On 09/06/2020 14:02, Stephen Smalley wrote:
> You are using sandbox as packaged by Fedora in policycoreutils-sandbox? If so, please file a bug against their package.

Just tested the version on the selinux repo and works. Will report to Fedora. Thanks.

> To be honest, I don't use sandbox myself and I am not sure it is being very well maintained these days. It was originally created by Red Hat. It seems like it has been OBE by other efforts to sandbox apps on Linux e.g. flatpak or snaps although I don't know that any of those are leveraging SELinux. I'd be tempted to remove it upstream unless it is getting proper care and feeding.

I have been fiddling with a few alternatives for sandboxing apps but I haven't really found anything that comes close. Probably the best I've seen is firejail and its defaults are not too good (too permissive IMO). It's a shame if it's not being maintained.