sandbox_selinux(8)          SELinux Policy sandbox          sandbox_selinux(8)

NAME

       sandbox_selinux - Security Enhanced Linux Policy for the sandbox
       processes

DESCRIPTION

       Security-Enhanced Linux secures the sandbox processes via flexible
       mandatory access control.

       The sandbox processes execute with the sandbox_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep sandbox_t

ENTRYPOINTS

       The sandbox_t SELinux type can be entered via the file_type file type.

       The default entrypoint paths for the sandbox_t domain are the
       following:

       all files on the system

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       sandbox policy is very flexible, allowing users to set up their sandbox
       processes in as secure a method as possible.

       The following process types are defined for sandbox:

       sandbox_x_client_t, sandbox_net_client_t, sandbox_xserver_t,
       sandbox_x_t, sandbox_web_client_t, sandbox_min_t, sandbox_net_t,
       sandbox_web_t, sandbox_min_client_t, sandbox_t

       Note: semanage permissive -a sandbox_t can be used to make the process
       type sandbox_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.
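       Added example (not part of the generated manual page): an inventory of
       every process type listed above, read from the type field of the label
       rather than by grepping the whole line, so a command that merely has
       sandbox_t in its name is not counted. The ps output is a constructed
       sample and the function names are hypothetical.

```shell
#!/bin/sh
# Process types copied from the list in this manual page.
SANDBOX_DOMAINS="sandbox_t sandbox_min_t sandbox_min_client_t sandbox_net_t \
sandbox_net_client_t sandbox_web_t sandbox_web_client_t sandbox_x_t \
sandbox_x_client_t sandbox_xserver_t"

# Constructed sample of `ps -eZ` output (not captured from a real system).
sample_ps() {
cat <<'EOF'
LABEL                                                   PID TTY      TIME CMD
system_u:system_r:init_t:s0                               1 ?    00:00:02 init
unconfined_u:unconfined_r:sandbox_t:s0:c12,c345        4101 pts/0 00:00:00 cat
unconfined_u:unconfined_r:sandbox_web_t:s0:c7,c900     4188 ?    00:00:05 firefox
unconfined_u:unconfined_r:sandbox_web_client_t:s0:c7,c900 4190 ? 00:00:01 plugin
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  4200 pts/1 00:00:00 sandbox_test
EOF
}

# Reads `ps -eZ` output on stdin and prints "type pid command" for each
# process whose SELinux type is one of the sandbox domains.
list_sandbox_procs() {
    awk -v domains="$SANDBOX_DOMAINS" '
        BEGIN { n = split(domains, d, " ")
                for (i = 1; i <= n; i++) want[d[i]] = 1 }
        NR > 1 {
            split($1, ctx, ":")        # user:role:type:level[:categories]
            if (ctx[3] in want) print ctx[3], $2, $NF
        }'
}

# Number of sandbox-family processes in the input.
count_sandbox_procs() { list_sandbox_procs | wc -l | tr -d ' '; }

# On a live system: ps -eZ | list_sandbox_procs
sample_ps | list_sandbox_procs
```

       PID 4200 runs in unconfined_t and is skipped, although
       grep sandbox_t would have matched its command name.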

BOOLEANS

       SELinux policy is customizable based on least access required. sandbox
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sandbox with the tightest access
       possible.

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1
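       Added example (not part of the generated manual page): a drift check
       that compares getsebool -a output with the defaults stated in this
       section and reports every boolean that differs or is absent. The
       getsebool output is a constructed sample and the function names are
       hypothetical.

```shell
#!/bin/sh
# Defaults as stated in this manual page ("Enabled/Disabled by default").
DOCUMENTED_DEFAULTS="allow_domain_fd_use=on allow_ptrace=off \
domain_kernel_load_modules=off fips_mode=on global_ssp=off"

# Constructed sample of `getsebool -a` output (not from a real system).
sample_getsebool() {
cat <<'EOF'
allow_domain_fd_use --> on
allow_ptrace --> on
domain_kernel_load_modules --> off
fips_mode --> on
global_ssp --> off
httpd_can_network_connect --> off
EOF
}

# Reads `getsebool -a` output on stdin. Prints "name current default" for
# each documented boolean whose state differs from the documented default,
# and "name missing default" for one that does not appear in the input.
boolean_drift() {
    awk -v defaults="$DOCUMENTED_DEFAULTS" '
        BEGIN { n = split(defaults, p, " ")
                for (i = 1; i <= n; i++) { split(p[i], kv, "="); def[kv[1]] = kv[2] } }
        $2 == "-->" && ($1 in def) {
            seen[$1] = 1
            if ($3 != def[$1]) print $1, $3, def[$1]
        }
        END { for (b in def) if (!(b in seen)) print b, "missing", def[b] }'
}

# On a live system: getsebool -a | boolean_drift
sample_getsebool | boolean_drift
```

       In the sample, allow_ptrace is the only line reported: it is on while
       the documented default is off.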

MANAGED FILES

       The SELinux process type sandbox_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process UID still needs to have DAC
       permissions.

       initrc_tmp_t

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       sandbox_file_t

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux sandbox policy is very flexible, allowing users to set up their
       sandbox processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for the sandbox. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t sandbox_xserver_tmpfs_t '/srv/mysandbox_content(/.*)?'
       restorecon -R -v /srv/mysandbox_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for sandbox:

       sandbox_devpts_t

       - Set files with the sandbox_devpts_t type, if you want to treat the
       files as sandbox devpts data.

       sandbox_exec_t

       - Set files with the sandbox_exec_t type, if you want to transition an
       executable to the sandbox_t domain.

       sandbox_file_t

       - Set files with the sandbox_file_t type, if you want to treat the
       files as sandbox content.

       sandbox_min_client_tmpfs_t

       - Set files with the sandbox_min_client_tmpfs_t type, if you want to
       store sandbox min client files on a tmpfs file system.

       sandbox_net_client_tmpfs_t

       - Set files with the sandbox_net_client_tmpfs_t type, if you want to
       store sandbox net client files on a tmpfs file system.

       sandbox_web_client_tmpfs_t

       - Set files with the sandbox_web_client_tmpfs_t type, if you want to
       store sandbox web client files on a tmpfs file system.

       sandbox_x_client_tmpfs_t

       - Set files with the sandbox_x_client_tmpfs_t type, if you want to
       store sandbox x client files on a tmpfs file system.

       sandbox_xserver_tmpfs_t

       - Set files with the sandbox_xserver_tmpfs_t type, if you want to store
       sandbox xserver files on a tmpfs file system.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
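       Added example (not part of the generated manual page) for the path
       patterns under MANAGED FILES and the semanage fcontext pattern above:
       file-context specifications are matched against the whole path, so
       this sketch tests candidate paths against a pattern before it is
       committed. grep -E -x stands in for the SELinux matcher, which is an
       assumption that holds for the patterns shown on this page; the paths
       are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# fcontext_matches PATTERN PATH: succeeds only when PATH matches the whole
# pattern, the way an anchored file-context specification is applied.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Reads candidate paths on stdin and prints those the pattern would cover.
covered_paths() {
    while IFS= read -r p; do
        if fcontext_matches "$1" "$p"; then printf '%s\n' "$p"; fi
    done
}

# Constructed candidate paths.
sample_paths() {
cat <<'EOF'
/srv/mysandbox_content
/srv/mysandbox_content/a/b.txt
/srv/mysandbox_content_old/file
/mnt
/mnt/usb
/mnt/usb/secret.txt
EOF
}

echo "covered by '/srv/mysandbox_content(/.*)?':"
sample_paths | covered_paths '/srv/mysandbox_content(/.*)?'
echo "covered by '/mnt(/[^/]*)?':"
sample_paths | covered_paths '/mnt(/[^/]*)?'
```

       The /srv pattern covers the directory and everything below it but not
       the sibling /srv/mysandbox_content_old, and the mnt_t pattern stops
       one level below /mnt.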

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), sandbox(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), sandbox_min_selinux(8), sandbox_min_client_selinux(8),
       sandbox_net_selinux(8), sandbox_net_client_selinux(8),
       sandbox_web_selinux(8), sandbox_web_client_selinux(8),
       sandbox_x_selinux(8), sandbox_x_client_selinux(8),
       sandbox_xserver_selinux(8)



sandbox                            15-06-03                 sandbox_selinux(8)