Fedora 12 demonstrates sandbox for desktop applications
Security-Enhanced Linux (SELinux) specialist and Red Hat developer Dan Walsh (not from America’s Most Wanted) has souped up the security mechanisms in Fedora and SELinux by adding a desktop sandbox which he’s calling “sandbox -X”. Users can run desktop applications of their choice inside his sandbox, which then protects the underlying system from any damage the application might do.
SELinux extends the standard Unix privileges concept with a role-based privilege model which, in principle, allows a user to forbid a PDF viewer from, for example, sending email. Currently, however, SELinux is mainly used to wall off server services.
Dan Walsh is now looking to change this and has designed a desktop sandbox. This can, for example, be used to run Firefox in an isolated environment consisting of temporary directories, a separate X server instance – for which he uses Xephyr – and a special profile which defines the relevant privileges. Currently this must be invoked manually:
sandbox -X -t sandbox_web_t firefox
Sandbox -X is already in Fedora 12 (+OneMillion for Fedora), scheduled for a November release, so interested users can already have a play. It is likely to be a while before it becomes genuinely user-friendly: the sandbox currently forgets all user settings each time it is run and cannot copy and paste into the host system.
Looks to be some amazing software for the security conscious Fedora user.
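As an added example (not code from the original post or from the sandbox tool itself), a small POSIX shell wrapper around the command above: it refuses to start unless SELinux is actually enforcing, and it works around the "forgets all user settings" limitation by handing sandbox a persistent home and tmp directory via its -H and -T options. That the Fedora 12 build already accepts -H and -T is an assumption; current policycoreutils does.

```shell
#!/bin/sh
# Added example, not the original post's code. Wraps "sandbox -X" so that
# Firefox keeps its profile between runs (assumption: the installed sandbox
# supports the -H and -T options, as current policycoreutils does).

# Build the sandbox argument list, one argument per line, without running
# anything, so the command can be inspected or tested.
build_sandbox_cmd() {
    type="$1"   # SELinux sandbox type, e.g. sandbox_web_t
    home="$2"   # directory mounted over $HOME inside the sandbox
    tmp="$3"    # directory mounted over /tmp inside the sandbox
    shift 3     # remaining arguments: the program and its arguments
    printf '%s\n' sandbox -X -t "$type" -H "$home" -T "$tmp" "$@"
}

# True only when SELinux is enforcing. In permissive mode the sandbox still
# starts, but denials are only logged, so nothing is actually confined.
selinux_enforcing() {
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ]
}

# Create a persistent directory readable by its owner only, so the profile
# kept between runs is not exposed to other local users.
prepare_dir() {
    dir="$1"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod 0700 "$dir"
}

# Launch the program confined; returns non-zero if SELinux is not enforcing.
run_sandboxed() {
    base="${XDG_DATA_HOME:-$HOME/.local/share}/sandbox"
    selinux_enforcing || { echo "SELinux is not enforcing; refusing" >&2; return 2; }
    prepare_dir "$base/home" && prepare_dir "$base/tmp" || return 1
    # Re-read the one-per-line argument list into the positional parameters.
    # A newline-only IFS and disabled globbing keep arguments with spaces intact.
    IFS='
'
    set -f
    set -- $(build_sandbox_cmd sandbox_web_t "$base/home" "$base/tmp" "$@")
    set +f
    unset IFS
    exec "$@"
}

# Usage: RUN_SANDBOX=1 sh sandboxed-firefox.sh firefox https://example.org
if [ "${RUN_SANDBOX:-0}" = 1 ]; then run_sandboxed "$@"; fi
```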

Would sandbox (theoretically) be able to run on another distro? (namely ubuntu?)
Before you could, you would need to install SELinux. By default it is not included with Ubuntu. After that, I don't see why not.
Where can I find information about Sandbox, I need to know exactly why or how it causes bind mounts some