On 08/02/2014 05:57 AM, Robert Horovitz wrote:
> Why is libcap-ng not postponed until #1103622 is fixed? (which
> won't be tomorrow)
Over a month later sandboxes are still broken.
Will this be fixed sometime this year or is the SELinux sandbox feature
dead for real?
selinux mailing list
There is a change to the
kernel that is making its way upstream that
should allow us to fix the feature.
Basically right now, a file to libaudit forces us to turn off the
ability for the sandboxed apps to run setuid programs, this also causes
the kernel to prevent SELinux from execute/transition. We have a patch
to the kernel that will allow processes to execute/transition to a
different domain even if setuid is blocked, IFF the app is allowed to
Once this is enabled we can change the policy to allow transitioning to