Can you just confine the Java interpreter itself or can you confine the Java *.jar package?
Confining the interpreter is not a good idea IMHO - that would be like confining bash or perl, which a) is not a good idea, b) can break other users of $interpreter, or c) requires a profile that allows everything every user of $interpreter needs - which means you won't have many restrictions left.
I'm not aware of a way to confine a *.jar (but, see above, I don't know much about Java).
I solved it now this way: I created a small wrapper script java-foo.sh with this content:

#!/bin/sh
java -jar /bin/foo.jar

then I confined the wrapper script java-foo.sh. Works well and has the advantage of having a profile for every individual *.jar package. As a basis I used abstractions/ubuntu-browsers.d/java and built a profile upon this abstraction. Works like a charm. I just don't know yet how to handle links in AA. I added /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/bin/java rix, to my profile, because I wasn't able to confine the link /usr/bin/java. Still need to learn proper link handling in AA...
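As an added illustration (not a profile posted in this thread), here is what a complete profile for the wrapper-script approach described above can look like. It assumes the wrapper is installed at /usr/local/bin/java-foo.sh (a hypothetical location; the thread does not say where the script lives) and that it runs under /bin/sh; the JVM path, the jar path and the ubuntu-browsers.d/java abstraction are the ones named above. It also answers the link question: AppArmor rules are matched against the path the kernel has already resolved, so a rule has to name the real binary, not the /usr/bin/java symlink, which is why the rix rule on the full JVM path works while a rule on /usr/bin/java does not.

```apparmor
# Added example profile for the wrapper approach; not taken from the thread.
# Assumes the wrapper lives at /usr/local/bin/java-foo.sh (hypothetical) and
# uses /bin/sh as its interpreter.
#include <tunables/global>

/usr/local/bin/java-foo.sh {
  #include <abstractions/base>
  #include <abstractions/ubuntu-browsers.d/java>

  # The wrapper is a shell script: the kernel execs the interpreter, so the
  # interpreter must be allowed to run inside this profile (ix = inherit).
  /bin/sh ix,
  /usr/local/bin/java-foo.sh r,

  # The JVM binary. AppArmor matches the resolved path, so the rule names the
  # real binary rather than the /usr/bin/java symlink. "ix" keeps the JVM, and
  # therefore the jar it loads, confined by this profile instead of running
  # unconfined or under some separate java profile.
  /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/bin/java rix,

  # Only this one jar is readable; a second jar gets its own wrapper script
  # and its own profile, which is the point of confining per jar.
  /bin/foo.jar r,

  # Whatever foo.jar itself needs (its config directory, network access, ...)
  # is added here after running the wrapper in complain mode and reviewing the
  # logged denials, rather than granting the JVM blanket access.
}
```

To try it, save the profile as /etc/apparmor.d/usr.local.bin.java-foo.sh, put it in complain mode with aa-complain on that file, run the wrapper, and promote it to enforce mode once the audit log shows no unexpected denials.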