1 #
2 # This file is for the declaration of global tunables.
3 # To change the default value at build time, the booleans.conf
4 # file should be used.
5 #
6
7 ########################################
8 #
9 # Common tunables
10 #
11
12 ## <desc>
13 ## <p>
14 ## Allow cvs daemon to read shadow
15 ## </p>
16 ## </desc>
17 #
18 gen_tunable(allow_cvs_read_shadow,false)
19
20 ## <desc>
21 ## <p>
22 ## Allow the zebra daemon to write its configuration files
23 ## </p>
24 ## </desc>
25 #
26 gen_tunable(allow_zebra_write_config,false)
27
28 ## <desc>
29 ## <p>
30 ## Allow making the heap executable.
31 ## </p>
32 ## </desc>
33 gen_tunable(allow_execheap,false)
34
35 ## <desc>
36 ## <p>
37 ## Allow making anonymous memory executable, e.g.
38 ## for runtime-code generation or executable stack.
39 ## </p>
40 ## </desc>
41 gen_tunable(allow_execmem,false)
42
43 ## <desc>
44 ## <p>
45 ## Allow making a modified private file
46 ## mapping executable (text relocation).
47 ## </p>
48 ## </desc>
49 gen_tunable(allow_execmod,false)
50
51 ## <desc>
52 ## <p>
53 ## Allow making the stack executable via mprotect.
54 ## Also requires allow_execmem.
55 ## </p>
56 ## </desc>
57 gen_tunable(allow_execstack,false)
58
59 ## <desc>
60 ## <p>
61 ## Allow ftp servers to modify public files
62 ## used for public file transfer services.
63 ## </p>
64 ## </desc>
65 gen_tunable(allow_ftpd_anon_write,false)
66
67 ## <desc>
68 ## <p>
69 ## Allow ftp servers to use cifs file systems
70 ## for public file transfer services.
71 ## </p>
72 ## </desc>
73 gen_tunable(allow_ftpd_use_cifs,false)
74
75 ## <desc>
76 ## <p>
77 ## Allow ftp servers to use nfs file systems
78 ## for public file transfer services.
79 ## </p>
80 ## </desc>
81 gen_tunable(allow_ftpd_use_nfs,false)
82
83 ## <desc>
84 ## <p>
85 ## Allow gssd to read the temp directory.
86 ## </p>
87 ## </desc>
88 gen_tunable(allow_gssd_read_tmp,true)
89
90 ## <desc>
91 ## <p>
92 ## Allow Apache to modify public files
93 ## used for public file transfer services.
94 ## </p>
95 ## </desc>
96 gen_tunable(allow_httpd_anon_write,false)
97
98 ## <desc>
99 ## <p>
100 ## Allow Apache to use mod_auth_pam
101 ## </p>
102 ## </desc>
103 gen_tunable(allow_httpd_mod_auth_pam,false)
104
105 ## <desc>
106 ## <p>
107 ## Allow java executable stack
108 ## </p>
109 ## </desc>
110 gen_tunable(allow_java_execstack,false)
111
112 ## <desc>
113 ## <p>
114 ## Allow system to run with kerberos
115 ## </p>
116 ## </desc>
117 gen_tunable(allow_kerberos,false)
118
119 ## <desc>
120 ## <p>
121 ## Allow nfs servers to modify public files
122 ## used for public file transfer services.
123 ## </p>
124 ## </desc>
125 gen_tunable(allow_nfsd_anon_write,false)
126
127 ## <desc>
128 ## <p>
129 ## Allow rsync to modify public files
130 ## used for public file transfer services.
131 ## </p>
132 ## </desc>
133 gen_tunable(allow_rsync_anon_write,false)
134
135 ## <desc>
136 ## <p>
137 ## Allow sasl to read shadow
138 ## </p>
139 ## </desc>
140 gen_tunable(allow_saslauthd_read_shadow,false)
141
142 ## <desc>
143 ## <p>
144 ## Allow samba to modify public files
145 ## used for public file transfer services.
146 ## </p>
147 ## </desc>
148 gen_tunable(allow_smbd_anon_write,false)
149
150
151 ## <desc>
152 ## <p>
153 ## Allow system to run with NIS
154 ## </p>
155 ## </desc>
156 gen_tunable(allow_ypbind,false)
157
158 ## <desc>
159 ## <p>
160 ## Enable extra rules in the cron domain
161 ## to support fcron.
162 ## </p>
163 ## </desc>
164 gen_tunable(fcron_crond,false)
165
166 ## <desc>
167 ## <p>
168 ## Allow ftp to read and write files in the user home directories
169 ## </p>
170 ## </desc>
171 gen_tunable(ftp_home_dir,false)
172
173 ## <desc>
174 ## <p>
175 ## Allow ftpd to run directly without inetd
176 ## </p>
177 ## </desc>
178 gen_tunable(ftpd_is_daemon,false)
179
180 ## <desc>
181 ## <p>
182 ## Enable reading of urandom for all domains.
183 ## </p>
184 ## <p>
185 ## This should be enabled when all programs
186 ## are compiled with ProPolice/SSP
187 ## stack smashing protection. All domains will
188 ## be allowed to read from /dev/urandom.
189 ## </p>
190 ## </desc>
191 gen_tunable(global_ssp,false)
192
193 ## <desc>
194 ## <p>
195 ## Allow httpd to use built in scripting (usually php)
196 ## </p>
197 ## </desc>
198 gen_tunable(httpd_builtin_scripting,false)
199
200 ## <desc>
201 ## <p>
202 ## Allow the http daemon to make tcp connections
203 ## </p>
204 ## </desc>
205 gen_tunable(httpd_can_network_connect,false)
206
207 ## <desc>
208 ## <p>
209 ## Allow httpd to connect to mysql/postgresql
210 ## </p>
211 ## </desc>
212 gen_tunable(httpd_can_network_connect_db, false)
213
214 ## <desc>
215 ## <p>
216 ## Allow httpd to act as a relay
217 ## </p>
218 ## </desc>
219 gen_tunable(httpd_can_network_relay, false)
220
221 ## <desc>
222 ## <p>
223 ## Allow httpd cgi support
224 ## </p>
225 ## </desc>
226 gen_tunable(httpd_enable_cgi,false)
227
228 ## <desc>
229 ## <p>
230 ## Allow httpd to act as a FTP server by
231 ## listening on the ftp port.
232 ## </p>
233 ## </desc>
234 gen_tunable(httpd_enable_ftp_server,false)
235
236 ## <desc>
237 ## <p>
238 ## Allow httpd to read home directories
239 ## </p>
240 ## </desc>
241 gen_tunable(httpd_enable_homedirs,false)
242
243 ## <desc>
244 ## <p>
245 ## Run SSI execs in system CGI script domain.
246 ## </p>
247 ## </desc>
248 gen_tunable(httpd_ssi_exec,false)
249
250 ## <desc>
251 ## <p>
252 ## Allow http daemon to communicate with the TTY
253 ## </p>
254 ## </desc>
255 gen_tunable(httpd_tty_comm,false)
256
257 ## <desc>
258 ## <p>
259 ## Run CGI in the main httpd domain
260 ## </p>
261 ## </desc>
262 gen_tunable(httpd_unified,false)
263
264 ## <desc>
265 ## <p>
266 ## Allow BIND to write the master zone files.
267 ## Generally this is used for dynamic DNS.
268 ## </p>
269 ## </desc>
270 gen_tunable(named_write_master_zones,false)
271
272 ## <desc>
273 ## <p>
274 ## Allow nfs to be exported read/write.
275 ## </p>
276 ## </desc>
277 gen_tunable(nfs_export_all_rw,false)
278
279 ## <desc>
280 ## <p>
281 ## Allow nfs to be exported read only
282 ## </p>
283 ## </desc>
284 gen_tunable(nfs_export_all_ro,false)
285
286 ## <desc>
287 ## <p>
288 ## Allow pppd to load kernel modules for certain modems
289 ## </p>
290 ## </desc>
291 gen_tunable(pppd_can_insmod,false)
292
293 ## <desc>
294 ## <p>
295 ## Allow reading of default_t files.
296 ## </p>
297 ## </desc>
298 gen_tunable(read_default_t,false)
299
300 ## <desc>
301 ## <p>
302 ## Allow samba to export user home directories.
303 ## </p>
304 ## </desc>
305 gen_tunable(samba_enable_home_dirs,false)
306
307 ## <desc>
308 ## <p>
309 ## Allow samba to export NFS volumes.
310 ## </p>
311 ## </desc>
312 gen_tunable(samba_share_nfs,false)
313
314 ## <desc>
315 ## <p>
316 ## Allow squid to connect to all ports, not just
317 ## HTTP, FTP, and Gopher ports.
318 ## </p>
319 ## </desc>
320 gen_tunable(squid_connect_any,false)
321
322 ## <desc>
323 ## <p>
324 ## Configure stunnel to be a standalone daemon or
325 ## inetd service.
326 ## </p>
327 ## </desc>
328 gen_tunable(stunnel_is_daemon,false)
329
330 ## <desc>
331 ## <p>
332 ## Support NFS home directories
333 ## </p>
334 ## </desc>
335 gen_tunable(use_nfs_home_dirs,false)
336
337 ## <desc>
338 ## <p>
339 ## Support SAMBA home directories
340 ## </p>
341 ## </desc>
342 gen_tunable(use_samba_home_dirs,false)
343
344 ########################################
345 #
346 # Strict policy specific
347 #
348
349 ifdef(`strict_policy',`
350 ## <desc>
351 ## <p>
352 ## Control users' use of ping and traceroute
353 ## </p>
354 ## </desc>
355 gen_tunable(user_ping,false)
356
357 ## <desc>
358 ## <p>
359 ## Allow gpg executable stack
360 ## </p>
361 ## </desc>
362 gen_tunable(allow_gpg_execstack,false)
363
364 ## <desc>
365 ## <p>
366 ## Allow mplayer executable stack
367 ## </p>
368 ## </desc>
369 gen_tunable(allow_mplayer_execstack,false)
370
371 ## <desc>
372 ## <p>
373 ## Allow sysadm to ptrace all processes
374 ## </p>
375 ## </desc>
376 gen_tunable(allow_ptrace,false)
377
378 ## <desc>
379 ## <p>
380 ## Allow host-key-based authentication
381 ## </p>
382 ## </desc>
383 gen_tunable(allow_ssh_keysign,false)
384
385 ## <desc>
386 ## <p>
387 ## Allow users to connect to mysql
388 ## </p>
389 ## </desc>
390 gen_tunable(allow_user_mysql_connect,false)
391
392 ## <desc>
393 ## <p>
394 ## Allows clients to write to the X server shared
395 ## memory segments.
396 ## </p>
397 ## </desc>
398 gen_tunable(allow_write_xshm,false)
399
400 ## <desc>
401 ## <p>
402 ## Allow cdrecord to read various content.
403 ## nfs, samba, removable devices, user temp
404 ## and untrusted content files
405 ## </p>
406 ## </desc>
407 gen_tunable(cdrecord_read_content,false)
408
409 ## <desc>
410 ## <p>
411 ## Allow system cron jobs to relabel filesystem
412 ## for restoring file contexts.
413 ## </p>
414 ## </desc>
415 gen_tunable(cron_can_relabel,false)
416
417 ## <desc>
418 ## <p>
419 ## Force games to run in user_t
420 ## (disable the transition to the games domain).
421 ## </p>
422 ## </desc>
423 gen_tunable(disable_games_trans,false)
424
425 ## <desc>
426 ## <p>
427 ## Disable transitions to evolution domains.
428 ## </p>
429 ## </desc>
430 gen_tunable(disable_evolution_trans,false)
431
432 ## <desc>
433 ## <p>
434 ## Disable transitions to user mozilla domains
435 ## </p>
436 ## </desc>
437 gen_tunable(disable_mozilla_trans,false)
438
439 ## <desc>
440 ## <p>
441 ## Disable transitions to user thunderbird domains
442 ## </p>
443 ## </desc>
444 gen_tunable(disable_thunderbird_trans,false)
445
446 ## <desc>
447 ## <p>
448 ## Allow email clients to read various content.
449 ## nfs, samba, removable devices, user temp
450 ## and untrusted content files
451 ## </p>
452 ## </desc>
453 gen_tunable(mail_read_content,false)
454
455 ## <desc>
456 ## <p>
457 ## Control mozilla content access
458 ## </p>
459 ## </desc>
460 gen_tunable(mozilla_read_content,false)
461
462 ## <desc>
463 ## <p>
464 ## Allow pppd to be run for a regular user
465 ## </p>
466 ## </desc>
467 gen_tunable(pppd_for_user,false)
468
469 ## <desc>
470 ## <p>
471 ## Allow applications to read untrusted content
472 ## If this is disallowed, Internet content has
473 ## to be manually relabeled for read access to be granted
474 ## </p>
475 ## </desc>
476 gen_tunable(read_untrusted_content,false)
477
478 ## <desc>
479 ## <p>
480 ## Allow ssh to run from inetd instead of as a daemon.
481 ## </p>
482 ## </desc>
483 gen_tunable(run_ssh_inetd,false)
484
485 ## <desc>
486 ## <p>
487 ## Allow user spamassassin clients to use the network.
488 ## </p>
489 ## </desc>
490 gen_tunable(spamassassin_can_network,false)
491
492 ## <desc>
493 ## <p>
494 ## Allow ssh logins as sysadm_r:sysadm_t
495 ## </p>
496 ## </desc>
497 gen_tunable(ssh_sysadm_login,false)
498
499 ## <desc>
500 ## <p>
501 ## Allow staff_r users to search the sysadm home
502 ## dir and read files (such as ~/.bashrc)
503 ## </p>
504 ## </desc>
505 gen_tunable(staff_read_sysadm_file,false)
506
507 ## <desc>
508 ## <p>
509 ## Allow regular users direct mouse access
510 ## </p>
511 ## </desc>
512 gen_tunable(user_direct_mouse,false)
513
514 ## <desc>
515 ## <p>
516 ## Allow users to read system messages.
517 ## </p>
518 ## </desc>
519 gen_tunable(user_dmesg,false)
520
521 ## <desc>
522 ## <p>
523 ## Allow users to control network interfaces
524 ## (also needs USERCTL=true)
525 ## </p>
526 ## </desc>
527 gen_tunable(user_net_control,false)
528
529 ## <desc>
530 ## <p>
531 ## Allow users to read/write files on filesystems
532 ## that do not have extended attributes (FAT, CDROM, FLOPPY).
533 ## </p>
534 ## </desc>
535 gen_tunable(user_rw_noexattrfile,false)
536
537 ## <desc>
538 ## <p>
539 ## Allow users to run TCP servers (bind to ports and accept connections from
540 ## the same domain and outside users). Disabling this forces FTP passive mode
541 ## and may change other protocols.
542 ## </p>
543 ## </desc>
544 gen_tunable(user_tcp_server,false)
545
546 ## <desc>
547 ## <p>
548 ## Allow the w command to display everyone
549 ## </p>
550 ## </desc>
551 gen_tunable(user_ttyfile_stat,false)
552
553 ## <desc>
554 ## <p>
555 ## Allow applications to write untrusted content
556 ## If this is disallowed, no Internet content
557 ## will be stored.
558 ## </p>
559 ## </desc>
560 gen_tunable(write_untrusted_content,false)
561
562 ## <desc>
563 ## <p>
564 ## Allow xdm logins as sysadm
565 ## </p>
566 ## </desc>
567 gen_tunable(xdm_sysadm_login,false)
568 ')
569
570 ########################################
571 #
572 # Targeted policy specific
573 #
574
575 ifdef(`targeted_policy',`
576 ## <desc>
577 ## <p>
578 ## Allow mount to mount any file
579 ## </p>
580 ## </desc>
581 gen_tunable(allow_mount_anyfile,false)
582
583 ## <desc>
584 ## <p>
585 ## Allow spamd to read/write user home directories.
586 ## </p>
587 ## </desc>
588 gen_tunable(spamd_enable_home_dirs,true)
589 ')