SANDBOX(8)                       User Commands                      SANDBOX(8)

NAME

       sandbox - Run cmd under an SELinux sandbox

SYNOPSIS

       sandbox [-C] [-d DPI] [-l level] [[-M | -X] -H homedir -T tempdir]
       [-I includefile] [-W windowmanager] [-w windowsize] [[-i file]...]
       [-t type] cmd

       sandbox [-C] [-d DPI] [-l level] [[-M | -X] -H homedir -T tempdir]
       [-I includefile] [-W windowmanager] [-w windowsize] [[-i file]...]
       [-t type] -S

DESCRIPTION

       Run the cmd application within a tightly confined SELinux domain. The
       default sandbox domain only allows the application to read and write
       stdin, stdout and any other file descriptors handed to it. It is not
       allowed to open any other files. The -M option will mount an alternate
       homedir and tmpdir to be used by the sandbox.

       If you have the policycoreutils-sandbox package installed, you can use
       the -X option and the -M option. sandbox -X allows you to run X
       applications within a sandbox. These applications will start up their
       own X Server and create a temporary home directory and /tmp. The
       default SELinux policy does not allow any capabilities or network
       access. It also prevents all access to the user's other processes and
       files. Files specified on the command line that are in the home
       directory or /tmp will be copied into the sandbox directories.

       If directories are specified with -H or -T, the directory will have its
       context modified with chcon(1) unless a level is specified with -l. If
       the MLS/MCS security level is specified, the user is responsible for
       setting the correct labels.

       -H, --homedir
              Use alternate homedir to mount over your home directory.
              Defaults to temporary. Requires -X or -M.

       -i, --include
              Copy this file into the appropriate temporary sandbox directory.
              This option can be repeated.

       -I, --includefile
              Copy all files listed in includefile into the appropriate
              temporary sandbox directories.

       -l, --level
              Specify the MLS/MCS Security Level to run the sandbox with.
              Defaults to random.

       -M, --mount
              Create a Sandbox with temporary files for $HOME and /tmp.

       -t, --type
              Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t
              for -X.

       -T, --tmpdir
              Use alternate temporary directory to mount on /tmp. Defaults to
              tmpfs. Requires -X or -M.

       -S, --session
              Run a full desktop session. Requires level, and home and tmpdir.

       -w, --windowsize
              Specifies the windowsize when creating an X based Sandbox. The
              default windowsize is 1000x700.

       -W, --windowmanager
              Select alternative window manager to run within sandbox -X.
              Defaults to /usr/bin/matchbox-window-manager.

       -X     Create an X based Sandbox for GUI apps, temporary files for
              $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t.

       -d, --dpi
              Set the DPI value for the sandbox X Server. Defaults to the
              current X Server DPI.

       -C, --capabilities
              Use capabilities within the sandbox. By default, applications
              executed within the sandbox will not be allowed to use
              capabilities (setuid apps). With the -C flag, programs can gain
              capabilities attached to executable files.
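
       The option rules above, written out as a pre-flight check, together
       with the stdin/stdout pattern the default domain expects. This is an
       added example, not part of the original manual page or of sandbox
       itself; the helper names are hypothetical, and the -M/-X exclusivity is
       read from the "[-M | -X]" notation in the SYNOPSIS.

```shell
#!/bin/sh
# Added example, not part of sandbox(8). Helper names are hypothetical.

# Pre-flight check of a sandbox option set against the rules in this page.
# Returns 0 when consistent, 1 otherwise (reason on stderr).
check_sandbox_opts() {
    mount=0 xwin=0 session=0 home='' tmp='' level=''
    OPTIND=1
    while getopts 'MXSCH:T:l:t:i:I:w:W:d:' opt "$@"; do
        case $opt in
            M) mount=1 ;;
            X) xwin=1 ;;
            S) session=1 ;;
            H) home=$OPTARG ;;
            T) tmp=$OPTARG ;;
            l) level=$OPTARG ;;
            C|t|i|I|w|W|d) ;;   # no cross-option rule stated for these
            *) return 1 ;;      # option not listed in the page
        esac
    done
    if [ "$mount" = 1 ] && [ "$xwin" = 1 ]; then
        echo "-M and -X are alternatives; pick one" >&2; return 1
    fi
    if [ "$session" = 1 ]; then
        # -S: "Requires level, and home and tmpdir". Whether -S also needs
        # -X or -M is not stated in the page, so that is not checked here.
        if [ -z "$level" ] || [ -z "$home" ] || [ -z "$tmp" ]; then
            echo "-S requires -l, -H and -T" >&2; return 1
        fi
    elif [ -n "$home$tmp" ] && [ "$mount" = 0 ] && [ "$xwin" = 0 ]; then
        echo "-H and -T require -X or -M" >&2; return 1
    fi
    if [ -n "$level" ] && [ -n "$home$tmp" ]; then
        # With -l, sandbox does not run chcon on the -H/-T directories.
        echo "note: -l given; label $home $tmp yourself" >&2
    fi
    return 0
}

# Default domain: the command may only use descriptors it is handed, so
# input and output are passed by redirection, never by file name.
# usage: sandboxed_filter INFILE OUTFILE cmd [args...]
sandboxed_filter() {
    src=$1; dst=$2; shift 2
    sandbox "$@" < "$src" > "$dst"
}
```

       Option parsing stops at the first non-option word, so the same
       argument list that will be passed to sandbox, cmd included, can be
       handed to check_sandbox_opts first.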

SEE ALSO

       runcon(1), seunshare(8), selinux(8)

AUTHOR

       This manual page was written by Dan Walsh <dwalsh@redhat.com> and
       Thomas Liu <tliu@fedoraproject.org>.

sandbox                            May 2010                         SANDBOX(8)