[DSE-Dev] status sandbox support in policycoreutils

[Laurent Bigonville]

Keivan Motavalli wrote:
> Hi, debian does not support the, in my opinion, highly useful
> "sandbox" tool from selinux package policycoreutils.
> 
> It allows, for example, to run a sandboxed instance of a web-browser
> with vulnerable plugins with a single line script.
> 
> selinux support is currently disabled with patch 0017-no-sandbox ("Do
> not build or install sandbox related software, it requires a module
> not in refpolicy")
> 
> Better SELinux support is a planned feature for debian jessie. Is
> there any new development or declaration of intents on resolving bug
> #668954 in order to add selinux sandbox support?

Hi,

If I'm not wrong, the "sandbox" policy module has been written by Red
Hat people but was never merged upstream for some reasons.

We tried really hard in the last months to reduce the number of patches
applied to the policy in debian and to always try get the patches merged
upstream first. I personally don't really want to go back to a
situation where we have to carry 100+ patches in the debian package. If
you are really interested in this, you should probably try to see with
upstream if the situation can be unblocked on their side.

Regarding the sandbox executables in policycoreutils, the current
version we have in debian is affected by CVE-2014-3215, this should
already be fixed in the upstream git repository, but I would prefer see
them make a new release before I would even consider re-enabling the
tool (note that the seunshare tool is setuid).

Cheers,

Laurent Bigonville