149afc688a
Some sandbox might want to be able to run a suid app. Add the -C option to allow capabilities to stay in the bounding set, and thus be allowed inside the sandbox. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
40 lines
1.4 KiB
Groff
40 lines
1.4 KiB
Groff
.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
|
|
.SH NAME
|
|
seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
|
|
.SH SYNOPSIS
|
|
.B seunshare
|
|
[ -v ] [ -c ] [ -C ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
|
|
.br
|
|
.SH DESCRIPTION
|
|
.PP
|
|
Run the
|
|
.I executable
|
|
within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
|
|
|
|
.TP
|
|
\fB\-h homedir\fR
|
|
Alternate homedir to be used by the application. Homedir must be owned by the user.
|
|
.TP
|
|
\fB\-t\ tmpdir
|
|
Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user.
|
|
.TP
|
|
\fB\-c --cgroups\fR
|
|
Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
|
|
.TP
|
|
\fB\-C --capabilities\fR
|
|
Allow apps executed within the namespace to use capabilities. Default is no capabilities.
|
|
.TP
|
|
\fB\-Z\ context
|
|
Use alternate SELinux context while runing the executable.
|
|
.TP
|
|
\fB\-v\fR
|
|
Verbose output
|
|
.SH "SEE ALSO"
|
|
.TP
|
|
runcon(1), sandbox(8), selinux(8)
|
|
.PP
|
|
.SH AUTHOR
|
|
This manual page was written by
|
|
.I Dan Walsh <dwalsh@redhat.com>
|
|
and
|
|
.I Thomas Liu <tliu@fedoraproject.org>
|