--- nsaserefpolicy/policy/modules/apps/mono.if	2008-08-07 11:15:02.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/apps/mono.if	2008-08-14 13:53:54.000000000 -0400
@@ -21,7 +21,106 @@
 
 ########################################
 ## <summary>
-##	Execute the mono program in the caller domain.
+##	Read and write to mono shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+	gen_require(`
+		type mono_t;
+	')
+
+	allow $1 mono_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Execute mono in the mono domain, and
+##	allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the mono domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the mono domain to use.
+##	</summary>
+## </param>
+#
+interface(`mono_run',`
+	gen_require(`
+		type mono_t;
+	')
+
+	mono_domtrans($1)
+	role $2 types mono_t;
+	allow mono_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##	The per role template for the mono module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for mono applications.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`mono_per_role_template',`
+	gen_require(`
+		type mono_exec_t;
+	')
+
+	type $1_mono_t;
+	domain_type($1_mono_t)
+	domain_entry_file($1_mono_t, mono_exec_t)
+	role $3 types $1_mono_t;
+
+	domain_interactive_fd($1_mono_t)
+
+	userdom_unpriv_usertype($1, $1_mono_t)
+
+	allow $1_mono_t self:process { ptrace signal getsched execheap execmem };
+	allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+	domtrans_pattern($2, mono_exec_t, $1_mono_t)
+
+	fs_dontaudit_rw_tmpfs_files($1_mono_t)
+	corecmd_bin_domtrans($1_mono_t, $1_t)
+')
+
+########################################
+## <summary>
+##	Execute the mono program in the mono domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -31,7 +130,7 @@
 #
 interface(`mono_exec',`
 	gen_require(`
-		type mono_t, mono_exec_t;
+		type mono_exec_t;
 	')
 
 	corecmd_search_bin($1)
--- nsaserefpolicy/policy/modules/apps/mono.te	2008-08-07 11:15:02.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/apps/mono.te	2008-08-14 13:53:54.000000000 -0400
@@ -15,7 +15,7 @@
 # Local policy
 #
 
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { ptrace signal getsched execheap execmem };
 
 unprivuser_home_dir_filetrans_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
 
@@ -46,3 +46,7 @@
 	unconfined_dbus_chat(mono_t)
 	unconfined_dbus_connect(mono_t)
 ')
+
+optional_policy(`
+	xserver_xdm_rw_shm(mono_t)
+')