NB SandBox

From SELinux Wiki

Sandbox Services

Fedora F-20 has support for three types of sandbox service: sandbox, sandbox -X and virt-sandbox.

sandbox - Runs a command in a tightly confined domain (sandbox_t by default, which permits no network access). There is also a good use-case with solutions at: http://opensource.com/education/12/8/harvard-goes-paas-selinux-sandbox that involves uploading information to web servers and access by staff and students.
sandbox -X - Allows isolation of X applications via nested Xephyr servers. For example running:
sandbox -t sandbox_web_t -i /path/to/user/home/dir/.mozilla -W metacity -X firefox
will load Firefox in an isolated X sandbox. The -t sandbox_web_t option selects a domain that permits outbound web connections (the default sandbox_x_t permits no network access), -W metacity selects the window manager for the nested X server, and -i copies the user's current .mozilla directory into the sandbox so that Firefox does not display the 'welcome to Firefox' page at start-up.
Red Hat use sandbox -X as the preferred alternative to XSELinux when using the targeted policy; this is because X clients that receive a permission denied from the X server will probably abort, as they expect full access to it.

Both of these sandbox services are described in the sandbox(8) man page and are available in the policycoreutils package. They make use of seunshare(8), which allows commands to be run in an alternate home directory, temp directory or security context. The sandbox.conf(5) file allows the sandbox name, CPU and memory usage to be configured. There is also a sandbox.init service that can be run at boot time to set up /var/tmp and /tmp as private mounts (mount --make-private), so that the per-sandbox home and temp directories that seunshare mounts are not visible to other processes.

Note that the sandbox services require MCS policy support as a minimum, as MCS categories are used to isolate multiple sandboxes from each other: each sandbox is given its own randomly chosen pair of categories (a level such as s0:cN,cM), so files created by one sandbox cannot be read by another. Issuing the following command will show the context, including the categories, that the sandboxed command runs in:

sandbox id -Z
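The isolation check described above, as an added example that is not part of the original page or of the policycoreutils sandbox tool: a POSIX shell script that parses the context printed by "sandbox id -Z" and confirms that two sandboxes received disjoint MCS category sets (disjoint sets mean neither level dominates the other, so neither sandbox can read the other's files). The context strings are constructed samples so that the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the SELinux Notebook: check that two sandboxes were
# given disjoint MCS categories by parsing the contexts "sandbox id -Z" prints.
# The contexts below are CONSTRUCTED samples so the script runs offline; on a
# real system replace them with, for example,
#   CTX_A=$(sandbox id -Z); CTX_B=$(sandbox id -Z)

CTX_A='unconfined_u:unconfined_r:sandbox_t:s0:c113,c857'       # constructed
CTX_B='unconfined_u:unconfined_r:sandbox_t:s0:c284,c590'       # constructed
CTX_SHARED='unconfined_u:unconfined_r:sandbox_t:s0:c113,c590'  # constructed: shares c113 with CTX_A
CTX_NOMCS='unconfined_u:unconfined_r:sandbox_t:s0'             # constructed: no categories

# Print the type field (3rd colon-separated field) of a context.
ctx_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Print the MCS category list (5th field, e.g. "c113,c857"); empty when the
# context carries only a sensitivity. Category ranges (cA.cB) are not expanded.
mcs_categories() {
    printf '%s\n' "$1" | awk -F: '{ print $5 }'
}

# Return 0 only when both contexts use a sandbox_* type and carry non-empty,
# disjoint category sets; otherwise print the reason and return 1.
check_isolated() {
    ci_ta=$(ctx_type "$1"); ci_tb=$(ctx_type "$2")
    ci_ca=$(mcs_categories "$1"); ci_cb=$(mcs_categories "$2")
    for t in "$ci_ta" "$ci_tb"; do
        case "$t" in
            sandbox_*) ;;
            *) echo "not a sandbox domain: $t"; return 1 ;;
        esac
    done
    if [ -z "$ci_ca" ] || [ -z "$ci_cb" ]; then
        echo "missing MCS categories (policy without MCS support?)"
        return 1
    fi
    # MCS grants access only when the subject's categories are a superset of
    # the object's. Requiring disjoint sets guarantees that neither level
    # dominates the other, so neither sandbox can read files the other created.
    for c in $(printf '%s\n' "$ci_ca" | tr ',' ' '); do
        case ",$ci_cb," in
            *",$c,"*) echo "shared category $c"; return 1 ;;
        esac
    done
    return 0
}

# Demonstration on the constructed samples.
for pair in "$CTX_A|$CTX_B" "$CTX_A|$CTX_SHARED" "$CTX_A|$CTX_NOMCS"; do
    first=${pair%%|*}; second=${pair#*|}
    if check_isolated "$first" "$second"; then
        echo "isolated:     $first vs $second"
    else
        echo "NOT isolated: $first vs $second"
    fi
done
```

Run it as-is to see the three sample pairs classified; on an SELinux host with the targeted (MCS) policy, capture two real contexts with sandbox id -Z and pass them to check_isolated instead of the constructed strings.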
virt-sandbox - This service is available in the libvirt-sandbox package and provides an API and command-line tools to start sandboxed sessions. There is currently limited policy support for virt-sandbox, as its primary aim is for developers to build services and provide the appropriate policy themselves.
The package is built on sVirt, which provides SELinux enforcement for virtualisation, with KVM/qemu or LXC providing the virtualisation environment. If KVM support is not available on the machine (it requires virtualisation support in the CPU, i.e. the Intel VT-x or AMD-V extensions), then LXC is the alternative to use [1].
An LXC example:
virt-sandbox -c lxc:/// /bin/sh
To run in enforcing mode, the following policy module was added for the targeted policy:
module lxc_example 1.0.0;

require {
    type svirt_t, virtd_lxc_t, root_t, bin_t, proc_net_t;
    type cache_home_t, user_home_t, boot_t, user_tmp_t;
    class unix_stream_socket { connectto };
    class chr_file { open read write ioctl getattr setattr };
    class file { read write open getattr entrypoint };
    class process { transition sigchld execmem };
    class filesystem getattr;
}

# libvirtd's LXC driver sets up the container and transitions into svirt_t
allow virtd_lxc_t root_t : chr_file { open read write ioctl setattr };
allow virtd_lxc_t root_t : file { write open };
allow virtd_lxc_t svirt_t : process { transition };

# the container process (svirt_t) is entered via /bin/sh and reports back
# to the LXC driver over its control socket
allow svirt_t bin_t : file { entrypoint };
allow svirt_t proc_net_t : file { read };
allow svirt_t virtd_lxc_t : unix_stream_socket { connectto };
allow svirt_t virtd_lxc_t : process { sigchld };
allow svirt_t cache_home_t : file { read getattr open };
allow svirt_t proc_net_t : file { getattr open };
allow svirt_t root_t : chr_file { read write ioctl open getattr };
allow svirt_t root_t : filesystem { getattr };
allow svirt_t user_home_t : file { read open };
that was built and installed as follows:
checkmodule -M -m lxc_example.conf -o lxc_example.mod
semodule_package -o lxc_example.pp -m lxc_example.mod
semodule -v -i lxc_example.pp


  1. Linux Containers (LXC) do not provide a virtual machine, but a virtual environment that has its own process and network namespaces.