Confining a Mono Application Using SELinux

Daniel J Walsh dwalsh at
Mon Apr 17 11:21:07 UTC 2006

Benjy Grogan wrote:
> Hello
> I'm trying to take a mono app from Extras and confine it using
> SELinux.  At the moment it runs in the security context
> user_u:system_r:mono_t.  I would like to create my own security
> context and run the mono app in that one.
> I've followed all the instructions at
> <> on 'How can I help
> write policy?' but it's useless if I don't have a domain for my
> application.
> I have read that you need to install the security contexts (as an rpm)
> before installing the rpm of the mono application.  So I'm assuming
> that work has to be done to create a domain for the mono application,
> and then the mono application has to be forced to install in this
> domain.
You do this by create a file_type domain like myapp_exec_t and then 
assiging that context to the executable.

Try using /usr/share/selinux/devel/policygentool  to get started.

/usr/share/selinux/devel/policygentool myapp pathtomyapp

and then answer a few questions.  It will help you on your way to 
writing a policy module.

> I'm not sure what makes an application run in the mono_t security
> context to begin with, and how would I go about changing that?
The mono executable is labeled mono_exec_t.  So all mono apps will get 
that context.  mono_t is the same as
uncofined_t except it does not complain about execstack and execmem.

> Benjy
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at

More information about the fedora-selinux-list mailing list