status sandbox support in policycoreutils

To: debian-devel@lists.debian.org
Subject: status sandbox support in policycoreutils
From: Keivan Motavalli <motavalli.keivan@gmail.com>
Date: Mon, 9 Jun 2014 18:53:22 +0200
Message-id: <[🔎] CACvd5v+8EuKvs5gJ-xwnPUhE8MejQAnQ14TOFwVPViOXtTgFkg@mail.gmail.com>

Hi, debian does not support the, in my opinion, highly useful
"sandbox" tool from selinux package policycoreutils.

It allows, for example, to run a sandboxed instance of a web-browser
with vulnerable plugins with a single line script.

selinux support is currently disabled with patch 0017-no-sandbox ("Do
not build or install sandbox related software, it requires a module
not in refpolicy")

Better SELinux support is a planned feature for debian jessie. Is
there any new development or declaration of intents on resolving bug
#668954 in order to add selinux sandbox support?

"it turns out sandbox REQUIRES the sandbox policy module to work. For
some reason the sandbox policy module isn't included in this package
or in any dependency"

"I can't get the policy for this written for Wheezy.  I've attached a policy
patch for a work in progress so anyone who is interested can work on it for
their own purposes.

I'll get this going post-Wheezy with a new policy tree from upstream.  For
Wheezy I think I'll just remove the sandbox program from policycoreutils as
there's no way of making it do anything useful."

Reply to:

Follow-Ups:
- Re: status sandbox support in policycoreutils
  - From: Laurent Bigonville <bigon@debian.org>

Prev by Date: Re: Bug#750546: ITP: sluice -- rate limiting data piping tool
Next by Date: Re: status sandbox support in policycoreutils
Previous by thread: Bug#750984: ITP: libjopendocument-java -- pure Java library for OASIS Open Document files manipulation
Next by thread: Re: status sandbox support in policycoreutils
Index(es):
- Date
- Thread