Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

sandbox(5) [centos man page]

sandbox.conf(5) 					    Linux System Administration 					   sandbox.conf(5)

sandbox.conf - user config file for the SELinux sandbox DESCRIPTION
When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined. Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("="). These keywords are allowed. NAME The name of the sandbox control group. Default is "sandbox". CPUAFFINITY Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to rep- resent ranges. Ex: 0-2,5 MEMUSAGE How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M CPUUSAGE Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50% SEE ALSO
sandbox(8) AUTHOR
This manual page was written by Thomas Liu <> sandbox.conf June 2010 sandbox.conf(5)

Check Out this Related Man Page

SANDBOX(8)							   User Commands							SANDBOX(8)

sandbox - Run cmd under an SELinux sandbox SYNOPSIS
sandbox [-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd sandbox [-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S DESCRIPTION
Run the cmd application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The -M option will mount an alternate homedir and tmpdir to be used by the sandbox. If you have the policycoreutils-sandbox package installed, you can use the -X option and the -M option. sandbox -X allows you to run X applications within a sandbox. These applications will start up their own X Server and create a temporary home directory and /tmp. The default SELinux policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Files specified on the command that are in the home directory or /tmp will be copied into the sandbox directories. If directories are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is specified with -l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels. -h --help display usage message -H --homedir Use alternate homedir to mount over your home directory. Defaults to temporary. Requires -X or -M. -i --include Copy this file into the appropriate temporary sandbox directory. Command can be repeated. -I --includefile Copy all files listed in inputfile into the appropriate temporary sandbox directories. -l --level Specify the MLS/MCS Security Level to run the sandbox with. Defaults to random. -M --mount Create a Sandbox with temporary files for $HOME and /tmp. -s --shred Shred temporary files created in $HOME and /tmp, before deleting. -t --type Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X. Examples: sandbox_t - No X, No Network Access, No Open, read/write on passed in file descriptors. sandbox_min_t - No Network Access sandbox_x_t - Printer Ports sandbox_web_t - Ports required for web browsing sandbox_net_t - All network ports -T --tmpdir Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M. -S --session Run a full desktop session, Requires level, and home and tmpdir. -w --windowsize Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700. -W --windowmanager Select alternative window manager to run within sandbox -X. Default to /usr/bin/matchbox-window-manager. -X Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t -d --dpi Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI. -c --cgroups Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. -C --capabilities Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities. SEE ALSO
runcon(1), seunshare(8), selinux(8) AUTHOR
This manual page was written by Dan Walsh <> and Thomas Liu <> sandbox May 2010 SANDBOX(8)
Man Page