On 08/02/2014 05:57 AM, Robert Horovitz wrote: There is a change to the kernel that is making its way upstream that should allow us to fix the feature. Basically right now, a file to libaudit forces us to turn off the ability for the sandboxed apps to run setuid programs, this also causes the kernel to prevent SELinux from execute/transition. We have a patch to the kernel that will allow processes to execute/transition to a different domain even if setuid is blocked, IFF the app is allowed to transition internally. Once this is enabled we can change the policy to allow transitioning to work again.