[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?

A levelezőm azt hiszi, hogy Richard Atterer a következőeket írta:
> Define "not important for security". ;-)
> Honestly, I can't see a reason not to allow every program to use 
> /dev/_u_random. SE Linux's default policy of disallowing everything by 
> default is a Good Thing, but cannot be an argument against enabling 
> something that would greatly improve overall system security.

It is also my opinion.

If we are low on entropy, there are several things that can help:
-an "entropy friendly" /dev/?random for "not so important for security"
-a way to use the proper random source based on policy. This means
 polyinstantiation support (like the "symlink add RC role" feature
 of rsbac. BTW how to achieve this with selinux?).
-a good hot cup of tee.

[1] At least there is a way to define in the filesystem namespace
object "very important for security". It is commonly called TCB (trusted
computing base), and it is something like the set of trusted binaries,
plus anything they need (libs, devs, etc.)

GNU GPL: csak tiszta forrásból

Reply to: