Looks like selinux-sandbox moved from policycoreutils:
https://github.com/SELinuxProject/selinux/commit/97bf196c8933f736c36fc0735781684a75a9c7d0

I am not able to run selinux-sandbox on Gentoo. Pls provide an ebuild/useflag for selinux-sandbox.

Hey,

sesandbox used to exist but was removed a few years ago when there was some security bug iirc. I don't think anyone really uses it, what are you looking to use it for? I kind of see sesandbox as a stopgap to writing a proper policy for whatever the program is and it's more for people using targeted, but we'd recommend going with strict or mcs.

If there is a package that's lacking a policy I'd much rather go the route of writing a proper policy for it, that way everyone benefits. What package/program are you planning to use it with?

(In reply to Jason Zaman from comment #1)
> Hey,
>
> sesandbox used to exist but was removed a few years ago when there was some
> security bug iirc. I don't think anyone really uses it, what are you looking
> to use it for? I kind of see sesandbox as a stopgap to writing a proper
> policy for whatever the program is and it's more for people using targeted,
> but we'd recommend going with strict or mcs.
>
> If there is a package that's lacking a policy I'd much rather go the route
> of writing a proper policy for it, that way everyone benefits. What
> package/program are you planning to use it with?

Thanks for the reply.

I'm a desktop user and I use the targeted policy type. I'd like to use sesandbox to run some programs (e.g. PDF viewer, media player, web browser) instead of using firejail. sesandbox is available by default in Fedora.

Regarding the CVEs:
https://www.cvedetails.com/vulnerability-list/vendor_id-16029/Selinux-Project.html
- I think that you had in mind CVE-2016-7545 and it's already fixed.

(In reply to Jason Zaman from comment #1)
> Hey,
>
> sesandbox used to exist but was removed a few years ago when there was some
> security bug iirc. I don't think anyone really uses it, what are you looking
> to use it for? I kind of see sesandbox as a stopgap to writing a proper
> policy for whatever the program is and it's more for people using targeted,
> but we'd recommend going with strict or mcs.
>
> If there is a package that's lacking a policy I'd much rather go the route
> of writing a proper policy for it, that way everyone benefits. What
> package/program are you planning to use it with?

Another scenario: let's imagine that I want to visit some malicious website (or in day-to-day browsing I accidentally visited one). It would be better not to run the browser with e.g. the staff_u:staff_r:chromium_t context together with e.g. the `chromium_read_generic_user_content` boolean.

(In reply to Jason Zaman from comment #1)
> Hey,
>
> sesandbox used to exist but was removed a few years ago when there was some
> security bug iirc. I don't think anyone really uses it, what are you looking
> to use it for? I kind of see sesandbox as a stopgap to writing a proper
> policy for whatever the program is and it's more for people using targeted,
> but we'd recommend going with strict or mcs.
>
> If there is a package that's lacking a policy I'd much rather go the route
> of writing a proper policy for it, that way everyone benefits. What
> package/program are you planning to use it with?

Found these two blog posts which describe why sesandbox support was dropped:
http://blog.siphos.be/2014/05/dropping-sesandbox-support/
http://blog.siphos.be/2016/09/we-do-not-ship-selinux-sandbox/

I'll try to install it on my own. On success I'll do the pull request and then you can decide if you want it back in Gentoo or not.

My plan is to:
1. introduce a new "sesandbox" use flag
   https://github.com/gentoo/gentoo/blob/57443662e1200e6a2841cfebc4ca8e87cd8a1b39/sys-apps/policycoreutils/policycoreutils-9999.ebuild#L18
2. parametrize these variables:
   - https://github.com/gentoo/gentoo/blob/57443662e1200e6a2841cfebc4ca8e87cd8a1b39/sys-apps/policycoreutils/policycoreutils-9999.ebuild#L114
   - https://github.com/gentoo/gentoo/blob/57443662e1200e6a2841cfebc4ca8e87cd8a1b39/sys-apps/policycoreutils/policycoreutils-9999.ebuild#L133
3. and then introduce a new ebuild for https://github.com/SELinuxProject/selinux/tree/master/sandbox which will be pulled by `policycoreutils` if the `sesandbox` useflag is present

Let me know, Jason, what you think about this idea.