SANDBOX(8)                       User Commands                       SANDBOX(8)

NAME
       sandbox - Run cmd under an SELinux sandbox

SYNOPSIS
       sandbox [-C] [-s] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tmpdir ]
               [ -R runuserdir ] [-I includefile ] [ -W windowmanager ]
               [ -w windowsize ] [[-i file ]...] [ -t type ] cmd

       sandbox [-C] [-s] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tmpdir ]
               [ -R runuserdir ] [-I includefile ] [ -W windowmanager ]
               [ -w windowsize ] [[-i file ]...] [ -t type ] -S

DESCRIPTION
       Run the cmd application within a tightly confined SELinux domain. The
       default sandbox domain only allows applications the ability to read and
       write stdin, stdout and any other file descriptors handed to it. It is
       not allowed to open any other files. The -M option will mount an
       alternate homedir and tmpdir to be used by the sandbox.

       If you have the policycoreutils-sandbox package installed, you can use
       the -X option and the -M option. sandbox -X allows you to run X
       applications within a sandbox. These applications will start up their
       own X Server and create a temporary home directory and /tmp. The
       default SELinux policy does not allow any capabilities or network
       access. It also prevents all access to the user's other processes and
       files. Files specified on the command line that are in the home
       directory or /tmp will be copied into the sandbox directories.

       If directories are specified with -H or -T, the directory will have its
       context modified with chcon(1) unless a level is specified with -l. If
       the MLS/MCS security level is specified, the user is responsible for
       setting the correct labels.

       -h --help
              Display usage message.

       -H --homedir
              Use alternate homedir to mount over your home directory.
              Defaults to temporary. Requires -X or -M.

       -i --include
              Copy this file into the appropriate temporary sandbox directory.
              Option can be repeated.

       -I --includefile
              Copy all files listed in includefile into the appropriate
              temporary sandbox directories.

       -l --level
              Specify the MLS/MCS security level to run the sandbox with.
              Defaults to random.

       -M --mount
              Create a sandbox with temporary files for $HOME and /tmp.

       -s --shred
              Shred temporary files created in $HOME and /tmp before deleting
              them.

       -t --type
              Use alternate sandbox type; defaults to sandbox_t, or
              sandbox_x_t for -X.

              Examples:
                     sandbox_t - No X, no network access, no open; read/write
                     on passed-in file descriptors.
                     sandbox_min_t - No network access
                     sandbox_x_t - Ports for X applications to run locally
                     sandbox_web_t - Ports required for web browsing
                     sandbox_net_t - Network ports (for server software)
                     sandbox_net_client_t - All network ports

       -T --tmpdir
              Use alternate temporary directory to mount on /tmp. Defaults to
              tmpfs. Requires -X or -M.

       -R --runuserdir
              Use alternate temporary directory to mount on XDG_RUNTIME_DIR
              (/run/user/$UID).

       -S --session
              Run a full desktop session. Requires a level, a homedir and a
              tmpdir.

       -w --windowsize
              Specifies the window size when creating an X based sandbox. The
              default window size is 1000x700.

       -W --windowmanager
              Select alternative window manager to run within sandbox -X.
              Defaults to /usr/bin/matchbox-window-manager.

       -X     Create an X based sandbox for GUI apps, with temporary files for
              $HOME and /tmp and a secondary X Server; defaults to sandbox_x_t.

       -d --dpi
              Set the DPI value for the sandbox X Server. Defaults to the
              current X Server DPI.

       -C --capabilities
              Use capabilities within the sandbox. By default applications
              executed within the sandbox will not be allowed to use
              capabilities (setuid apps); with the -C flag, you can use
              programs requiring capabilities.
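       The option dependencies stated above (-H and -T require -X or -M; -S
       requires a level, a homedir and a tmpdir; with -l the caller, not
       sandbox, labels the directories) are easy to get wrong in scripts that
       launch untrusted tools. The following wrapper is an added example and
       is not part of this manual page or of policycoreutils: it checks those
       combinations before invoking sandbox(8). The function names, the
       SANDBOX_BIN variable and the SANDBOX_DRY_RUN switch are this example's
       own conventions, and the sample commands at the end are constructed.

```shell
#!/bin/sh
# Added example, not part of sandbox(8) or policycoreutils: a preflight
# wrapper that enforces the option dependencies the man page states and
# then builds the sandbox(8) command line. SANDBOX_BIN and SANDBOX_DRY_RUN
# are conventions of this example only.

SANDBOX_BIN="${SANDBOX_BIN:-/usr/bin/sandbox}"

# sandbox_preflight MODE LEVEL HOMEDIR TMPDIR SESSION
#   MODE    : "" (default sandbox_t confinement), "-M" or "-X"
#   LEVEL   : MLS/MCS level for -l, or "" to let sandbox pick a random one
#   HOMEDIR : directory for -H, or ""
#   TMPDIR  : directory for -T, or ""
#   SESSION : "yes" when -S will be used, "" otherwise
# Returns 0 when the combination is one sandbox(8) accepts, 1 otherwise.
sandbox_preflight() {
    pf_mode=$1 pf_level=$2 pf_home=$3 pf_tmp=$4 pf_session=$5

    # -H and -T are only honoured for a mounted sandbox (-M or -X).
    if [ -n "$pf_home$pf_tmp" ] && [ "$pf_mode" != "-M" ] && [ "$pf_mode" != "-X" ]; then
        echo "sandbox_preflight: -H/-T require -X or -M" >&2
        return 1
    fi

    # -S needs an explicit level plus both directories.
    if [ -n "$pf_session" ] && { [ -z "$pf_level" ] || [ -z "$pf_home" ] || [ -z "$pf_tmp" ]; }; then
        echo "sandbox_preflight: -S requires -l, -H and -T" >&2
        return 1
    fi

    # Directories handed to -H/-T must already exist.
    for pf_dir in "$pf_home" "$pf_tmp"; do
        if [ -n "$pf_dir" ] && [ ! -d "$pf_dir" ]; then
            echo "sandbox_preflight: $pf_dir is not a directory" >&2
            return 1
        fi
    done

    # With -l, sandbox skips chcon(1): remind the caller that labelling is theirs.
    if [ -n "$pf_level" ] && [ -n "$pf_home$pf_tmp" ]; then
        echo "sandbox_preflight: -l given, sandbox will not relabel -H/-T; verify with ls -Z" >&2
    fi
    return 0
}

# sandbox_run MODE LEVEL HOMEDIR TMPDIR TYPE CMD [ARG...]
# Runs the preflight checks, then assembles and executes the sandbox command.
# With SANDBOX_DRY_RUN set, prints the assembled command line instead.
sandbox_run() {
    sr_mode=$1 sr_level=$2 sr_home=$3 sr_tmp=$4 sr_type=$5
    shift 5
    sandbox_preflight "$sr_mode" "$sr_level" "$sr_home" "$sr_tmp" "" || return 1

    # "$@" on the right-hand side still holds CMD and its arguments, so the
    # sandbox options are prepended in a single step.
    set -- "$SANDBOX_BIN" \
        ${sr_mode:+"$sr_mode"} \
        ${sr_level:+-l "$sr_level"} \
        ${sr_home:+-H "$sr_home"} \
        ${sr_tmp:+-T "$sr_tmp"} \
        ${sr_type:+-t "$sr_type"} \
        "$@"

    if [ -n "$SANDBOX_DRY_RUN" ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# Constructed usage (requires SELinux and policycoreutils-sandbox to really run):
#   Feed an untrusted file to a filter in the default sandbox_t domain; stdin
#   is the only file access that domain grants, so the file is passed as a
#   descriptor rather than a path.
#     sandbox_run "" "" "" "" "" cat < untrusted.txt
#   Start a GUI program under sandbox_x_t with a fresh $HOME and /tmp.
#     sandbox_run -X "" "" "" sandbox_x_t xterm
```

       Keeping the checks in a separate function lets a launcher reject an
       unsupported combination before anything is mounted or relabelled, and
       the dry-run switch lets the assembled command line be reviewed on a
       host without SELinux.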

SEE ALSO
       runcon(1), seunshare(8), selinux(8)

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com> and
       Thomas Liu <tliu@fedoraproject.org>

sandbox                            May 2010                          SANDBOX(8)