Run the cmd application within a tightly confined SELinux domain.
The default sandbox domain only allows applications the ability to
read and write stdin, stdout and any other file descriptors handed to
it. It is not allowed to open any other files. The -M option will
mount an alternate homedir and tmpdir to be used by the sandbox.
If you have the policycoreutils-sandbox package installed, you can
use the -X option and the -M option. sandbox -X allows you to run X
applications within a sandbox. These applications will start up
their own X Server and create a temporary home directory and /tmp.
The default SELinux policy does not allow any capabilities or network
access. It also prevents all access to the users other processes and
files. Files specified on the command that are in the home directory
or /tmp will be copied into the sandbox directories.
If directories are specified with -H or -T the directory will have
its context modified with chcon(1) unless a level is specified with
-l. If the MLS/MCS security level is specified, the user is
responsible to set the correct labels.
display usage message
Use alternate homedir to mount over your home directory.
Defaults to temporary. Requires -X or -M.
Copy this file into the appropriate temporary sandbox
directory. Command can be repeated.
Copy all files listed in inputfile into the appropriate
temporary sandbox directories.
Specify the MLS/MCS Security Level to run the sandbox with.
Defaults to random.
Create a Sandbox with temporary files for $HOME and /tmp.
Shred temporary files created in $HOME and /tmp, before
Use alternate sandbox type, defaults to sandbox_t or
sandbox_x_t for -X.
sandbox_t - No X, No Network Access, No Open, read/write on
passed in file descriptors.
sandbox_min_t - No Network Access
sandbox_x_t - Ports for X applications to run locally
sandbox_web_t - Ports required for web browsing
sandbox_net_t - Network ports (for server software)
sandbox_net_client_t - All network ports
Use alternate temporary directory to mount on /tmp. Defaults
to tmpfs. Requires -X or -M.
Run a full desktop session, Requires level, and home and
Specifies the windowsize when creating an X based Sandbox. The
default windowsize is 1000x700.
Select alternative window manager to run within sandbox -X.
Default to /usr/bin/openbox.
-X Create an X based Sandbox for gui apps, temporary files for
$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
Set the DPI value for the sandbox X Server. Defaults to the
current X Sever DPI.
-C --capabilities Use capabilities within the
sandbox. By default applications executed within the sandbox
will not be allowed to use capabilities (setuid apps), with
the -C flag, you can use programs requiring capabilities.
This page is part of the selinux (Security-Enhanced Linux user-space
libraries and tools) project. Information about the project can be
found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you
have a bug report for this manual page, see
page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2017-03-13. If you
discover any rendering problems in this HTML version of the page, or
you believe there is a better or more up-to-date source for the page,
or you have corrections or improvements to the information in this
COLOPHON (which is not part of the original manual page), send a mail
sandbox May 2010 SANDBOX(8)