Confining a Mono Application Using SELinux
Daniel J Walsh
dwalsh at redhat.com
Mon Apr 17 11:21:07 UTC 2006
Benjy Grogan wrote:
> Hello
>
> I'm trying to take a mono app from Extras and confine it using
> SELinux. At the moment it runs in the security context
> user_u:system_r:mono_t. I would like to create my own security
> context and run the mono app in that one.
>
> I've followed all the instructions at
> <http://fedora.redhat.com/docs/selinux-faq-fc5/> on 'How can I help
> write policy?' but it's useless if I don't have a domain for my
> application.
>
> I have read that you need to install the security contexts (as an rpm)
> before installing the rpm of the mono application. So I'm assuming
> that work has to be done to create a domain for the mono application,
> and then the mono application has to be forced to install in this
> domain.
>
You do this by creating a file_type domain like myapp_exec_t and then
assigning that context to the executable.
Try using /usr/share/selinux/devel/policygentool to get started.
/usr/share/selinux/devel/policygentool myapp pathtomyapp
and then answer a few questions. It will help you on your way to
writing a policy module.
Dan
> I'm not sure what makes an application run in the mono_t security
> context to begin with, and how would I go about changing that?
>
>
The mono executable is labeled mono_exec_t. So all mono apps will get
that context. mono_t is the same as
unconfined_t except it does not complain about execstack and execmem.
> Benjy
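The approach described in the reply (a process domain, an entry-point file type, and that type assigned to the executable) is sketched below as an added example; it is not part of the original message and not the output of policygentool. The module name myapp, the launcher path /usr/bin/myapp, the helper function names and the choice of refpolicy macros are assumptions.

```shell
#!/bin/sh
# Added example: skeleton policy module for a hypothetical app "myapp".
# Names, paths and the refpolicy macros chosen here are assumptions.

# write_skeleton DIR NAME EXEC_PATH: emit NAME.te and NAME.fc into DIR.
write_skeleton() {
    dir=$1 name=$2 exec_path=$3
    mkdir -p "$dir" || return 1
    cat > "$dir/$name.te" <<EOF
policy_module($name, 1.0.0)

require {
	type unconfined_t;
	role system_r;
}

# Process domain, and the file type that is its entry point.
type ${name}_t;
type ${name}_exec_t;
domain_type(${name}_t)
domain_entry_file(${name}_t, ${name}_exec_t)

# Role taken from the context quoted in the thread (user_u:system_r:mono_t).
role system_r types ${name}_t;

# Executing a ${name}_exec_t file from unconfined_t starts ${name}_t.
domtrans_pattern(unconfined_t, ${name}_exec_t, ${name}_t)
EOF
    # File-context entry: label the executable with the entry-point type.
    printf '%s\t--\tgen_context(system_u:object_r:%s_exec_t,s0)\n' \
        "$exec_path" "$name" > "$dir/$name.fc"
}

# build_and_install DIR NAME EXEC_PATH: compile with the devel Makefile,
# load the module, then relabel the executable from the new .fc entry.
build_and_install() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$2.pp" ) &&
    semodule -i "$1/$2.pp" &&
    restorecon -v "$3"
}
```

A domain created this way has almost no permissions of its own, so expect AVC denials in the audit log the first time the application runs under it.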