sandbox_selinux(8)          SELinux Policy sandbox          sandbox_selinux(8)

NAME

       sandbox_selinux - Security Enhanced Linux Policy for the sandbox
       processes


DESCRIPTION

       Security-Enhanced Linux secures the sandbox processes via flexible
       mandatory access control.

       The sandbox processes execute with the sandbox_t SELinux type.  You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep sandbox_t


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files.  SELinux
       sandbox policy is very flexible, allowing users to set up their sandbox
       processes as securely as possible.

       The following process types are defined for sandbox:

       sandbox_t, sandbox_xserver_t, sandbox_min_t, sandbox_min_client_t,
       sandbox_x_t, sandbox_x_client_t, sandbox_web_t, sandbox_web_client_t,
       sandbox_net_t, sandbox_net_client_t

       Note: semanage permissive -a sandbox_t can be used to make the process
       type sandbox_t permissive.  SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


MCS Constrained

       The SELinux process type sandbox_t is an MCS (Multi Category Security)
       constrained type.  Sometimes this separation is referred to as sVirt.
       These types are usually used for securing multi-tenant environments,
       such as virtualization, containers or separation of users.  The tools
       used to launch MCS types pick out a different MCS label for each
       process group.

       For example, one process might be launched with sandbox_t:s0:c1,c2 and
       another process launched with sandbox_t:s0:c3,c4.  The SELinux kernel
       only allows these processes to write to content with a matching MCS
       label, or an MCS label of s0.  A process running with the MCS level of
       s0:c1,c2 is not allowed to write to content with the MCS label of
       s0:c3,c4.

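       An added example, not part of this generated man page: a POSIX shell
       check that applies the MCS rule above to a process context and a content
       context.  It generalizes the "matching label or s0" wording to the
       dominance check the MCS constraint enforces (every category on the
       content must be held by the process), so category ranges such as c0.c5
       are handled too; it checks only the MCS part of the context, not the
       type, and the contexts it is fed are constructed.

```shell
# Expand an MCS category spec such as "c1,c3.c5" into "c1 c3 c4 c5"
# (a "cA.cB" range means every category from A to B inclusive).
mcs_expand() {
    out=""
    oldifs=$IFS
    IFS=','
    for part in $1; do
        case "$part" in
            *.*)
                lo=${part%%.*}; hi=${part##*.}
                i=${lo#c}
                while [ "$i" -le "${hi#c}" ]; do
                    out="$out c$i"
                    i=$((i + 1))
                done
                ;;
            *) out="$out $part" ;;
        esac
    done
    IFS=$oldifs
    printf '%s\n' "${out#?}"    # drop the leading separator space
}

# Print the category part of a context, e.g. "c1,c2" for
# "unconfined_u:unconfined_r:sandbox_t:s0:c1,c2"; a bare "s0" level yields "".
mcs_cats() {
    level=${1#*:*:*:}      # drop user:role:type, keep "s0" or "s0:c1,c2"
    case "$level" in
        *:*) printf '%s\n' "${level#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# Succeed (exit 0) if a process with context $1 may write content with
# context $2: every category of the content must be held by the process.
# Plain s0 content has no categories, so any sandbox process may write it;
# s0:c3,c4 content is refused to a process running at s0:c1,c2.
mcs_can_write() {
    pcats=$(mcs_expand "$(mcs_cats "$1")")
    fcats=$(mcs_expand "$(mcs_cats "$2")")
    for c in $fcats; do
        case " $pcats " in
            *" $c "*) ;;        # category held by the process
            *) return 1 ;;      # category missing: write denied
        esac
    done
    return 0
}
```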

BOOLEANS

       SELinux policy is customizable based on least access required.  sandbox
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run sandbox with the tightest access possible.

       If you want to deny user domain applications the ability to map a memory
       region as both executable and writable, you must turn on the
       deny_execmem boolean.  Such a mapping is dangerous and the executable
       should be reported in bugzilla.  Enabled by default.

       setsebool -P deny_execmem 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean.  Enabled by default.

       setsebool -P fips_mode 1


MANAGED FILES

       The SELinux process type sandbox_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs to have DAC
       permissions.

       sandbox_file_t

       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux sandbox policy is very flexible, allowing users to set up their
       sandbox processes as securely as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for the sandbox.  If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t sandbox_xserver_tmpfs_t '/srv/mysandbox_content(/.*)?'
       restorecon -R -v /srv/mysandbox_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for sandbox:

       sandbox_devpts_t

       - Set files with the sandbox_devpts_t type, if you want to treat the
       files as sandbox devpts data.

       sandbox_exec_t

       - Set files with the sandbox_exec_t type, if you want to transition an
       executable to the sandbox_t domain.

       sandbox_file_t

       - Set files with the sandbox_file_t type, if you want to treat the
       files as sandbox content.

       sandbox_min_client_tmpfs_t

       - Set files with the sandbox_min_client_tmpfs_t type, if you want to
       store sandbox min client files on a tmpfs file system.

       sandbox_net_client_tmpfs_t

       - Set files with the sandbox_net_client_tmpfs_t type, if you want to
       store sandbox net client files on a tmpfs file system.

       sandbox_web_client_tmpfs_t

       - Set files with the sandbox_web_client_tmpfs_t type, if you want to
       store sandbox web client files on a tmpfs file system.

       sandbox_x_client_tmpfs_t

       - Set files with the sandbox_x_client_tmpfs_t type, if you want to
       store sandbox x client files on a tmpfs file system.

       sandbox_xserver_tmpfs_t

       - Set files with the sandbox_xserver_tmpfs_t type, if you want to store
       sandbox xserver files on a tmpfs file system.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command.  This will modify the SELinux labeling
       database.  You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), sandbox(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), sandbox_min_selinux(8),
       sandbox_min_client_selinux(8), sandbox_net_selinux(8),
       sandbox_net_client_selinux(8), sandbox_web_selinux(8),
       sandbox_web_client_selinux(8), sandbox_x_selinux(8),
       sandbox_x_client_selinux(8), sandbox_xserver_selinux(8)



sandbox                            19-05-30                 sandbox_selinux(8)