Benjy Grogan wrote:
> I'm trying to take a mono app from Extras and confine it using
> SELinux. At the moment it runs in the security context
> user_u:system_r:mono_t. I would like to create my own security
> context and run the mono app in that one.
> I've followed all the instructions at
> on 'How can I help
> write policy?' but it's useless if I don't have a domain for my
> I have read that you need to install the security contexts (as an rpm)
> before installing the rpm of the mono application. So I'm assuming
> that work has to be done to create a domain for the mono application,
> and then the mono application has to be forced to install in this

You do this by creating a file_type domain like myapp_exec_t and then
assigning that context to the executable.
Try using /usr/share/selinux/devel/policygentool to get started.

    /usr/share/selinux/devel/policygentool myapp pathtomyapp

and then answer a few questions. It will help you on your way to
writing a policy module.

> I'm not sure what makes an application run in the mono_t
> context to begin with, and how would I go about changing that?

The mono executable is labeled mono_exec_t. So all mono apps will get
that context. mono_t is the same as
unconfined_t except it does not complain about execstack and execmem.
fedora-selinux-list mailing list
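
A minimal policy module of the kind the reply describes, added here as an example; it is not from the thread and is not policygentool's output. The names myapp_t and myapp_exec_t, the launcher path /usr/bin/myapp, the calling domain unconfined_t and the role system_r (taken from the context quoted in the question) are assumptions.

```selinux
# ---- myapp.te : type enforcement (example, names are assumptions) ----
policy_module(myapp, 1.0.0)

require {
	type unconfined_t;	# assumed domain of the shell that starts the app
	role system_r;		# role seen in user_u:system_r:mono_t in the thread
}

# The process domain and the file type that marks its entry point.
type myapp_t;
type myapp_exec_t;
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)

# Let the role hold the new domain, otherwise the transition is denied.
role system_r types myapp_t;

# Executing a file labeled myapp_exec_t from unconfined_t enters myapp_t.
# This is the same mechanism that puts mono apps in mono_t via mono_exec_t.
domtrans_pattern(unconfined_t, myapp_exec_t, myapp_t)

# The thread notes mono_t tolerates execstack and execmem. Assumption: a
# domain that runs the mono runtime needs the same two permissions.
allow myapp_t self:process { execmem execstack };

# Everything else starts out denied. Add rules from the AVC denials the
# app produces in the audit log, one reviewed permission at a time.

# ---- myapp.fc : file contexts (example) ----
# Label the launcher so that running it triggers the transition above.
/usr/bin/myapp	--	gen_context(system_u:object_r:myapp_exec_t,s0)

# ---- build and load (run as root) ----
#   make -f /usr/share/selinux/devel/Makefile myapp.pp
#   semodule -i myapp.pp
#   restorecon -v /usr/bin/myapp
#   ls -Z /usr/bin/myapp        # confirm the file shows myapp_exec_t
#   ps -eZ | grep myapp         # confirm the process runs in myapp_t
```

If the process still shows mono_t, the file being executed is the mono binary itself (labeled mono_exec_t) rather than the launcher labeled myapp_exec_t.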