SANDBOX(8) User Commands SANDBOX(8)
NAME
sandbox - Run cmd under an SELinux sandbox
SYNOPSIS
sandbox [-l level ] [[-M | -X] -H homedir -T tmpdir ] [-I includefile ] [[-i file ]...] [ -t type ] cmd
DESCRIPTION
Run the cmd application within a tightly confined SELinux domain. The
default sandbox domain only allows applications the ability to read and
write stdin, stdout and any other file descriptors handed to it. It is
not allowed to open any other files. The -M option will mount an
alternate homedir and tmpdir to be used by the sandbox.
If you have the policycoreutils-sandbox package installed, you can use
the -X option and the -M option. sandbox -X allows you to run sandboxed
X applications. These applications will start up their own X
Server and create a temporary homedir and /tmp. The default policy
does not allow any capabilities or network access. It also prevents
all access to the user's other processes and files. Any file specified
on the command line will be copied into the sandbox.
If directories are specified with -H or -T the directory will have its
context modified with chcon(1) unless a level is specified with -l. If
the MLS/MCS security level is specified, the directories need to have a
matching label.
-t type
Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t
for -X.
-i file
Copy this file into the appropriate temporary sandbox directory.
This option can be repeated.
-I inputfile
Copy all files listed in inputfile into the appropriate temporary
sandbox directories.
-l Specify the MLS/MCS Security Level to run the sandbox in.
Defaults to random.
-X Create an X based Sandbox for GUI apps, temporary files for
$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
-M Create a Sandbox with temporary files for $HOME and /tmp,
defaults to sandbox_t
-H homedir
Use alternate homedir to mount. Defaults to temporary. Requires
-X or -M.
-T tmpdir
Use alternate tempdir to mount. Defaults to temporary. Requires
-X or -M.
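Added example, not part of the original man page or the sandbox project: a shell wrapper that enforces the option rules above (-H and -T only with -M or -X) and, when a fixed level is passed with -l, checks that the directories already carry that level, since sandbox does not relabel them in that case. The function names, the DRY_RUN variable and the sample values are hypothetical; the check covers only the MLS/MCS level part of the label.

```sh
# Succeed if the MLS/MCS part of a context (user:role:type:level) equals LEVEL.
# The level may itself contain ':' (s0:c1,c2), so strip only three fields.
level_matches() {
    ctx=$1
    for i in 1 2 3; do ctx=${ctx#*:}; done
    [ "$ctx" = "$2" ]
}

# usage: confined_run MODE LEVEL HOMEDIR TMPDIR CMD [ARG...]
#   MODE is M, X or ""; LEVEL, HOMEDIR and TMPDIR may be "".
confined_run() {
    mode=$1 level=$2 home=$3 tmp=$4
    shift 4
    [ $# -ge 1 ] || { echo "cmd is required" >&2; return 2; }
    case $mode in
        M|X|"") ;;
        *) echo "MODE must be M, X or empty" >&2; return 2 ;;
    esac
    # -H and -T are only accepted together with -M or -X.
    if [ -z "$mode" ] && [ -n "$home$tmp" ]; then
        echo "-H/-T require -M or -X" >&2; return 2
    fi
    # With -l, sandbox does not relabel the directories; check them first.
    if [ -n "$level" ] && [ -z "$DRY_RUN" ]; then
        for d in "$home" "$tmp"; do
            [ -z "$d" ] || level_matches "$(stat -c %C "$d")" "$level" ||
                { echo "$d: level is not $level" >&2; return 3; }
        done
    fi
    [ -z "$tmp" ]   || set -- -T "$tmp" "$@"
    [ -z "$home" ]  || set -- -H "$home" "$@"
    [ -z "$mode" ]  || set -- "-$mode" "$@"
    [ -z "$level" ] || set -- -l "$level" "$@"
    ${DRY_RUN:+echo} sandbox "$@"    # DRY_RUN=1 prints instead of running
}
# e.g. printf 'a:b\n' | confined_run "" "" "" "" cut -d: -f1
```

In the default domain the command can only use the descriptors it is handed, so input and output go through pipes or redirections set up by the caller, as in the usage comment.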
SEE ALSO
runcon(1)
chcat May 2009 SANDBOX(8)