selinux/sandbox/seunshare.8

.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
.SH NAME
seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
.SH SYNOPSIS
.B seunshare
[ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
.br
.SH DESCRIPTION
.PP
Run the
.I executable
within the specified context, using custom home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.

.TP
\fB\-h homedir\fR
Alternate homedir to be used by the application. Homedir must be owned by the user
.TP
\fB\-t\ tmpdir
Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user
.TP
\fB\-r\ runuserdir
Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user
.TP
\fB\-C --capabilities\fR
Allow apps executed within the namespace to use capabilities. Default is no capabilities
.TP
\fB\-k --kill\fR
Kill all processes with matching MCS level
.TP
\fB\-Z\ context
Use alternate SELinux context while running the executable
.TP
\fB\-v\fR
Verbose output

.SH EXAMPLE
.nf
Run bash with temporary /home and /tmp directory
# USERHOMEDIR=`mktemp -d /tmp/home.XXXXXX`; USERTEMPDIR=`mktemp -d /tmp/temp.XXXXXX`
# seunshare -v -h ${USERHOMEDIR} -t ${USERTEMPDIR} -- /bin/bash

.SH "SEE ALSO"
.TP
runcon(1), sandbox(8), selinux(8)
.PP
.SH AUTHOR
This manual page was written by
.I Dan Walsh <dwalsh@redhat.com>
and
.I Thomas Liu <tliu@fedoraproject.org>
policycoreutils: sandbox: Makefile: new man pages we have man pages which aren't being instelled with make install. We also do not include -Werror -Wall -Wextra in the build like we do with other packages, so include those. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-08-15 17:56:02 +00:00			`.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"`
			`.SH NAME`
			`seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context`
			`.SH SYNOPSIS`
			`.B seunshare`
Remove handling of cgroups from sandbox It never worked correctly and this should be handled with an API to systemd going forward. 2014-05-12 17:19:20 +00:00			`[ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]`
policycoreutils: sandbox: Makefile: new man pages we have man pages which aren't being instelled with make install. We also do not include -Werror -Wall -Wextra in the build like we do with other packages, so include those. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-08-15 17:56:02 +00:00			`.br`
			`.SH DESCRIPTION`
			`.PP`
			`Run the`
			`.I executable`
sandbox: Add examples to man pages While at it, remove trailing whitespaces. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: Petr Lautrbach <lautrbach@redhat.com> 2023-06-01 14:39:13 +00:00			`within the specified context, using custom home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.`
policycoreutils: sandbox: Makefile: new man pages we have man pages which aren't being instelled with make install. We also do not include -Werror -Wall -Wextra in the build like we do with other packages, so include those. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-08-15 17:56:02 +00:00
			`.TP`
			`\fB\-h homedir\fR`
sandbox: Add examples to man pages While at it, remove trailing whitespaces. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: Petr Lautrbach <lautrbach@redhat.com> 2023-06-01 14:39:13 +00:00			`Alternate homedir to be used by the application. Homedir must be owned by the user`
policycoreutils: sandbox: Makefile: new man pages we have man pages which aren't being instelled with make install. We also do not include -Werror -Wall -Wextra in the build like we do with other packages, so include those. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-08-15 17:56:02 +00:00			`.TP`
			`\fB\-t\ tmpdir`
sandbox: Add examples to man pages While at it, remove trailing whitespaces. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: Petr Lautrbach <lautrbach@redhat.com> 2023-06-01 14:39:13 +00:00			`Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user`
policycoreutils: sandbox: Makefile: new man pages we have man pages which aren't being instelled with make install. We also do not include -Werror -Wall -Wextra in the build like we do with other packages, so include those. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-08-15 17:56:02 +00:00			`.TP`
sandbox: Use temporary directory for XDG_RUNTIME_DIR XDG_RUNTIME_DIR (/run/user/$UID) is used for user-specific data files such as sockets, named pipes and so on. Therefore, it should not be available to sandboxed processes. Usage: # ls -a $XDG_RUNTIME_DIR . .. bus pipewire-0 systemd # sandbox -R /root/sandbox/user -- sh -c "ls -a $XDG_RUNTIME_DIR" . .. Signed-off-by: Petr Lautrbach <plautrba@redhat.com> Acked-by: James Carter <jwcart2@gmail.com> 2022-10-13 13:23:12 +00:00			`\fB\-r\ runuserdir`
sandbox: Add examples to man pages While at it, remove trailing whitespaces. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: Petr Lautrbach <lautrbach@redhat.com> 2023-06-01 14:39:13 +00:00			`Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user`
sandbox: Use temporary directory for XDG_RUNTIME_DIR XDG_RUNTIME_DIR (/run/user/$UID) is used for user-specific data files such as sockets, named pipes and so on. Therefore, it should not be available to sandboxed processes. Usage: # ls -a $XDG_RUNTIME_DIR . .. bus pipewire-0 systemd # sandbox -R /root/sandbox/user -- sh -c "ls -a $XDG_RUNTIME_DIR" . .. Signed-off-by: Petr Lautrbach <plautrba@redhat.com> Acked-by: James Carter <jwcart2@gmail.com> 2022-10-13 13:23:12 +00:00			`.TP`
policycoreutils: sandbox: add -C option to not drop all capabilities Some sandbox might want to be able to run a suid app. Add the -C option to allow capabilities to stay in the bounding set, and thus be allowed inside the sandbox. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-06-13 17:24:38 +00:00			`\fB\-C --capabilities\fR`
sandbox: Add examples to man pages While at it, remove trailing whitespaces. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: Petr Lautrbach <lautrbach@redhat.com> 2023-06-01 14:39:13 +00:00			`Allow apps executed within the namespace to use capabilities. Default is no capabilities`
policycoreutils: sandbox: add -C option to not drop all capabilities Some sandbox might want to be able to run a suid app. Add the -C option to allow capabilities to stay in the bounding set, and thus be allowed inside the sandbox. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-06-13 17:24:38 +00:00			`.TP`
policycoreutils: sandbox: add level based kill option add kill option to seunshare to kill all processes that are still running with the execcon MCS label. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-07-07 00:22:26 +00:00			`\fB\-k --kill\fR`
sandbox: Add examples to man pages While at it, remove trailing whitespaces. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: Petr Lautrbach <lautrbach@redhat.com> 2023-06-01 14:39:13 +00:00			`Kill all processes with matching MCS level`
policycoreutils: sandbox: add level based kill option add kill option to seunshare to kill all processes that are still running with the execcon MCS label. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-07-07 00:22:26 +00:00			`.TP`
policycoreutils: sandbox: Makefile: new man pages we have man pages which aren't being instelled with make install. We also do not include -Werror -Wall -Wextra in the build like we do with other packages, so include those. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-08-15 17:56:02 +00:00			`\fB\-Z\ context`
sandbox: Add examples to man pages While at it, remove trailing whitespaces. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: Petr Lautrbach <lautrbach@redhat.com> 2023-06-01 14:39:13 +00:00			`Use alternate SELinux context while running the executable`
policycoreutils: sandbox: Makefile: new man pages we have man pages which aren't being instelled with make install. We also do not include -Werror -Wall -Wextra in the build like we do with other packages, so include those. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-08-15 17:56:02 +00:00			`.TP`
			`\fB\-v\fR`
			`Verbose output`
sandbox: Add examples to man pages While at it, remove trailing whitespaces. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: Petr Lautrbach <lautrbach@redhat.com> 2023-06-01 14:39:13 +00:00
			`.SH EXAMPLE`
			`.nf`
			`Run bash with temporary /home and /tmp directory`
			# USERHOMEDIR=`mktemp -d /tmp/home.XXXXXX`; USERTEMPDIR=`mktemp -d /tmp/temp.XXXXXX`
			`# seunshare -v -h ${USERHOMEDIR} -t ${USERTEMPDIR} -- /bin/bash`

policycoreutils: sandbox: Makefile: new man pages we have man pages which aren't being instelled with make install. We also do not include -Werror -Wall -Wextra in the build like we do with other packages, so include those. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com> 2011-08-15 17:56:02 +00:00			`.SH "SEE ALSO"`
			`.TP`
			`runcon(1), sandbox(8), selinux(8)`
			`.PP`
			`.SH AUTHOR`
			`This manual page was written by`
			`.I Dan Walsh <dwalsh@redhat.com>`
			`and`
			`.I Thomas Liu <tliu@fedoraproject.org>`