diff --git a/policy/modules/apps/mono.fc b/policy/modules/apps/mono.fc
index bc1c679cc..b01bc9131 100644
--- a/policy/modules/apps/mono.fc
+++ b/policy/modules/apps/mono.fc
@@ -1 +1 @@
-/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index 3e3426807..7e835967c 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -1,5 +1,61 @@
## Run .NET server and client applications on Linux.
+#######################################
+##
+## The role template for the mono module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for mono applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`mono_role_template',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ type $1_mono_t;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t, mono_exec_t)
+ role $2 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+ application_type($1_mono_t)
+
+ userdom_manage_tmpfs_role($2, $1_mono_t)
+
+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+ allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+ domtrans_pattern($3, mono_exec_t, $1_mono_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+ corecmd_bin_domtrans($1_mono_t, $1_t)
+
+ optional_policy(`
+ xserver_role($1_r, $1_mono_t)
+ ')
+')
+
########################################
##
## Execute the mono program in the mono domain.
@@ -19,6 +75,31 @@ interface(`mono_domtrans',`
domtrans_pattern($1, mono_exec_t, mono_t)
')
+########################################
+##
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the mono domain.
+##
+##
+#
+interface(`mono_run',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ mono_domtrans($1)
+ role $2 types mono_t;
+')
+
########################################
##
## Execute the mono program in the caller domain.
@@ -31,9 +112,27 @@ interface(`mono_domtrans',`
#
interface(`mono_exec',`
gen_require(`
- type mono_t, mono_exec_t;
+ type mono_exec_t;
')
corecmd_search_bin($1)
can_exec($1, mono_exec_t)
')
+
+########################################
+##
+## Read and write to mono shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index 4a3d0716d..f458dd077 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
-policy_module(mono, 1.6.0)
+policy_module(mono, 1.6.1)
########################################
#
@@ -8,6 +8,7 @@ policy_module(mono, 1.6.0)
type mono_t;
type mono_exec_t;
+application_type(mono_t)
init_system_domain(mono_t, mono_exec_t)
########################################
@@ -15,11 +16,11 @@ init_system_domain(mono_t, mono_exec_t)
# Local policy
#
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
init_dbus_chat_script(mono_t)
-userdom_user_home_dir_filetrans_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
avahi_dbus_chat(mono_t)
@@ -42,7 +43,11 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain_noaudit(mono_t)
+ unconfined_domain(mono_t)
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
')
+
+optional_policy(`
+ xserver_rw_shm(mono_t)
+')