Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 7. Securing Programs Using Sandbox
The sandbox security utility adds a set of SELinux policies that allow a system administrator to run an application within a tightly confined SELinux domain. Restrictions on permission to open new files or access to the network can be defined. This enables testing the processing characteristics of untrusted software securely, without risking damage to the system.
7.1. Running an Application Using Sandbox
Copiar o linkLink copiado para a área de transferência!
Before using the sandbox utility, the policycoreutils-sandbox package must be installed:
yum install policycoreutils-sandbox
~]# yum install policycoreutils-sandbox
The basic syntax to confine an application is:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
sandbox [options] application_under_test
~]$ sandbox [options] application_under_test
To run a graphical application in a sandbox, use the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
The
-X option. For example:
sandbox -X evince
~]$ sandbox -X evince-X tells sandbox to set up a confined secondary X Server for the application (in this case, evince), before copying the needed resources and creating a closed virtual environment in the user’s home directory or in the /tmp directory.
To preserve data from one session to the next:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Note that
sandbox -H sandbox/home -T sandbox/tmp -X firefox
~]$ sandbox -H sandbox/home -T sandbox/tmp -X firefoxsandbox/home is used for /home and sandbox/tmp is used for /tmp. Different applications are placed in different restricted environments. The application runs in full-screen mode and this prevents access to other functions. As mentioned before, you cannot open or create files except those which are labeled as sandbox_x_file_t.
Access to the network is also initially impossible inside the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
sandbox. To allow access, use the sandbox_web_t label. For example, to launch Firefox:
sandbox ‑X ‑t sandbox_web_t firefox
~]$ sandbox ‑X ‑t sandbox_web_t firefoxWarning
The
sandbox_net_t label allows unrestricted, bi-directional network access to all network ports. The sandbox_web_t allows connections to ports required for web browsing only.
Use of
sandbox_net_t should made with caution and only when required.
See the
sandbox (8) manual page for information, and a full list of available options.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}