On 08/02/2014 05:57 AM, Robert Horovitz wrote:
> Why is libcap-ng not postponed until #1103622 is fixed? (which probably won't be tomorrow)
> Over a month later sandboxes are still broken.
> Will this be fixed sometime this year or is the SELinux sandbox feature dead for real?
There is a change to the kernel that is making its way upstream that should allow us to fix the feature.
Basically, right now a file to libaudit forces us to turn off the ability for the sandboxed apps to run setuid programs; this also causes the kernel to prevent SELinux from execute/transition. We have a patch to the kernel that will allow processes to execute/transition to a different domain even if setuid is blocked, IFF the app is allowed to transition internally.
Once this is enabled we can change the policy to allow transitioning to work again.