Bug 818312

Summary: sandbox man incomplete
Product: Fedora
Reporter: Fl@sh <alex.mail.1534>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: alpha, dwalsh, mgrepl
Hardware: noarch
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-05-05 07:43:12 UTC

Description Fl@sh 2012-05-02 17:54:57 UTC
Description of problem:
Sandbox man incomplete.
Please add the description of the sandbox_web_t option to the man page of the sandbox command.

Version-Release number of selected component (if applicable):
policycoreutils-sandbox-2.1.11-6.fc17.x86_64

How reproducible:
man sandbox, sandbox --help

Actual results:
-t type
 Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.

Expected results:
-t type
 Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X
   and sandbox_web_t for network

Additional info:

Comment 1 Daniel Walsh 2012-05-02 18:45:30 UTC
We actually have additional sandbox types.

 seinfo  -asandbox_x_domain -x | grep -v client
   sandbox_x_domain
      sandbox_x_t
      sandbox_min_t
      sandbox_net_t
      sandbox_web_t

But this documentation is just talking about the default.        
      sandbox_min_t
      sandbox_net_t
      sandbox_web_t

Are not defaults.  Also it is possible for the user to build additional types.

Comment 2 Aleksandra Fedorova 2012-05-02 20:39:29 UTC
> sandbox_min_t
> sandbox_net_t
> sandbox_web_t
> Are not defaults. 

If I understand correctly, they are not used by default, but they are available by default, because they implement very common scenarios. Which makes them rather special and worth mentioning somewhere.

And since this sandbox tool should be used by end users, who would never guess to run something like
 seinfo  -asandbox_x_domain -x | grep -v client
I think it is important to make this information as clear as possible.

Right now the best info brief googling gives me is slide №14 of this PDF file http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/sandbox.pdf, which doesn't seem like a proper way to provide the docs.

If man pages are not the right place for such details, maybe one could create a Fedora wiki page with this info?

Though I'd vote for adding something like this to the man page:

= Variant 1 =

-t type
    Use alternate sandbox type. Defaults to sandbox_t or sandbox_x_t for -X.
    Other predefined types are: 
      sandbox_min_t - minimal,
      sandbox_web_t - allows access to http ports,
      sandbox_net_t - allows access to all network ports.
    To see the full list run
      seinfo  -asandbox_x_domain -x | grep -v client

====================================

or 

= Variant 2 =

-t type
    Use alternate sandbox type. Defaults to sandbox_t or sandbox_x_t for -X.
....

EXAMPLES

  To allow http-access use predefined sandbox_web_t type:
    sandbox -X -t sandbox_web_t firefox
 To .... sandbox_min_t type:
 To .... sandbox_web_t type:
===========================================

or

= Variant 3: docs on default sandbox types and how to create them? =

-t type
    Use alternate sandbox type. Defaults to sandbox_t or sandbox_x_t for -X.
    See <link> for details.

============================================================

Comment 3 Daniel Walsh 2012-05-03 14:59:58 UTC
How about:

       -t type
              Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t
              for -X.

              Examples:
              sandbox_t -    No  X,  No Network Access, No Open, read/write on
              passed in file descriptors.
              sandbox_min_t  -    No Network Access
              sandbox_x_t    -    Printer Ports
              sandbox_web_t  -    Ports required for web browsing
              sandbox_net_t  -    All network ports
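
The type table above maps directly onto a least-privilege choice: pick the narrowest predefined type that still lets the program work, and confirm it actually exists in the loaded policy before launching. The shell helpers below are an added example, not part of this bug or of policycoreutils. The seinfo output they parse is a constructed sample built from the type names listed in this report (the `*_client_t` lines stand in for what `grep -v client` filters out); the requirement-to-type mapping follows Comment 3's table, and the functions only print the `sandbox` command line rather than running it.

```shell
#!/bin/sh
# Constructed stand-in for `seinfo -asandbox_x_domain -x` output (the real
# attribute header and client types are assumed; only the names on this bug are real).
SEINFO_SAMPLE='   sandbox_x_domain
      sandbox_x_t
      sandbox_x_client_t
      sandbox_min_t
      sandbox_min_client_t
      sandbox_net_t
      sandbox_net_client_t
      sandbox_web_t
      sandbox_web_client_t'

# List the usable sandbox types from seinfo output: strip indentation, drop the
# attribute header (it does not end in _t) and the *_client_t helper types,
# which is what the `grep -v client` in Comment 1 achieves.
sandbox_types_from_seinfo() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -v 'client' | grep '_t$'
}

# Pick the narrowest predefined type for a program's needs, per Comment 3's table.
#   $1 needs_x : yes|no
#   $2 network : none|printer|web|all
# Programs that need no X get sandbox_t, which has no network at all; the
# network levels only exist among the X types, so "no X + network" is refused.
least_privileged_type() {
    needs_x=$1; network=$2
    if [ "$needs_x" = no ]; then
        [ "$network" = none ] && { echo sandbox_t; return 0; }
        echo "no predefined non-X type grants network access" >&2
        return 1
    fi
    case "$network" in
        none)    echo sandbox_min_t ;;   # X only, no network
        printer) echo sandbox_x_t ;;     # X plus printer ports
        web)     echo sandbox_web_t ;;   # ports required for web browsing
        all)     echo sandbox_net_t ;;   # every network port
        *)       echo "unknown network level: $network" >&2; return 1 ;;
    esac
}

# Build the sandbox invocation, refusing a type that the policy does not define.
# sandbox_t is the non-X default and is not in sandbox_x_domain, so it is
# accepted without the lookup; everything else must appear in the seinfo list.
build_sandbox_cmd() {
    type=$1; shift
    if [ "$type" = sandbox_t ]; then
        echo "sandbox -t sandbox_t $*"
        return 0
    fi
    if sandbox_types_from_seinfo "$SEINFO_SAMPLE" | grep -qx "$type"; then
        echo "sandbox -X -t $type $*"
    else
        echo "unknown sandbox type: $type" >&2
        return 1
    fi
}

# Example: a browser needs X and web ports, so it gets sandbox_web_t, exactly
# the invocation proposed in Comment 2.
build_sandbox_cmd "$(least_privileged_type yes web)" firefox
```

On a real system replace `SEINFO_SAMPLE` with the live output of `seinfo -asandbox_x_domain -x`; locally built types (which Comment 1 says users may add) then show up automatically, while a typo in `-t` is caught before anything is launched with the wrong label.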

Comment 4 Aleksandra Fedorova 2012-05-03 18:47:15 UTC
Yes, this is even better. Thanks.

Comment 5 Daniel Walsh 2012-05-04 11:02:40 UTC
I have this fix in policycoreutils-2.1.11-11.fc18

I will back port next time I cut an F17 update.

Fixed in policycoreutils-2.1.11-11.fc17