Introducing SELinux sandbox, confining untrusted binaries

jason

Eric Paris of the SELinux project announced on the LKML today the creation of the SELinux sandbox, a method to confine untrusted binaries.

The idea is to allow administrators to tightly lock down untrusted applications in a sandbox where they cannot use the network or open/create any file that is not handed to the process. It can be used to protect a system while allowing it to run some untrusted binary.

This definitely appears to be an interesting new development for SELinux. The sandbox would be a great place to run suspect code or maybe even Windows binaries via WINE.
I’ve used SELinux a little bit in the past, but usually found it incredibly complex to learn for the basic home network uses I wanted to have it for. This new feature may get me to put some real effort towards actually making the leap and committing myself to learn how to properly implement and use it.

Related books:

  • SELinux by Example by Frank Mayer, David Caplan, and Karl MacMillan, published by Prentice Hall
  • SELinux by Bill McCarty, published by O’Reilly & Associates