Re: FC4T1: Firefox & Java

On Sun, 2005-04-03 at 19:54 -0700, Anthony Green wrote:
> On Sun, 2005-04-03 at 21:29 +0200, Roger Grosswiler wrote:
> > Since there is a kind of Java-Support with GCJ in FC4T1, shouldn't we
> > better use this??? If yes, how to?
> 
> See gcjwebplugin:  http://www.nongnu.org/gcjwebplugin/
> 
> The big problem with this today is that gcj has known problems with its
> sandbox security implementation.  We need to fix those problems and do a
> full audit of libgcj before it makes sense to package gcjwebplugin.
> 
> I'm not fully aware of SELinux's capabilities yet, but I wonder if it's
> possible to sandbox our current libgcj for gcjwebplugin by writing
> strict SELinux policy.  Does anybody know?

Depends on the desired granularity of protection and the extent to which
the current architecture uses separate processes and exec-based
transitions (although the latter is less of a constraint now that
SELinux supports dynamic context transitions, I suppose).

Ultimately, you want a SELinux-aware jvm that uses the SELinux API to
get policy decisions and apply them to its internal resources for finer-
grained control as well as using the SELinux kernel controls to confine
the entire process.
 
-- 
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency
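
Added example, not part of the original message or of gcj/gcjwebplugin: a sketch of the "SELinux-aware JVM" idea above, in which a runtime maps its own permission checks onto SELinux class/permission pairs and asks libselinux (`selinux_check_access`, called through ctypes) for the decision. The mapping table, the `gcjapplet_t` domain and the sample contexts are assumptions made for illustration.

```python
import ctypes

# Assumed mapping from Java permission checks to SELinux (class, permission)
# pairs. The SELinux class and permission names are standard ones; the choice
# of which Java check maps to which pair is this example's own.
JAVA_TO_SELINUX = {
    ("java.io.FilePermission", "read"): ("file", "read"),
    ("java.io.FilePermission", "write"): ("file", "write"),
    ("java.io.FilePermission", "delete"): ("file", "unlink"),
    ("java.net.SocketPermission", "connect"): ("tcp_socket", "connect"),
    ("java.net.SocketPermission", "listen"): ("tcp_socket", "listen"),
}

def load_libselinux():
    """Return a libselinux handle, or None when the library is unavailable."""
    try:
        lib = ctypes.CDLL("libselinux.so.1", use_errno=True)
        lib.selinux_check_access.argtypes = [ctypes.c_char_p] * 4 + [ctypes.c_void_p]
        lib.selinux_check_access.restype = ctypes.c_int
        lib.is_selinux_enabled.restype = ctypes.c_int
    except (OSError, AttributeError):
        return None
    return lib

def applet_may(lib, applet_con, target_con, java_perm, action):
    """Fail-closed decision for one request made by untrusted applet code."""
    mapped = JAVA_TO_SELINUX.get((java_perm, action))
    if mapped is None:
        return False  # no SELinux equivalent defined: deny
    if lib is None or lib.is_selinux_enabled() != 1:
        return False  # no policy to consult: deny rather than run unconfined
    tclass, perm = mapped
    # selinux_check_access() returns 0 when policy grants the permission and
    # -1 on denial or error (for example, a context unknown to the policy).
    rc = lib.selinux_check_access(applet_con.encode(), target_con.encode(),
                                  tclass.encode(), perm.encode(), None)
    return rc == 0

if __name__ == "__main__":
    lib = load_libselinux()
    applet = "user_u:user_r:gcjapplet_t:s0"    # hypothetical applet domain
    home = "system_u:object_r:user_home_t:s0"  # constructed sample target
    for java_perm, action in [("java.io.FilePermission", "read"),
                              ("java.io.FilePermission", "delete"),
                              ("java.lang.RuntimePermission", "exitVM")]:
        verdict = applet_may(lib, applet, home, java_perm, action)
        print(java_perm, action, "->", "allow" if verdict else "deny")
```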

