For using the SELinux sandbox types (`sandbox_*_t`) with `bwrap` (instead of having to use the very limited suid `seunshare`). This is a very lightweight, yet powerful, sandboxing mechanism (without suid binaries).

`bwrap-sandbox` is SELinux's `sandbox` modified to use `bwrap` (with the SELinux module described below) instead of `seunshare`.
This makes things like the following possible:

```
$ bwrap --dev-bind / / --bind /etc/hostname /etc/passwd ./bwrap-sandbox -t sandbox_min_t sh -i
```

`/etc/passwd` now contains the hostname (due to the bwrap bind):

```
sh-5.0$ cat /etc/passwd
marius-latitude
```

`/mnt/` can't be accessed, per the SELinux restrictions on `sandbox_min_t`:

```
sh-5.0$ ls /mnt/
ls: cannot open directory '/mnt/': Permission denied
```
Run `bwrap-sandbox` with a read-only `/`:

```
$ bwrap --ro-bind / / --proc /proc --bind /sys /sys bwrap-sandbox -t sandbox_web_t touch /
/usr/bin/touch: setting times of '/': Read-only file system
```
Run `semodule -i ./bwrap-selinux-sandbox/bwrap-selinux-sandbox.pp` as root. The module can be removed using `semodule -r bwrap-selinux-sandbox`.

`bwrap-sandbox` can be used as a drop-in replacement for SELinux's `sandbox`.

Use `make` in `bwrap-selinux-sandbox/` to build the SELinux module.
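The invocations above are typed by hand each time. As an added example (not code from the bwrap-sandbox project), the wrapper below puts the read-only root layout into one POSIX sh script, refuses any type that is not a `sandbox_*_t` domain, checks with `semodule -l` that the `bwrap-selinux-sandbox` module is installed, and then hands off to `bwrap` + `./bwrap-sandbox`. It goes a little beyond the README's `--ro-bind / /` example by also giving the sandbox a private `/tmp` and its own PID namespace (`--tmpfs`, `--dev`, `--unshare-pid` and `--die-with-parent` are standard bwrap options). The script assumes `./bwrap-sandbox` is in the current directory; the script name `sandbox-run.sh` and the `RUN_SANDBOX` guard variable are the example's own conventions.

```shell
#!/bin/sh
# Added example (not part of bwrap-sandbox): run a command under one of the
# SELinux sandbox types via bwrap + ./bwrap-sandbox with a read-only root,
# a private /tmp and a private PID namespace. Assumes ./bwrap-sandbox is in
# the current directory and the bwrap-selinux-sandbox module is installed.

# bwrap options shared by every invocation (none contain spaces, so plain
# word splitting is safe). Later mounts override earlier ones, so /proc, /dev
# and /tmp are fresh even though / is bind-mounted read-only first.
SANDBOX_BWRAP_ARGS="--ro-bind / / --proc /proc --dev /dev --tmpfs /tmp --unshare-pid --die-with-parent"

# Only accept the sandbox domains the policy is meant for (sandbox_*_t).
is_sandbox_type() {
    case "$1" in
        sandbox_*_t) return 0 ;;
        *)           return 1 ;;
    esac
}

# True if semodule lists the named policy module as installed.
module_loaded() {
    semodule -l 2>/dev/null | grep -qx "$1"
}

# Print the exact command line run_sandboxed would execute (for review or
# logging). $1 = SELinux type, remaining arguments = command for the sandbox.
build_bwrap_cmd() {
    sandbox_type="$1"; shift
    is_sandbox_type "$sandbox_type" || return 1
    printf '%s' "bwrap $SANDBOX_BWRAP_ARGS ./bwrap-sandbox -t $sandbox_type $*"
}

# Validate the type and the policy module, then replace this shell with bwrap.
run_sandboxed() {
    sandbox_type="$1"; shift
    if ! is_sandbox_type "$sandbox_type"; then
        echo "refusing non-sandbox type: $sandbox_type" >&2
        return 2
    fi
    if ! module_loaded bwrap-selinux-sandbox; then
        echo "bwrap-selinux-sandbox module not installed (run semodule -i first)" >&2
        return 3
    fi
    # shellcheck disable=SC2086  # intentional word splitting of the option list
    exec bwrap $SANDBOX_BWRAP_ARGS ./bwrap-sandbox -t "$sandbox_type" "$@"
}

# Usage: RUN_SANDBOX=1 ./sandbox-run.sh sandbox_min_t sh -i
# The guard keeps the functions sourceable without starting a sandbox.
if [ "${RUN_SANDBOX:-0}" = 1 ]; then
    run_sandboxed "$@"
fi
```

Because `/` is mounted read-only before `/tmp` is overlaid with a tmpfs, a process in `sandbox_min_t` still has somewhere writable inside the mount namespace while the SELinux type, not the mount flags, remains the thing that decides what it may read (as the `/mnt/` denial above shows).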