Bug 818312 - sandbox man uncomplete

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Fedora | Reporter: | Fl@sh <alex.mail.1534> |
| Component: | policycoreutils | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 17 | CC: | alpha, dwalsh, mgrepl |
| Hardware: | noarch | OS: | Linux |
| Last Closed: | 2012-05-05 07:43:12 UTC | Type: | Bug |
| Doc Type: | Bug Fix | Fixed In Version: | |
Description
Fl@sh
2012-05-02 17:54:57 UTC
We actually have additional sandbox types.

    seinfo -asandbox_x_domain -x | grep -v client
    sandbox_x_domain
       sandbox_x_t
       sandbox_min_t
       sandbox_net_t
       sandbox_web_t

But this documentation is just talking about the default.

sandbox_min_t
sandbox_net_t
sandbox_web_t

Are not defaults. Also it is possible for the user to build additional types.

> sandbox_min_t
> sandbox_net_t
> sandbox_web_t
> Are not defaults.

If I understand correctly they are not used by default, but they are available by default, because they implement very common scenarios. Which makes them rather special and worth mentioning somewhere. And since this sandbox tool should be used by end users, who would never guess to run something like

    seinfo -asandbox_x_domain -x | grep -v client

I think it is important to make this information as clear as possible. Right now the best info brief googling gives me is slide №14 of this pdf file http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/sandbox.pdf, which doesn't seem like a proper way to give the docs. If man pages are not the right place for such details, maybe one could create a Fedora wiki page with this info? Though I'd vote for adding something like this to the man page:

= 1 variant =

    -t type
           Use alternate sandbox type. Defaults to sandbox_t or sandbox_x_t for -X.
           Other predefined types are: sandbox_min_t - minimal, sandbox_web_t - allows
           access to http ports, sandbox_net_t - allows access to all network ports.
           To see the full list run seinfo -asandbox_x_domain -x | grep -v client

====================================

or

= 2 variant =

    -t type
           Use alternate sandbox type. Defaults to sandbox_t or sandbox_x_t for -X.
    ....
    EXAMPLES
           To allow http-access use predefined sandbox_web_t type:
                  sandbox -X -t sandbox_web_t firefox
           To .... sandbox_min_t type:
           To .... sandbox_web_t type:

===========================================

or

= 3: docs on default sandbox types and how to create them? =

    -t type
           Use alternate sandbox type. Defaults to sandbox_t or sandbox_x_t for -X.
           See <link> for details.

============================================================

How about:

    -t type
           Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.
           Examples:
           sandbox_t     - No X, No Network Access, No Open, read/write on passed in file descriptors.
           sandbox_min_t - No Network Access
           sandbox_x_t   - Printer Ports
           sandbox_web_t - Ports required for web browsing
           sandbox_net_t - All network ports

Yes, this is even better. Thanks.

I have this fix in policycoreutils-2.1.11-11.fc18. I will back port next time I cut an F17 update.

Fixed in policycoreutils-2.1.11-11.fc17
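The thread above settles on documenting the predefined types, but the maintainer's first point still stands: the loaded policy, not the man page, decides which sandbox types exist. The following POSIX shell helper is an added example, not part of this bug report or of policycoreutils; it parses the output of the `seinfo -asandbox_x_domain -x` query quoted above (a constructed sample is embedded so it runs offline), filters the client helper domains the way the report's `grep -v client` does, and lets a wrapper verify a requested `-t` type before calling sandbox.

```shell
#!/bin/sh
# Added example, not from the bug report. SAMPLE_SEINFO is a constructed
# stand-in for `seinfo -asandbox_x_domain -x` output (attribute name, then its
# member types indented); on a real system pipe the command's output instead.
SAMPLE_SEINFO='   sandbox_x_domain
      sandbox_x_client_t
      sandbox_x_t
      sandbox_min_t
      sandbox_net_t
      sandbox_web_t
      sandbox_min_client_t'

# Print the usable sandbox domain types from seinfo output on stdin, one per
# line. Keeps only type names (ending in _t) and drops the *client_t helper
# domains, which is what the report's `grep -v client` does.
sandbox_types() {
    awk '$1 ~ /_t$/ && $1 !~ /client/ { print $1 }'
}

# Short description per predefined type, as agreed in this report; anything
# else is assumed to be a locally built type.
describe_type() {
    case "$1" in
        sandbox_t)     echo "No X, no network, no open; read/write on passed-in fds" ;;
        sandbox_min_t) echo "No network access" ;;
        sandbox_x_t)   echo "Printer ports" ;;
        sandbox_web_t) echo "Ports required for web browsing" ;;
        sandbox_net_t) echo "All network ports" ;;
        *)             echo "locally defined type (not a stock Fedora type)" ;;
    esac
}

# Succeed only if $1 is a type the loaded policy really provides, so a wrapper
# can reject a mistyped -t before calling sandbox(8).
type_available() {
    sandbox_types | grep -qx "$1"
}

# Stand-alone usage: list what the (sample) policy offers.
printf '%s\n' "$SAMPLE_SEINFO" | sandbox_types | while read -r t; do
    printf '%-14s %s\n' "$t" "$(describe_type "$t")"
done
```

On a real host, replace the sample with `seinfo -asandbox_x_domain -x | type_available sandbox_web_t && sandbox -X -t sandbox_web_t firefox` so an unknown type fails before the sandbox is set up.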