Feedback on Java applet functionality?
Roland McGrath
roland at redhat.com
Fri Aug 11 20:55:12 UTC 2006
> On Friday 11 August 2006 16:29, Andrew Haley wrote:
> > No. It requires execmem because it really needs it.
>
> Then it really needs to be fixed. We're trying to ship with disallowing
> execmem because its the right thing to do.
It sure isn't the "targeted" thing to do. I haven't heard the rationale
for *any* SELinux checks on the "unconfined" world. I know well the
rationale for why no program should want to do that, blah blah blah.
No program should want to make world-writable files either, but they can.
I just don't comprehend how the "targeted policy" includes any constraints
on what an "untargeted" process can do to itself.
I'm all for good support for strict policy in applications, including
finding the best ways for JIT-using applications to be marked appropriately
without requiring constant hassle for each application's developer or packager.
But that is neither here nor there (well maybe it's there, but it's not here).
The whole idea of the "targeted" policy is that it won't break your stuff
that worked without SELinux. It only affects particular applications and
files that are in the "targeted" list. If it weren't an important
requirement that people's existing, unlabeled applications of all sorts
keep working without new SELinux-specific effort, then everyone would be
happy to use a strict policy.
Thanks,
Roland
More information about the devel
mailing list