[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

status sandbox support in policycoreutils

Hi, debian does not support the, in my opinion, highly useful
"sandbox" tool from selinux package policycoreutils.

It allows, for example, to run a sandboxed instance of a web-browser
with vulnerable plugins with a single line script.

selinux support is currently disabled with patch 0017-no-sandbox ("Do
not build or install sandbox related software, it requires a module
not in refpolicy")

Better SELinux support is a planned feature for debian jessie. Is
there any new development or declaration of intents on resolving bug
#668954 in order to add selinux sandbox support?

"it turns out sandbox REQUIRES the sandbox policy module to work. For
some reason the sandbox policy module isn't included in this package
or in any dependency"

"I can't get the policy for this written for Wheezy.  I've attached a policy
patch for a work in progress so anyone who is interested can work on it for
their own purposes.

I'll get this going post-Wheezy with a new policy tree from upstream.  For
Wheezy I think I'll just remove the sandbox program from policycoreutils as
there's no way of making it do anything useful."

Reply to: