SELinux Sandbox for Untrusted Programs
The security framework SELinux is set to offer a Sandbox in which applications deemed insecure can be partitioned off from other system areas.
Red Hat colleagues Dan Walsh and Eric Paris have designed an additional security tool. SELinux project leader Walsh describes the functionality and development of this tool in a detailed blog entry. The main idea: for SELinux to limit the actions an application can perform and to confine untrusted binaries. This way, users should be able to work with programs and data that are not considered 100% secure.
The developers were inspired to create a sandbox to execute these security measures using the SELinux policies via a query on the Linux core list. Walsh describes: "The bug report talked about confining grep, awk, ls ... The idea was couldn't we stop the grep or the mv command from suddenly opening up a network connection and copying off my /etc/shadow file to parts unknown.“ Regarding further application areas, Walsh sees GRID jobs as potential danger, they might become Spam Bots or attack systems in some other form.

According to Walsh, only 10 clicks were needed to write the policy with the GUI program from Fedora 11. He delivers interested parties precise instructions. In addition to the policy, the “usr/bin/sandbox” tool was written in order to route contents into the Sandbox. One issue with the current version has not yet been fully dealt with: “My current intention with sandbox is not to handle X Apps, since these apps want to write all over the home directory ~/.gconf, ~/gnome., ~/.config ... and all over /tmp, along with use privs to talk to the X Server. I have some ideas on this for the future that I hope to experiment with.”
In a message on the Linux kernel list, Eric Paris introduces a simple application example and invites users to share their experiences. “Check it out, SELinux confinement made easy."
Issue 245/2021
Buy this issue as a PDF
News
-
Mageia 8 is Now Available with Linux 5.10 LTS
The latest release of Mageia includes improved graphics support for both AMD and NVIDIA GPUs.
-
GNOME 40 Beta has been Released
Anyone looking to test the beta for the upcoming GNOME 40 release can now do so.
-
OpenMandriva Lx 4.2 has Arrived
The latest stable version of OpenMandriva has been released and offers the newest KDE desktop and ARM support.
-
Thunderbird 78 is being ported to Ubuntu 20.04
The Ubuntu developers have made the decision to port the latest release of Thunderbird to the LTS version of the platform.
-
Elementary OS is Bringing Multi-Touch Gestures to the OS
User-friendly Linux distribution, elementary OS, is working to make using the fan-favorite platform even better for laptops.
-
Decade-Old Sudo Flaw Discovered
A vulnerability has been discovered in the Linux sudo command that’s been hiding in plain sight.
-
Another New Linux Laptop has Arrived
Slimbook has released a monster of a Linux gaming laptop.
-
Mozilla VPN Now Available for Linux
The promised subscription-based VPN service from Mozilla is now available for the Linux platform.
-
Wayland and New App Menu Coming to KDE
The 2021 roadmap for the KDE desktop environment includes some exciting features and improvements.
-
Deepin 20.1 has Arrived
Debian-based Deepin 20.1 has been released with some interesting new features.