SANDBOX(8)                       User Commands                      SANDBOX(8)


NAME

       sandbox - Run cmd under an SELinux sandbox

SYNOPSIS

       sandbox [-C] [-s] [-d DPI] [-l level] [[-M | -X] -H homedir -T tmpdir]
              [-R runuserdir] [-I includefile] [-W windowmanager]
              [-w windowsize] [[-i file]...] [-t type] cmd

       sandbox [-C] [-s] [-d DPI] [-l level] [[-M | -X] -H homedir -T tmpdir]
              [-R runuserdir] [-I includefile] [-W windowmanager]
              [-w windowsize] [[-i file]...] [-t type] -S

DESCRIPTION

       Run the cmd application within a tightly confined SELinux domain.  The
       default sandbox domain only allows applications the ability to read and
       write stdin, stdout and any other file descriptors handed to it.  It is
       not allowed to open any other files.  The -M option will mount an
       alternate homedir and tmpdir to be used by the sandbox.

       If you have the policycoreutils-sandbox package installed, you can use
       the -X option and the -M option.  sandbox -X allows you to run X
       applications within a sandbox.  These applications will start up their
       own X server and create a temporary home directory and /tmp.  The
       default SELinux policy does not allow any capabilities or network
       access.  It also prevents all access to the user's other processes and
       files.  Files specified on the command line that are in the home
       directory or /tmp will be copied into the sandbox directories.

       If directories are specified with -H or -T, the directory will have its
       context modified with chcon(1) unless a level is specified with -l.  If
       the MLS/MCS security level is specified, the user is responsible for
       setting the correct labels.

       -h --help
              display usage message

       -H --homedir
              Use alternate homedir to mount over your home directory.
              Defaults to temporary.  Requires -X or -M.

       -i --include
              Copy this file into the appropriate temporary sandbox directory.
              Option can be repeated.

       -I --includefile
              Copy all files listed in includefile into the appropriate
              temporary sandbox directories.

       -l --level
              Specify the MLS/MCS security level to run the sandbox with.
              Defaults to random.

       -M --mount
              Create a sandbox with temporary files for $HOME and /tmp.

       -s --shred
              Shred temporary files created in $HOME and /tmp before deleting
              them.

       -t --type
              Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t
              for -X.

              Examples:
              sandbox_t            - No X, no network access, no opening of
                                     files, read/write on passed-in file
                                     descriptors.
              sandbox_min_t        - No network access
              sandbox_x_t          - Ports for X applications to run locally
              sandbox_web_t        - Ports required for web browsing
              sandbox_net_t        - Network ports (for server software)
              sandbox_net_client_t - All network ports

       -T --tmpdir
              Use alternate temporary directory to mount on /tmp.  Defaults to
              tmpfs.  Requires -X or -M.

       -R --runuserdir
              Use alternate temporary directory to mount on XDG_RUNTIME_DIR
              (/run/user/$UID).

       -S --session
              Run a full desktop session.  Requires a level (-l), a homedir
              (-H) and a tmpdir (-T).

       -w --windowsize
              Specifies the window size when creating an X based sandbox.  The
              default window size is 1000x700.

       -W --windowmanager
              Select alternative window manager to run within sandbox -X.
              Defaults to /usr/bin/matchbox-window-manager.

       -X     Create an X based sandbox for GUI apps, with temporary files for
              $HOME and /tmp and a secondary X server; defaults to sandbox_x_t.

       -d --dpi
              Set the DPI value for the sandbox X server.  Defaults to the
              current X server's DPI.

       -C --capabilities
              Use capabilities within the sandbox.  By default applications
              executed within the sandbox will not be allowed to use
              capabilities (setuid apps); with the -C flag, you can run
              programs requiring capabilities.

SEE ALSO

       runcon(1), seunshare(8), selinux(8)

EXAMPLE

       Run a graphical application inside the sandbox
       # sandbox -X evince

       Run a graphical application that requires the use of the network
       # sandbox -X -t sandbox_web_t firefox

       Preserve data from one session to the next
       # mkdir -p ~/sandbox/home ~/sandbox/tmp
       # sandbox -H ~/sandbox/home -T ~/sandbox/tmp -X libreoffice --writer

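       The following wrapper is an added example and is not part of sandbox(8)
       or the policycoreutils project.  It combines the -X, -s, -t, -H and -T
       options above into persistent per-application profiles; the function
       names, the SANDBOX_ROOT and DRY_RUN variables and the default profile
       location (~/sandbox, taken from the example above) are assumptions of
       this example.

```shell
# Added example; not part of sandbox(8) or the policycoreutils project.
# Each profile keeps its own home and tmp under $SANDBOX_ROOT (assumed default
# ~/sandbox, the path used in the EXAMPLE section) so data survives between
# sessions, -s shreds the temporary copies on exit, and the sandbox type is
# chosen from a coarse network need.  No -l is passed, so sandbox relabels the
# directories with chcon(1) itself instead of leaving that to the user.

# Map a network need for a GUI application to one of the types listed under -t.
sandbox_type_for() {
    case "$1" in
        x)      echo sandbox_x_t ;;          # X only, no network
        web)    echo sandbox_web_t ;;        # ports required for web browsing
        client) echo sandbox_net_client_t ;; # all network ports
        *)      return 1 ;;
    esac
}

# Directory holding a profile's persistent home and tmp (assumed layout).
profile_root() {
    printf '%s/%s\n' "${SANDBOX_ROOT:-$HOME/sandbox}" "$1"
}

# Usage: run_profile PROFILE NEED CMD [ARGS...]
# Creates the profile's home and tmp with mode 0700 (they hold the
# application's data) and runs CMD in an X sandbox of the matching type.
# With DRY_RUN=1 the command line is printed instead of executed, so it can
# be inspected on a host without SELinux.
run_profile() {
    profile=$1
    need=$2
    shift 2
    type=$(sandbox_type_for "$need") || {
        echo "run_profile: unknown network need '$need' (x|web|client)" >&2
        return 2
    }
    root=$(profile_root "$profile")
    mkdir -p -m 0700 "$root/home" "$root/tmp" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s' sandbox
        printf ' %s' -s -X -t "$type" -H "$root/home" -T "$root/tmp" "$@"
        printf '\n'
        return 0
    fi
    sandbox -s -X -t "$type" -H "$root/home" -T "$root/tmp" "$@"
}

# Example invocation: run_profile browsing web firefox
```

       Because the profile directories are created without -l, sandbox
       relabels them on each run; pass -l only if you are prepared to set the
       MLS/MCS labels on those directories yourself.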

AUTHOR

       This manual page was written by Dan Walsh <dwalsh@redhat.com> and
       Thomas Liu <tliu@fedoraproject.org>

sandbox                            May 2010                         SANDBOX(8)