selinux sandbox

This is the second in a series of blogs arising from security discussions in my LUG. This month we covered selinux and here I will show some examples of using the selinux sandbox.

Dan Walsh explains a selinux sandbox Introducing the SELinux Sandbox .

Many people first encounter sandbox when they find multiple mounts, see this discussion on the Fedora Forums.

Rather then turning this feature off, I would like to give examples of how to use it on a desktop with graphical applications such as a browser or pdf reader.

Sandbox uses Xephyr for graphical applications and although you can not resize a Xepher window, you can specify the size of the window and you can run a window manager within Xephyr.


Evince is a straight forward application to use with sandbox and you can open a PDF with

sandbox -X evince 1782.pdf &

The -X flag allows sandbox to use Xephyr.


I am going to use midori first as for me it works out of the box and is a fast browser.

sandbox -t sandbox_web_t -w 1672x968 -X midori &

Here we added the -t to specify a selinux type to allow web access and the -w to specify a Xepher window size.

We can also add the midori configuration file.

sandbox -t sandbox_web_t -i /home/bodhi/.config/midori -w 1366x768 -X midori &

The -i flag includes the specified file or directory in the selinux sandbox. Be sure to use the full path.


Firefox is a much larger and more complex application and many people will use a variety of extensions and personas. I had a problem with firefox and Xephyr would open in a black screen, obviously some complex interaction between firefox, Xephyr, and sandbox, but am able to work around this by specifying a window manager.

First, create a new firefox profile to be used in the sandbox.

firefox -P

In the dialog box I created a profile named “sandbox”.

Next, run the new profile and customize it. Installed NoScript , adblock, a persona, and customized history and cookie settings the way I wanted.

Finally, start the sandbox with multiple -i (includes) and specifying the (sandbox) profile.

sandbox -X -t sandbox_web_t \

-i /home/bodhi/.mozilla/extensions \

-i /home/bodhi/.mozilla/plugins \

-i /home/bodhi/.mozilla/firefox/xxq3n2ci.sandbox \

-i /home/bodhi/.mozilla/firefox/profiles.ini \

-w 1366x768 -W fluxbox \

/usr/bin/firefox -P /usr/bin/sandbox &

The -i includes the specified files or directories in the sandbox and the -W specifies to use fluxbox as the window manager. Openbox also works as an alternate to fluxbox.

If you then look, your other profile, presumably containing things like passwords, is NOT in the sandbox. Open your mozilla directory in your browser


Use a script in ~/bin and create a launcher to use the sandbox. I call it sandfox.


sandbox -X -t sandbox_web_t \

-i /home/bodhi/.mozilla/extensions \

-i /home/bodhi/.mozilla/plugins \

-i /home/bodhi/.mozilla/firefox/xxq3n2ci.sandbox \

-i /home/bodhi/.mozilla/firefox/profiles.ini \

-w 1366x768 -W fluxbox \

/usr/bin/firefox -P /usr/bin/sandbox &

You can now create a launcher for sandfox.

Copy and paste to your sandox

This blog was the resource I found to add copy-paste functionality to sandfox and contains additional tips.

Here we make the use of xsel and two scripts to copy and paste into the sandbox. The key is to know what X server is which.

To see your Desktop X session



Here my desktop is on :4 as this is a shared computer and more then one user is logged in.

For firefox, open he file called “seremote” in your sandboxed home directory. Under File -> Open file in the firefox menu.

setsb copies selected text from your Desktop session to the Xephyr clipboard, paste by pushing the mouse wheel down.



xsel -p -o | xsel --display $screen -p -i

getsb copies selected text from your Xephyr session to your Desktop clipboard, paste by pushing the mouse wheel down.



xsel --display $screen -p -o | xsel -p -i


setsb :4

getsb :6

This entry was posted in Linux and tagged , , . Bookmark the permalink.

5 Responses to selinux sandbox

  1. Pingback: Firefox in einer SELinux Sandbox ausführen »

  2. dave says:

    very useful sanbox blog. thanks!

  3. Graphility says:

    Thanks mate for all your shared informations so far – keep up the good work! Is there any chance to set the sandbox bash-command for evince for example as standard for opening all pdfs? Would really appreciate an answer! Wish y’all a nice day!

  4. Hannes says:

    Thanks a lot for all ya shared information! What about sandboxing “xdg-open” so that all programmes are being executed in a sandbox?


  5. bodhi.zazen says:

    @Graphility – You would write a custom launcher, how to do that varies slightly between the various desktops

Leave a Reply

Your email address will not be published. Required fields are marked *