Running a sandboxed browser session with SELinux

This post was written on, and tested with, Fedora 30. Other distributions or releases might be a little different.

Plenty of users probably haven't used SELinux much, and most will only know it as a security framework for containing misbehaving apps and enforcing access control in Linux. If you get into the meat of it though, you can use its sweet security controls to do all sorts of Fun™ things.

Today I'm going to show you how to use SELinux to run a clean Firefox session in a sandbox.

The boring bits

SELinux is a maddeningly complex bit of technology. It's really powerful, boasts some really awesome design and is something you'll really want to learn if you want to up your security (or Linux) skills. That being said, the finer details of users, roles, types, sensitivities and categories are way beyond this post, and you don't really need to understand everything to get started!

Playing with your sandbox

The crucial command behind all of this is the sandbox command. On most SELinux-enabled systems (and certainly on Fedora), sandbox is installed by default.

As the name implies, sandbox runs any command in a fully user-controllable, SELinux-enforced sandbox. This lets you isolate commands and applications from the rest of your system and grant them only specific permissions and capabilities. Even better, SELinux ships a handful of prebuilt sandbox types that allow access to certain critical resources, such as the network.

After you install one dependency (policycoreutils-sandbox), you can even run X apps in an SELinux sandbox!

The good bit

With that context out of the way, here's the magic command for running Firefox in an SELinux sandbox on Fedora:

sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox

This runs a sandbox with its own X server (-X), allows the ports required for web browsing and general network access (-t sandbox_web_t and -t sandbox_net_t), and launches Firefox in a 1280x1024 window (-w 1280x1024).

This opens a new window with a completely clean instance of Firefox that SELinux isolates from the rest of your processes. Note that this also means the sandboxed Firefox cannot access any of your files (including your Firefox profile), so you get a completely fresh session every time.

Next steps

If you find this handy, you might want to extend this to other apps that you use, whether to test things in a clean environment or to handle files you don't entirely trust. As an example, here's how to open report.pdf from my home directory in a sandboxed PDF viewer (the -i option copies the file into the sandbox's temporary home directory, which is why evince is given just the bare file name):

sandbox -X -w 1280x1024 -i ~/report.pdf evince report.pdf

Since these commands are unwieldy and the options are app-specific, I recommend setting up some aliases for anything you use often.
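To make the Firefox command above and the sandboxed-viewer pattern reusable, here is a set of shell wrappers you could drop into ~/.bashrc. This is an added example, not code from the original post: the function and variable names (sbx_firefox, sbx_open, run_sandbox, sandbox_ready, SANDBOX_GEOMETRY, SANDBOX_DRY_RUN) are my own, while the sandbox options and the sandbox_web_t type are those documented in sandbox(8). The wrappers refuse to launch anything when the sandbox tool is missing or SELinux is not enforcing, because in that case the command would run unconfined while looking sandboxed.

```shell
#!/bin/sh
# Added example (not from the original post): wrappers around Fedora's
# `sandbox` tool from policycoreutils-sandbox. Names starting with sbx_,
# run_sandbox, sandbox_ready and the SANDBOX_* variables are my own
# assumptions; the sandbox flags and types are from sandbox(8).

# Window geometry for every X sandbox; override it in the environment.
SANDBOX_GEOMETRY="${SANDBOX_GEOMETRY:-1280x1024}"

# Fail loudly instead of launching an unconfined process: the wrappers only
# isolate anything when the tool is present and SELinux is really enforcing.
sandbox_ready() {
    command -v sandbox >/dev/null 2>&1 || {
        echo "sandbox not found; install policycoreutils-sandbox" >&2
        return 1
    }
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ] || {
        echo "SELinux is not in enforcing mode; refusing to pretend" >&2
        return 1
    }
}

# Execute the given sandbox command line, or only print it when
# SANDBOX_DRY_RUN is set (useful for checking an alias before relying on it).
run_sandbox() {
    if [ -n "${SANDBOX_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        sandbox_ready && "$@"
    fi
}

# Clean Firefox session: own X server, web ports only, no access to $HOME.
# Extra arguments are passed straight to firefox.
sbx_firefox() {
    run_sandbox sandbox -X -t sandbox_web_t -w "$SANDBOX_GEOMETRY" firefox "$@"
}

# Open one untrusted file in any X viewer. -i copies the file into the
# sandbox's throwaway home, so the viewer works on a copy, and the default
# sandbox_x_t type (chosen by -X) has no network access.
#   usage: sbx_open ~/report.pdf evince
sbx_open() {
    file="$1"; shift
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    run_sandbox sandbox -X -w "$SANDBOX_GEOMETRY" -i "$file" "$@" "$(basename "$file")"
}
```

With SANDBOX_DRY_RUN=1 set, `sbx_open ~/report.pdf evince` prints the exact command line that would run (`sandbox -X -w 1280x1024 -i /home/you/report.pdf evince report.pdf`), which is an easy way to confirm an alias before pointing it at a file you distrust.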

There are quite a few ways to run sandboxed X apps these days! If SELinux's sandbox isn't right for you, you might want to check out LXC/LXD, Docker (especially with subuser) or Podman.

Now go forth and sandbox all the things!

You should also be aware that sand is coarse and rough and irritating and it gets everywhere.