Running Firefox Inside an SELinux Sandbox

Running Firefox inside an SELinux sandbox will add a layer of security against browser based attacks.  Any processes or sub-processes are restricted within the SELinux Sandbox.

This works with Fedora and CentOS 6.4 (Redhat).  It only sometimes works with CentOS 6.3 (not sure why).

First we need to install a few things.

yum install -y policycoreutils.x86_64 policycoreutils-gui.x86_64 policycoreutils-newrole.x86_64 policycoreutils-python.x86_64 policycoreutils-sandbox.x86_64 policycoreutils-python

Make these directories (in your home dir):

mkdir -p setmp/sehome mkdir -p setmp/tmp

Add this to a file in your home directory called "sefirefox" and change permissions on it to "755":

sandbox -X -H setmp/sehome -T setmp/tmp -t sandbox_web_t firefox

Firefox can now be run from inside an SELinux sandbox by typing:

./sefirefox

© Copyright 2013