On 08/02/2014 05:57 AM, Robert Horovitz wrote:
>> Why is libcap-ng not postponed until #1103622 is fixed? (which probably
>> won't be tomorrow)
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1103622
>
> Over a month later sandboxes are still broken.
>
> Will this be fixed sometime this year or is the SELinux sandbox feature
> dead for real?
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

There is a change to the kernel that is making its way upstream that should allow us to fix the feature.

Basically, right now a fix to libaudit forces us to turn off the ability for the sandboxed apps to run setuid programs; this also causes the kernel to prevent SELinux from execute/transition. We have a patch to the kernel that will allow processes to execute/transition to a different domain even if setuid is blocked, IFF the app is allowed to transition internally. Once this is enabled we can change the policy to allow transitioning to work again.
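Added example, not code from the thread, the sandbox tool or the kernel patch under discussion: the reply describes a process-wide "setuid is blocked" state that, on the kernels of the time, also stops SELinux from transitioning a child to a new domain on exec. The example assumes that state is the Linux no_new_privs flag (prctl PR_SET_NO_NEW_PRIVS; the thread does not name it, so treat that as an assumption). It shows how to check whether a process already carries the flag (the first thing to look at when an expected domain transition silently does not happen), how to set it, that children inherit it across fork, and how to read the caller's own SELinux context from /proc/self/attr/current to confirm what domain you are actually in. The function names are mine.

```c
/* Added example (not from the selinux list thread). Assumption: the
 * "setuid blocked" state the reply mentions is Linux's no_new_privs flag.
 * Linux-only: uses prctl(2) and /proc/self/attr/current. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if the calling process has no_new_privs set, 0 if clear, -1 on error.
 * With the flag set, execve() ignores setuid/setgid bits and file caps;
 * on kernels before the patch discussed above it also blocks SELinux
 * domain transitions for this process and everything it execs. */
int nnp_is_set(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the flag. It is one-way: it cannot be cleared again and is kept
 * across fork() and execve(), which is exactly why a sandbox helper that
 * sets it before launching the target removes setuid for the whole tree. */
int nnp_lock(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Fork a child and report the flag as the child sees it:
 * 1 = set, 0 = clear, -1 = fork/wait failure. Demonstrates inheritance. */
int nnp_seen_by_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(nnp_is_set() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Copy the caller's SELinux context (e.g. "unconfined_u:...:s0") into buf.
 * Returns 1 if a context was read, 0 if the kernel exposes none
 * (no /proc/self/attr, or SELinux not the active LSM -> ENOENT/EINVAL),
 * -1 on other errors. After exec, compare this with the context you
 * expected the policy's type_transition to give you. */
int read_selinux_context(char *buf, size_t len)
{
    if (len == 0)
        return -1;
    buf[0] = '\0';
    int fd = open("/proc/self/attr/current", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return (errno == ENOENT) ? 0 : -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;
    close(fd);
    if (n < 0)
        return (saved == EINVAL) ? 0 : -1;
    buf[n] = '\0';
    /* The kernel terminates the label with NUL or newline; drop it. */
    buf[strcspn(buf, "\n")] = '\0';
    return n > 0 ? 1 : 0;
}

int main(void)
{
    char ctx[256];
    printf("no_new_privs before lock: %d\n", nnp_is_set());
    if (read_selinux_context(ctx, sizeof ctx) == 1)
        printf("SELinux context: %s\n", ctx);
    else
        printf("SELinux context: not available on this kernel\n");

    if (nnp_lock() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("no_new_privs after lock:  %d\n", nnp_is_set());
    printf("flag as seen by a forked child: %d\n", nnp_seen_by_child());
    return 0;
}
```

If a sandboxed helper prints 1 for the flag before it even tries to exec its target, a missing domain change on exec is the flag at work, not a policy bug; on the kernels this thread describes, no allow rule fixes that, only the kernel change the reply refers to. Setting the flag is unprivileged, so the program runs as a normal user.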