Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?

To: Richard Atterer <richard@list04.atterer.net>, debian-devel@lists.debian.org
Subject: Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?
From: Magosányi Árpád <mag@bunuel.tii.matav.hu>
Date: Sun, 4 Jan 2004 19:42:53 +0000
Message-id: <[🔎] 20040104194253.GA15389@bunuel.tii.matav.hu>
In-reply-to: <[🔎] 20040104130152.GC32523@nenya.lan>
References: <200312181128.NAA12752@home.ntrl.net> <[🔎] 200401042231.40765.russell@coker.com.au> <[🔎] 20040104115924.GA8139@steve.org.uk> <[🔎] 200401042304.16073.russell@coker.com.au> <[🔎] 20040104130152.GC32523@nenya.lan>

A levelezőm azt hiszi, hogy Richard Atterer a következőeket írta:
> Define "not important for security". ;-)
> 
> Honestly, I can't see a reason not to allow every program to use 
> /dev/_u_random. SE Linux's default policy of disallowing everything by 
> default is a Good Thing, but cannot be an argument against enabling 
> something that would greatly improve overall system security.


It is also my opinion.

If we are low on entropy, there are several things that can help:
-an "entropy friendly" /dev/?random for "not so important for security"
 programs[1].
-a way to use the proper random source based on policy. This means
 polyinstantiation support (like the "symlink add RC role" feature
 of rsbac. BTW how to achieve this with selinux?).
-a good hot cup of tee.

[1] At least there is a way to define in the filesystem namespace
object "very important for security". It is commonly called TCB (trusted
computing base), and it is something like the set of trusted binaries,
plus anything they need (libs, devs, etc.)

-- 
GNU GPL: csak tiszta forrásból

Reply to:

Follow-Ups:
- Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: John Hasler <john@dhh.gt.org>
- Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: Russell Coker <russell@coker.com.au>

References:
- Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: Russell Coker <russell@coker.com.au>
- Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: Steve Kemp <skx@debian.org>
- Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: Russell Coker <russell@coker.com.au>
- Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: Richard Atterer <richard@list04.atterer.net>

Prev by Date: Re: python again
Next by Date: Re: Re: MIA, Incompetent and holiday-loving maintainers (was: Request for NMUs.)
Previous by thread: Re: SSP for Debian unstable. was Re: security enhanced debian branch?
Next by thread: Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?
Index(es):
- Date
- Thread