On Tue, Jun 09, 2020 at 09:02:08AM -0400, Stephen Smalley wrote:
> On Tue, Jun 9, 2020 at 4:05 AM Cristian Ariza wrote:
> >
> > $ sandbox -H sandbox/home -T sandbox/tmp -S
> >
> > shows a few Gtk warnings (which I am assuming means Gnome loaded
> > somewhere) but no window opens. In the man page I can't find much
> > information about how sandbox -S actually works so not sure if I am
> > missing something or it's just a bug.
> >
> > I am using Fedora 32 with Gnome.

Do you use X session or Wayland? Anyway, -S uses gdm, gdm depends on
systemd and dbus, and this is blocked by policy. But gdm session in
sandbox doesn't work for me in permissive mode either, so it seems to be
completely broken.

On the other hand you should be able to run a specific application like
firefox:

$ sandbox -t sandbox_web_t -H sandbox/home -T sandbox/tmp -w 1920x1048 -X firefox

> You are using sandbox as packaged by Fedora in
> policycoreutils-sandbox? If so, please file a bug against their
> package.
> To be honest, I don't use sandbox myself and I am not sure it is being
> very well maintained these days. It was originally created by Red
> Hat.
> It seems like it has been OBE by other efforts to sandbox apps on
> Linux e.g. flatpak or snaps although I don't know that any of those
> are leveraging SELinux. I'd be tempted to remove it upstream unless
> it is getting proper care and feeding.
>

I'd actually agree to move sandbox and seunshare out of the
SELinuxProject/selinux repo. If it's maintained as an independent project
it could also ship and install its own policy, have its own release cycle
or just die.

Btw, a few years ago I wrote support for bubblewrap in sandbox so it uses
it instead of seunshare [1], but I haven't finished it and sent it for
review.

[1] https://github.com/bachradsusi/SELinuxProject-selinux/commit/5158ea1f552fc098647d4c503f646bdcb6d0737f

Petr