Chapter 7. Securing Programs Using Sandbox
7.1. Running an Application Using Sandbox
yum install policycoreutils-sandbox
-X option. For example:
-X tells sandbox to set up a confined secondary X Server for the application (in this case, evince), before copying the needed resources and creating a closed virtual environment in the user’s home directory or in the
sandbox/home is used for
sandbox/tmp is used for
/tmp. Different applications are placed in different restricted environments. The application runs in full-screen mode and this prevents access to other functions. As mentioned before, you cannot open or create files except those which are labeled as
sandbox. To allow access, use the
sandbox_web_t label. For example, to launch Firefox:
sandbox_net_t label allows unrestricted, bi-directional network access to all network ports. The sandbox_web_t allows connections to ports required for web browsing only.
sandbox_net_t should be made with caution and only when required.
sandbox(8) manual page for information, and a full list of available options.
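The following wrapper is an added example, not part of the original guide: it picks the narrowest network label for a graphical application and refuses sandbox_net_t unless explicitly enabled. The function names, the none|web|net keywords and the ALLOW_SANDBOX_NET, STATE_DIR and DRY_RUN variables are assumptions of this example; the -X, -t, -H and -T options are those documented in sandbox(8).

```shell
#!/bin/sh
# Added example: least-privilege launcher for the SELinux sandbox utility.
# Names and environment variables here are hypothetical, chosen for this example.

# Map a network need to the SELinux type passed with -t.
# "none" prints nothing, so the sandbox keeps its default of no network access.
sandbox_type_for() {
    case "$1" in
        none) ;;
        web)  echo sandbox_web_t ;;
        net)  # all ports, both directions: require an explicit opt-in
              [ "${ALLOW_SANDBOX_NET:-0}" = 1 ] || return 2
              echo sandbox_net_t ;;
        *)    return 1 ;;
    esac
}

# run_sandboxed <none|web|net> <application>
# With STATE_DIR set, home and tmp contents persist there between sessions.
# With DRY_RUN=1, the command line is printed instead of executed.
run_sandboxed() {
    profile=$1; app=$2
    setype=$(sandbox_type_for "$profile") || return $?
    set -- sandbox -X
    if [ -n "$setype" ]; then set -- "$@" -t "$setype"; fi
    if [ -n "${STATE_DIR:-}" ]; then
        set -- "$@" -H "$STATE_DIR/home" -T "$STATE_DIR/tmp"
    fi
    set -- "$@" "$app"
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; return 0; fi
    # The labels only confine the program while SELinux enforces policy,
    # so refuse to launch in permissive or disabled mode.
    [ "$(getenforce 2>/dev/null)" = Enforcing ] || return 3
    if [ -n "${STATE_DIR:-}" ]; then mkdir -p "$STATE_DIR/home" "$STATE_DIR/tmp"; fi
    "$@"
}

# Usage: run_sandboxed web firefox
#        ALLOW_SANDBOX_NET=1 run_sandboxed net firefox
```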