Linked by Thom Holwerda on Tue 26th May 2009 18:32 UTC, submitted by diegocg
Linux Eric Paris, a SELinux developer, has announced today a new SELinux feature: "Dan and I (mostly Dan) have started to play with using SELinux to confine random untrusted binaries. The program is called 'sandbox.' The idea is to allow administrators to lock down tightly untrusted applications in a sandbox where they can not use the network and open/create any file that is not handed to the process. Can be used to protect a system while allowing it to run some untrusted binary."
E-mail Print r 3   5 Comment(s)
Thread beginning with comment 365530
To read all comments associated with this story, please click here.
by giddie on Tue 26th May 2009 20:50 UTC
Member since:

This reminds me of something I read about the OLPC project. Don't they do something similar?

I wonder if this could also be used to create a sandboxed AppDir environment. (Just thinking aloud really -- I've had something like this in mind for a while.)

Edited 2009-05-26 20:52 UTC

Reply Score: 1

RE: AppDir?
by ephemient on Wed 27th May 2009 14:22 in reply to "AppDir?"
ephemient Member since:

The current release of OLPC uses Linux-VServer to implement part of Bitfrost. Effectively, every application is contained by running it alone in its own virtual machine. It can impose resource usage restrictions far beyond what I believe SELinux to be capable of. (I might be wrong on that last part.)

Reply Parent Score: 1

RE[2]: AppDir?
by adricnet on Wed 27th May 2009 14:56 in reply to "RE: AppDir?"
adricnet Member since:


I think the implemented Bitfrost moved past using the vserver patch into using the rainbow daemon.

Here's an old mail where Michael Stone explains why he disn't use SElinux:

Fascinating stuff ;)

Reply Parent Score: 1

RE[2]: AppDir?
by vtolkov on Thu 28th May 2009 19:03 in reply to "RE: AppDir?"
vtolkov Member since:

VMs are too expensive.

Reply Parent Score: 1