I've installed SELinux in Debian sid in order to use the sandbox that locks down apps to a restricted environment, but I can't get it to work. If I try to use the `sandbox` command in permissive mode without any options, like `sandbox nano`, I get the following error:

```
/usr/bin/sandbox: [Errno 22] Invalid argument
```

And if I try to run it with options for temporary home and tmp dirs, with or without the `-X` option, another error message pops up:

```
Could not set exec context to unconfined_u:unconfined_r:sandbox_x_t:s0:c236,c539.
Failed to remove directory /tmp/.sandbox-root-vfZJIt: No such file or directory
```

I have tried using the sandbox app in enforced mode, but it complains about missing type enforcement rules. I don't think that's the issue though. Does anyone know how to fix this?

Jeff Schaller
Magnus
    It seems that the sandbox policy module isn't loaded. If I run `semodule -l` the sandbox module doesn't show up. Does anyone know how to load the sandbox policy module in Debian? – Magnus May 02 '12 at 03:31

1 Answer

Unfortunately, SELinux support in Debian is far from complete, with some major gaps. It appears the required policy module for this particular functionality just isn't available:

```
wouter@gangtai:~$ apt-cache show policycoreutils-sandbox
Package: policycoreutils-sandbox
Source: policycoreutils
Version: 2.4-4

[...]

Description-en: SELinux core policy utilities (graphical sandboxes)

[...]

 This package requires an additional custom policy that is not present in
 Debian.
```

You'll have to find it elsewhere.

Wouter Verhelst
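The check described in the comment and answer above can be scripted. This is an added example, not part of the original question or answer: the function names and the sample module listing are constructed for illustration, and the live check assumes root access for `semodule` and `seinfo` from the setools package.

```shell
#!/bin/sh
# Added example: preflight checks for the "Could not set exec context"
# failure. All function names here are hypothetical helpers.

# Print the type field of an SELinux context (user:role:type[:range]).
# The MLS range can itself contain ':' (s0:c236,c539), so take field 3
# instead of splitting on the last colon.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if name $1 is the first field of any line read from stdin.
# Works on `semodule -l` output whether it prints "name<TAB>version"
# or only "name", and on the indented type list from `seinfo -t`.
name_listed() {
    awk -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# Constructed sample listing (module names and versions are made up),
# standing in for a system where the sandbox module is absent.
sample_listing() {
    printf 'apache\t2.7.2\nunconfined\t3.5.1\nxserver\t3.9.4\n'
}

# Live check against the running policy for the context named in the
# error message.
preflight() {
    type=$(context_type "$1")
    if semodule -l | name_listed sandbox; then
        echo "policy module 'sandbox': loaded"
    else
        echo "policy module 'sandbox': NOT loaded"
    fi
    if seinfo -t | name_listed "$type"; then
        echo "type '$type': defined in loaded policy"
    else
        echo "type '$type': NOT defined, exec context cannot be set"
    fi
}

# Run the live check only when a context is passed on the command line.
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

Run it as root with the context from the error message as its only argument, for example `unconfined_u:unconfined_r:sandbox_x_t:s0:c236,c539`.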