BOSTON. SELinux is a great way to limit the access rights/roles on a Linux machine.
But how do you limit CPU or memory usage of a given application? Red Hat engineer Dan Walsh has a solution that he calls SELinux Sandbox, which he demoed at the LinuxCon conference today.
Walsh stressed that he’s not trying to replace virtualization with SELinux sandboxing, but he is trying to create an easier way to isolate and control applications.
There are a lot of people (myself included) who have often struggled with SELinux and its permission system. For those types of users, Walsh has an option too, called SEunshare, which will enable a user to set up sandboxes without running with full SELinux control.
The effort still isn’t completely baked yet from what I saw, but the potential is nothing short of awesome for total Linux security. Any application or even a document could be isolated and ‘sandboxed’ to create an ultra-hygienic environment for computing.
Yes, you can do a degree of sandboxing with virtual machines today, but Walsh’s approach is faster, more efficient and likely more flexible too.