[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Feedback on Java applet functionality?

> On Friday 11 August 2006 16:29, Andrew Haley wrote:
> > No.  It requires execmem because it really needs it.
> Then it really needs to be fixed.  We're trying to ship with disallowing 
> execmem because its the right thing to do.

It sure isn't the "targeted" thing to do.  I haven't heard the rationale
for *any* SELinux checks on the "unconfined" world.  I know well the
rationale for why no program should want to do that, blah blah blah.
No program should want to make world-writable files either, but they can.
I just don't comprehend how the "targeted policy" includes any constraints
on what an "untargeted" process can do to itself.  

I'm all for good support for strict policy in applications, including
finding the best ways for JIT-using applications to be marked appropriately
without requiring constant hassle for each application's developer or packager.
But that is neither here nor there (well maybe it's there, but it's not here).

The whole idea of the "targeted" policy is that it won't break your stuff
that worked without SELinux.  It only affects particular applications and
files that are in the "targeted" list.  If it weren't an important
requirement that people's existing, unlabeled applications of all sorts
keep working without new SELinux-specific effort, then everyone would be
happy to use a strict policy.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]