gpg avc

[Russell Coker]

On Wed, 21 Apr 2004 12:49, Colin Walters <walters at redhat.com> wrote:
> I presume by the way there's a reason access to random_device_t is was
> originally denied - it prevents users from draining your good entropy by
> generating a ton of keys. On the other hand, if you have GPG installed

Actually when I gave different types to /dev/random and /dev/urandom we just 
sorted out which access each program seemed to need.  At the time GPG didn't 
seem to want /dev/random access.  If it wants it then it should get it.

> Maybe the right way is a resource constraint framework.  Anyways, do
> people think this is worth being made into a tunable or something?

I think that a resource constraint framework for entropy would be useful.  
However there are other ways of attacking the problem.

It seems that every desktop, laptop, and PDA shipped in the last few years has 
sound hardware.  The microphone that's built in to many machines can be used 
as a source of entropy, and even an unconnected line-in if sampled at 16bit 
will do reasonably well.  There is already policy 
for /usr/sbin/audio-entropyd to use this, if we get this packaged then maybe 
it would be the best solution to the problem?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page