SELinux
Daniel J Walsh
dwalsh at redhat.com
Fri Jan 21 12:41:25 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/20/2011 05:12 PM, Jorge Fábregas wrote:
> On 01/20/2011 05:23 PM, Daniel J Walsh wrote:
>> yum install policycoreutils-sandbox
>
> Shouldn't this package be a dependency of the package
> policycoreutils-python (owner of sandbox)?
>
> --
> Jorge
There are two types of sandboxes. You can run the sandbox command
without the -X and it runs in "script mode". In this mode it allows the
application executed within the sandbox to read/write all file
descriptors passed in, but is not allowed to open any content.
cat untrusted.doc | sandbox filter.sh > /tmp/trusted.doc
For example would only allow filter.sh to read untrusted.doc, and write
trusted.doc. If filter.sh attempted to write to ~/.ssh/secrets SELinux
would block the access. If it attempted to write anywhere or to open
any files other then system files it would be blocked.
sandbox -X
on the other hand, attempts to create a desktop sandbox, and requires X
and lots of other functionality. So we ship the python script sandbox
in policycoreutils-python, so it can be used on server only
environments, while if you want to run sandbox -X you need to install
policycoreutils-sandbox which will require X.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk05fvUACgkQrlYvE4MpobM41QCgrga1O0pNSGNDxkE4pe0Niec7
b8YAn0X0NLa9icF/Ee6r2681ToGFSayQ
=x3Wx
-----END PGP SIGNATURE-----
More information about the users
mailing list