
+#
+interface(`mono_run',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ mono_domtrans($1)
+ role $2 types mono_t;
+')
+
+########################################
+## <summary>
## Execute the mono program in the caller domain.
## </summary>
## <param name="domain">
@@ -31,9 +112,27 @@ interface(`mono_domtrans',`
#
interface(`mono_exec',`
gen_require(`
- type mono_t, mono_exec_t;
+ type mono_exec_t;
')
corecmd_search_bin($1)
can_exec($1, mono_exec_t)
')
+
+########################################
+## <summary>
+## Read and write to mono shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index 4a3d071..f458dd0 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
-policy_module(mono, 1.6.0)
+policy_module(mono, 1.6.1)
########################################
#
@@ -8,6 +8,7 @@ policy_module(mono, 1.6.0)
type mono_t;
type mono_exec_t;
+application_type(mono_t)
init_system_domain(mono_t, mono_exec_t)
########################################
@@ -15,11 +16,11 @@ init_system_domain(mono_t, mono_exec_t)
# Local policy
#
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
init_dbus_chat_script(mono_t)
-userdom_user_home_dir_filetrans_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
avahi_dbus_chat(mono_t)
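Review bot: The widened self:process rule adds `ptrace`, `signal`, `getsched` and `execstack` to mono_t without a comment explaining which mono behaviour needs them; `execstack` in particular relaxes a memory-protection check that the previous `{ execheap execmem }` rule did not, and the commit message says nothing about it. Suggest a comment above the line, e.g. `# mono JIT needs execmem/execheap; execstack and self ptrace needed by MONO-FEATURE -- TODO confirm` (placeholder), so a later maintainer can tell whether each permission is still required. The same permission set is granted to every derived `$1_mono_t` by mono_role_template in mono.if, so the rationale applies there as well.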
@@ -42,7 +43,11 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain_noaudit(mono_t)
+ unconfined_domain(mono_t)
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
')
+
+optional_policy(`
+ xserver_rw_shm(mono_t)
+')
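Review bot: Switching to `unconfined_domain(mono_t)` makes the whole mono domain unconfined whenever the unconfined module is present, and nothing in mono.te records why the `_noaudit` variant was no longer sufficient; this file's own mono_run() and mono_domtrans() interfaces route other domains into mono_t, so their confinement effectively ends at that transition. A one-line comment above the optional_policy block, e.g. `# mono_t is fully unconfined when the unconfined module is loaded; domains entering via mono_domtrans()/mono_run() are not confined past that point`, would make the trade-off visible to anyone auditing the policy. The optional_policy block in question starts and ends inside this hunk.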