summaryrefslogtreecommitdiff
blob: 7b7f5fed4c4c668a579e95cc4860fbef0bf8ee38 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
#
# This file is for the declaration of global tunables.
# To change the default value at build time, the booleans.conf
# file should be used.
#

## <desc>
## <p>
## Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execheap,false)

## <desc>
## <p>
## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
## </p>
## </desc>
gen_tunable(allow_execmem,false)

## <desc>
## <p>
## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
## </p>
## </desc>
gen_tunable(allow_execmod,false)

## <desc>
## <p>
## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
## </p>
## </desc>
gen_tunable(allow_execstack,false)

## <desc>
## <p>
## Allow raw memory device (/dev/mem, /dev/kmem, /dev/mergemem,
## dev/oldmem, /dev/port) access for confined executables.  This is
## extremely dangerous as it can bypass the SELinux protections, and
## should only be used by trusted domains.
## </p>
## </desc>
gen_tunable(allow_raw_memory_access,false)

## <desc>
## <p>
## Enable polyinstantiated directory support.
## </p>
## </desc>
gen_tunable(allow_polyinstantiation,false)

## <desc>
## <p>
## Allow system to run with NIS
## </p>
## </desc>
gen_tunable(allow_ypbind,false)

## <desc>
## <p>
## Allow logging in and using the system from /dev/console.
## </p>
## </desc>
gen_tunable(console_login,true)

## <desc>
## <p>
## Enable reading of urandom for all domains.
## </p>
## <p>
## This should be enabled when all programs
## are compiled with ProPolice/SSP
## stack smashing protection.  All domains will
## be allowed to read from /dev/urandom.
## </p>
## </desc>
gen_tunable(global_ssp,false)

## <desc>
## <p>
## Allow email client to various content.
## nfs, samba, removable devices, and user temp
## files
## </p>
## </desc>
gen_tunable(mail_read_content,false)

## <desc>
## <p>
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
gen_tunable(nfs_export_all_rw,false)

## <desc>
## <p>
## Allow any files/directories to be exported read/only via NFS.
## </p>
## </desc>
gen_tunable(nfs_export_all_ro,false)

## <desc>
## <p>
## Support NFS home directories
## </p>
## </desc>
gen_tunable(use_nfs_home_dirs,false)

## <desc>
## <p>
## Support SAMBA home directories
## </p>
## </desc>
gen_tunable(use_samba_home_dirs,false)

## <desc>
## <p>
## Allow users to run TCP servers (bind to ports and accept connection from
## the same domain and outside users)  disabling this forces FTP passive mode
## and may change other protocols.
## </p>
## </desc>
gen_tunable(user_tcp_server,false)

## <desc>
## <p>
## Allow users to run UDP servers (bind to ports and accept connection from
## the same domain and outside users)
## </p>
## </desc>
gen_tunable(user_udp_server,false)