SANDBOX(8)                       User Commands                       SANDBOX(8)

NAME
       sandbox - Run cmd under an SELinux sandbox

SYNOPSIS
       sandbox [-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I
       includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [
       -t type ] cmd

       sandbox [-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I
       includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [
       -t type ] -S
DESCRIPTION
       Run the cmd application within a tightly confined SELinux domain.  The
       default sandbox domain only allows applications the ability to read and
       write stdin, stdout and any other file descriptors handed to it.  It is
       not allowed to open any other files.  The -M option will mount an
       alternate homedir and tmpdir to be used by the sandbox.

       If you have the policycoreutils-sandbox package installed, you can use
       the -X option and the -M option.  sandbox -X allows you to run X
       applications within a sandbox.  These applications will start up their
       own X server and create a temporary home directory and /tmp.  The
       default SELinux policy does not allow any capabilities or network
       access.  It also prevents all access to the user's other processes and
       files.  Files specified on the command line that are in the home
       directory or /tmp will be copied into the sandbox directories.

       If directories are specified with -H or -T, the directory will have its
       context modified with chcon(1) unless a level is specified with -l.  If
       the MLS/MCS security level is specified, the user is responsible for
       setting the correct labels.
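       The following script is an added example, not part of this manual
       page or of policycoreutils: it smoke-tests the two properties the
       description states for the default domain (inherited descriptors pass
       through, opening any other file is refused).  It assumes the sandbox
       wrapper is on PATH with SELinux enforcing; SANDBOX_CMD is the script's
       own knob, not a sandbox option.

```shell
#!/bin/sh
# Added example (not from sandbox(8)): check the default sandbox_t confinement.
#   1. data on stdin/stdout handed to cmd must pass through;
#   2. cmd must not be able to open a file by path on its own.
# Assumptions: policycoreutils' `sandbox` is on PATH and SELinux is enforcing.
# SANDBOX_CMD is this script's own variable (not a sandbox option): leave it
# unset to test the real wrapper, or set it to "" to run the checks unconfined
# and watch check 2 report that nothing blocked the open.
SANDBOX_CMD="${SANDBOX_CMD-sandbox}"

# Check 1: bytes written to an inherited descriptor must flow through the
# sandbox unchanged.  Returns 0 when the probe pattern comes back intact.
check_fd_passthrough() {
    got=$(printf 'fd-probe\n' | $SANDBOX_CMD cat 2>/dev/null)
    [ "$got" = "fd-probe" ]
}

# Check 2: opening a file by path must be refused inside the default domain
# (no -M/-X here, so nothing is copied into a sandbox home or /tmp).
# Returns 0 when the open was blocked, 1 when cmd read the file unconfined.
check_file_open_blocked() {
    probe=$(mktemp) || return 2          # constructed probe file
    printf 'must-not-be-readable\n' > "$probe"
    if $SANDBOX_CMD cat "$probe" >/dev/null 2>&1; then
        rm -f "$probe"; return 1
    fi
    rm -f "$probe"; return 0
}

# Prints one PASS/FAIL line per check; returns non-zero if either fails.
run_checks() {
    rc=0
    if check_fd_passthrough; then echo "PASS fd passthrough"
    else echo "FAIL fd passthrough"; rc=1; fi
    if check_file_open_blocked; then echo "PASS file open blocked"
    else echo "FAIL file open NOT blocked (cmd is not confined)"; rc=1; fi
    return $rc
}

# Run the report automatically only when the wrapper is actually installed.
command -v "$SANDBOX_CMD" >/dev/null 2>&1 && run_checks
```

       Running it with SANDBOX_CMD="" exercises the checks without the
       wrapper: check 1 passes and check 2 correctly reports the open was
       not blocked.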
37
       -H homedir
              Use alternate homedir to mount over your home directory.
              Defaults to temporary.  Requires -X or -M.

       -i file
              Copy this file into the appropriate temporary sandbox directory.
              This option can be repeated.

       -I inputfile
              Copy all files listed in inputfile into the appropriate
              temporary sandbox directories.

       -l level
              Specify the MLS/MCS security level to run the sandbox with.
              Defaults to random.

       -M     Create a sandbox with temporary files for $HOME and /tmp.

       -t type
              Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t
              for -X.

       -T tmpdir
              Use alternate temporary directory to mount on /tmp.  Defaults to
              tmpfs.  Requires -X or -M.

       -S     Run a full desktop session.  Requires a level, a homedir and a
              tmpdir.

       -w windowsize
              Specifies the windowsize when creating an X based sandbox.  The
              default windowsize is 1000x700.

       -W windowmanager
              Select alternative window manager to run within sandbox -X.
              Defaults to /usr/bin/matchbox-window-manager.

       -X     Create an X based sandbox for GUI apps, with temporary files for
              $HOME and /tmp and a secondary X server; defaults to sandbox_x_t.

       -c     Use control groups to control this copy of sandbox.  Specify
              parameters in /etc/sysconfig/sandbox.  Max memory usage and CPU
              usage are to be specified in percent.  You can specify which
              CPUs to use by numbering them 0,1,2... etc.

       -C     Use capabilities within the sandbox.  By default applications
              executed within the sandbox will not be allowed to use
              capabilities (setuid apps); with the -C flag, you can use
              programs requiring capabilities.
84
SEE ALSO
       runcon(1), seunshare(8), selinux(8)

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com> and
       Thomas Liu <tliu@fedoraproject.org>



sandbox                            May 2010                          SANDBOX(8)