On 08/02/2014 05:57 AM, Robert Horovitz wrote:
> Why is libcap-ng not postponed until #1103622 is fixed? (which
> probably won't be tomorrow)
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1103622
Over a month later sandboxes are still broken.
Will this be fixed sometime this year or is the SELinux sandbox feature
dead for real?
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

There is a change to the kernel that is making its way upstream that
should allow us to fix the feature.
Basically right now, a file to libaudit forces us to turn off the
ability for the sandboxed apps to run setuid programs; this also causes
the kernel to prevent SELinux from execute/transition. We have a patch
to the kernel that will allow processes to execute/transition to a
different domain even if setuid is blocked, IFF the app is allowed to
transition internally.
Once this is enabled we can change the policy to allow transitioning to
work again.
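The reply above describes the kernel behaviour behind the breakage: once a process has given up the ability to run setuid programs, the kernel also refuses SELinux domain transitions on exec. The Linux facility that has exactly those two effects is the per-task no_new_privs flag (prctl(PR_SET_NO_NEW_PRIVS)); assuming, as the thread implies, that this is what the libcap-ng/libaudit change switches on, the following added example (not code from the thread, from libcap-ng, or from the kernel patch being discussed) shows how a sandbox launcher would set the flag, how to read it back from prctl and from /proc/self/status, and that it is irreversible and inherited by every child. The checks are run in a forked child so the calling process is not itself locked down.

```c
/* Added example: exercise the no_new_privs flag (PR_SET_NO_NEW_PRIVS).
 * Not from the mailing-list thread, libcap-ng or the kernel; Linux-only. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Current no_new_privs state of the calling process: 1 set, 0 clear, -1 error. */
int nnp_get(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set no_new_privs. Irreversible: from now on execve() of a setuid/setgid
 * binary runs it without the uid/gid change, and SELinux refuses a domain
 * transition on exec unless policy explicitly allows it under nnp. */
int nnp_set(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Value of the "NoNewPrivs:" line in /proc/self/status; -1 if missing. */
int nnp_from_proc_status(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int val = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            val = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return val;
}

/* Bits returned by run_nnp_demo(). NNP_REQUIRED holds regardless of whether
 * the caller already had the flag set (e.g. inside a hardened container). */
enum {
    NNP_INITIALLY_CLEAR = 1 << 0,
    NNP_SET_OK          = 1 << 1,
    NNP_GET_AFTER_SET   = 1 << 2,
    NNP_PROC_SHOWS_SET  = 1 << 3,
    NNP_INHERITED       = 1 << 4,
    NNP_REQUIRED        = NNP_SET_OK | NNP_GET_AFTER_SET |
                          NNP_PROC_SHOWS_SET | NNP_INHERITED,
    NNP_ALL             = NNP_REQUIRED | NNP_INITIALLY_CLEAR,
};

/* Run the checks in a forked child so the caller's process stays untouched.
 * Returns the bitmask above, or -1 if fork/wait failed. */
int run_nnp_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int flags = 0;
        if (nnp_get() == 0)
            flags |= NNP_INITIALLY_CLEAR;
        if (nnp_set() == 0)
            flags |= NNP_SET_OK;
        if (nnp_get() == 1)
            flags |= NNP_GET_AFTER_SET;
        if (nnp_from_proc_status() == 1)
            flags |= NNP_PROC_SHOWS_SET;
        /* The flag is inherited: a grandchild forked now already has it. */
        pid_t gc = fork();
        if (gc == 0)
            _exit(nnp_get() == 1 ? 0 : 1);
        int gstatus = 0;
        if (gc > 0 && waitpid(gc, &gstatus, 0) == gc &&
            WIFEXITED(gstatus) && WEXITSTATUS(gstatus) == 0)
            flags |= NNP_INHERITED;
        _exit(flags);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int flags = run_nnp_demo();
    printf("no_new_privs checks: 0x%02x (all checks = 0x%02x)\n", flags, NNP_ALL);
    return (flags & NNP_REQUIRED) == NNP_REQUIRED ? 0 : 1;
}
```

Whether a domain transition is still permitted once the flag is set is decided by the SELinux policy and the kernel version, which is exactly what the patch in the reply is about; this example only shows the flag itself and why a sandbox launcher cannot simply clear it again after libcap-ng has set it.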