2 # This file is for the declaration of global tunables.
3 # To change the default value at build time, the booleans.conf
7 ########################################
14 ## Allow cvs daemon to read shadow
18 gen_tunable(allow_cvs_read_shadow,false)
22 ## Allow zebra daemon to write its configuration files
26 gen_tunable(allow_zebra_write_config,false)
30 ## Allow making the heap executable.
33 gen_tunable(allow_execheap,false)
37 ## Allow making anonymous memory executable, e.g.
38 ## for runtime-code generation or executable stack.
41 gen_tunable(allow_execmem,false)
45 ## Allow making a modified private file
46 ## mapping executable (text relocation).
49 gen_tunable(allow_execmod,false)
53 ## Allow making the stack executable via mprotect.
54 ## Also requires allow_execmem.
57 gen_tunable(allow_execstack,false)
61 ## Allow ftp servers to modify public files
62 ## used for public file transfer services.
65 gen_tunable(allow_ftpd_anon_write,false)
69 ## Allow ftp servers to use cifs
70 ## used for public file transfer services.
73 gen_tunable(allow_ftpd_use_cifs,false)
77 ## Allow ftp servers to use nfs
78 ## used for public file transfer services.
81 gen_tunable(allow_ftpd_use_nfs,false)
85 ## Allow gssd to read temp directory.
88 gen_tunable(allow_gssd_read_tmp,true)
92 ## Allow Apache to modify public files
93 ## used for public file transfer services.
96 gen_tunable(allow_httpd_anon_write,false)
100 ## Allow Apache to use mod_auth_pam
103 gen_tunable(allow_httpd_mod_auth_pam,false)
107 ## Allow java executable stack
110 gen_tunable(allow_java_execstack,false)
114 ## Allow system to run with kerberos
117 gen_tunable(allow_kerberos,false)
121 ## Allow nfs servers to modify public files
122 ## used for public file transfer services.
125 gen_tunable(allow_nfsd_anon_write,false)
129 ## Allow rsync to modify public files
130 ## used for public file transfer services.
133 gen_tunable(allow_rsync_anon_write,false)
137 ## Allow sasl to read shadow
140 gen_tunable(allow_saslauthd_read_shadow,false)
144 ## Allow samba to modify public files
145 ## used for public file transfer services.
148 gen_tunable(allow_smbd_anon_write,false)
153 ## Allow system to run with NIS
156 gen_tunable(allow_ypbind,false)
160 ## Enable extra rules in the cron domain
164 gen_tunable(fcron_crond,false)
168 ## Allow ftp to read and write files in the user home directories
171 gen_tunable(ftp_home_dir,false)
175 ## Allow ftpd to run directly without inetd
178 gen_tunable(ftpd_is_daemon,false)
182 ## Enable reading of urandom for all domains.
185 ## This should be enabled when all programs
186 ## are compiled with ProPolice/SSP
187 ## stack smashing protection. All domains will
188 ## be allowed to read from /dev/urandom.
191 gen_tunable(global_ssp,false)
195 ## Allow httpd to use built in scripting (usually php)
198 gen_tunable(httpd_builtin_scripting,false)
202 ## Allow http daemon to tcp connect
205 gen_tunable(httpd_can_network_connect,false)
209 ## Allow httpd to connect to mysql/postgresql
212 gen_tunable(httpd_can_network_connect_db, false)
216 ## Allow httpd to act as a relay
219 gen_tunable(httpd_can_network_relay, false)
223 ## Allow httpd cgi support
226 gen_tunable(httpd_enable_cgi,false)
230 ## Allow httpd to act as a FTP server by
231 ## listening on the ftp port.
234 gen_tunable(httpd_enable_ftp_server,false)
238 ## Allow httpd to read home directories
241 gen_tunable(httpd_enable_homedirs,false)
245 ## Run SSI execs in system CGI script domain.
248 gen_tunable(httpd_ssi_exec,false)
252 ## Allow http daemon to communicate with the TTY
255 gen_tunable(httpd_tty_comm,false)
259 ## Run CGI in the main httpd domain
262 gen_tunable(httpd_unified,false)
266 ## Allow BIND to write the master zone files.
267 ## Generally this is used for dynamic DNS.
270 gen_tunable(named_write_master_zones,false)
274 ## Allow nfs to be exported read/write.
277 gen_tunable(nfs_export_all_rw,false)
281 ## Allow nfs to be exported read only
284 gen_tunable(nfs_export_all_ro,false)
288 ## Allow pppd to load kernel modules for certain modems
291 gen_tunable(pppd_can_insmod,false)
295 ## Allow reading of default_t files.
298 gen_tunable(read_default_t,false)
302 ## Allow samba to export user home directories.
305 gen_tunable(samba_enable_home_dirs,false)
309 ## Allow samba to export NFS volumes.
312 gen_tunable(samba_share_nfs,false)
316 ## Allow squid to connect to all ports, not just
317 ## HTTP, FTP, and Gopher ports.
320 gen_tunable(squid_connect_any,false)
324 ## Configure stunnel to be a standalone daemon or
328 gen_tunable(stunnel_is_daemon,false)
332 ## Support NFS home directories
335 gen_tunable(use_nfs_home_dirs,false)
339 ## Support SAMBA home directories
342 gen_tunable(use_samba_home_dirs,false)
344 ########################################
346 # Strict policy specific
349 ifdef(`strict_policy',`
352 ## Control users' use of ping and traceroute
355 gen_tunable(user_ping,false)
359 ## Allow gpg executable stack
362 gen_tunable(allow_gpg_execstack,false)
366 ## Allow mplayer executable stack
369 gen_tunable(allow_mplayer_execstack,false)
373 ## Allow sysadm to ptrace all processes
376 gen_tunable(allow_ptrace,false)
380 ## Allow host-key-based authentication
383 gen_tunable(allow_ssh_keysign,false)
387 ## Allow users to connect to mysql
390 gen_tunable(allow_user_mysql_connect,false)
394 ## Allows clients to write to the X server shared
398 gen_tunable(allow_write_xshm,false)
402 ## Allow cdrecord to read various content.
403 ## nfs, samba, removable devices, user temp
404 ## and untrusted content files
407 gen_tunable(cdrecord_read_content,false)
411 ## Allow system cron jobs to relabel filesystem
412 ## for restoring file contexts.
415 gen_tunable(cron_can_relabel,false)
419 ## Force games to run in user_t
420 ## instead of transitioning to a games domain.
423 gen_tunable(disable_games_trans,false)
427 ## Disable transitions to evolution domains.
430 gen_tunable(disable_evolution_trans,false)
434 ## Disable transitions to user mozilla domains
437 gen_tunable(disable_mozilla_trans,false)
441 ## Disable transitions to user thunderbird domains
444 gen_tunable(disable_thunderbird_trans,false)
448 ## Allow email client to read various content.
449 ## nfs, samba, removable devices, user temp
450 ## and untrusted content files
453 gen_tunable(mail_read_content,false)
457 ## Control mozilla content access
460 gen_tunable(mozilla_read_content,false)
464 ## Allow pppd to be run for a regular user
467 gen_tunable(pppd_for_user,false)
471 ## Allow applications to read untrusted content
472 ## If this is disallowed, Internet content has
473 ## to be manually relabeled for read access to be granted
476 gen_tunable(read_untrusted_content,false)
480 ## Allow ssh to run from inetd instead of as a daemon.
483 gen_tunable(run_ssh_inetd,false)
487 ## Allow user spamassassin clients to use the network.
490 gen_tunable(spamassassin_can_network,false)
494 ## Allow ssh logins as sysadm_r:sysadm_t
497 gen_tunable(ssh_sysadm_login,false)
501 ## Allow staff_r users to search the sysadm home
502 ## dir and read files (such as ~/.bashrc)
505 gen_tunable(staff_read_sysadm_file,false)
509 ## Allow regular users direct mouse access
512 gen_tunable(user_direct_mouse,false)
516 ## Allow users to read system messages.
519 gen_tunable(user_dmesg,false)
523 ## Allow users to control network interfaces
524 ## (also needs USERCTL=true)
527 gen_tunable(user_net_control,false)
531 ## Allow users to read/write files on filesystems
532 ## that do not have extended attributes (FAT, CDROM, FLOPPY)
535 gen_tunable(user_rw_noexattrfile,false)
539 ## Allow users to run TCP servers (bind to ports and accept connections from
540 ## the same domain and outside users). Disabling this forces FTP passive mode
541 ## and may change other protocols.
544 gen_tunable(user_tcp_server,false)
548 ## Allow w to display all logged-in users
551 gen_tunable(user_ttyfile_stat,false)
555 ## Allow applications to write untrusted content
556 ## If this is disallowed, no Internet content
560 gen_tunable(write_untrusted_content,false)
564 ## Allow xdm logins as sysadm
567 gen_tunable(xdm_sysadm_login,false)
570 ########################################
572 # Targeted policy specific
575 ifdef(`targeted_policy',`
578 ## Allow mount to mount any file
581 gen_tunable(allow_mount_anyfile,false)
585 ## Allow spamd to read/write user home directories.
588 gen_tunable(spamd_enable_home_dirs,true)