/* Void Main's man pages */

{ phpMan } else { main(); }

Command: man perldoc info search(apropos)  

SANDBOX(8)                                                User Commands                                               SANDBOX(8)



NAME
       sandbox - Run cmd under an SELinux sandbox

SYNOPSIS
       sandbox  [-C] [-c] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize
       ] [[-i file ]...] [ -t type ] cmd

       sandbox [-C] [-c] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w  windowsize
       ] [[-i file ]...] [ -t type ] -S

DESCRIPTION
       Run  the  cmd  application within a tightly confined SELinux domain.  The default sandbox domain only allows applications
       the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed  to  open  any
       other files.  The -M option will mount an alternate homedir and tmpdir to be used by the sandbox.

       If  you  have  the  policycoreutils-sandbox  package  installed, you can use the -X option and the -M option.  sandbox -X
       allows you to run X applications within a sandbox.  These applications will start up their own X Server and create a tem-
       porary  home  directory and /tmp.  The default SELinux policy does not allow any capabilities or network access.  It also
       prevents all access to the users other processes and files.  Files specified on the command that are in the  home  direc-
       tory or /tmp will be copied into the sandbox directories.

       If  directories  are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is
       specified with -l.  If the MLS/MCS security level is specified, the user is responsible to set the correct labels.

       -H homedir
              Use alternate homedir to mount over your home directory.  Defaults to temporary. Requires -X or -M.

       -i file
              Copy this file into the appropriate temporary sandbox directory. Command can be repeated.

       -I inputfile Copy all files listed in inputfile into the
              appropriate temporary sandbox directories.

       -l     Specify the MLS/MCS Security Level to run the sandbox with.  Defaults to random.

       -M     Create a Sandbox with temporary files for $HOME and /tmp.

       -t type
              Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.

       -T tmpdir
              Use alternate tempory directory to mount on /tmp.  Defaults to tmpfs. Requires -X or -M.

       -S     Run a full desktop session, Requires level, and home and tmpdir.

       -w windowsize
              Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.

       -W windowmanager
              Select alternative window manager to run within sandbox -X.  Default to /usr/bin/matchbox-window-manager.

       -X     Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, secondary Xserver, defaults  to  sand-
              box_x_t

       -c     Use  control  groups  to  control this copy of sandbox.  Specify parameters in /etc/sysconfig/sandbox.  Max memory
              usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them  0,1,2...
              etc.

       -C     Use  capabilities  within the sandbox.  By default applications executed within the sandbox will not be allowed to
              use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities.

SEE ALSO
       runcon(1), seunshare(8), selinux(8)

AUTHOR
       This manual page was written by Dan Walsh <dwalshATredhat.com> and Thomas Liu <tliuATfedoraproject.org>



sandbox                                                     May 2010                                                  SANDBOX(8)
Valid XHTML 1.0!Valid CSS!