Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710
1 #
2 # This file is for the declaration of global tunables.
3 # To change the default value at build time, the booleans.conf
4 # file should be used.
5 #
6
7 ## <desc>
8 ## <p>
9 ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. It probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla.
10 ## </p>
11 ## </desc>
12 gen_tunable(allow_execheap,false)
13
14 ## <desc>
15 ## <p>
16 ## Allow unconfined executables to map a memory region as both executable and writable. This is dangerous, because data written into such a region can then be executed as code; the executable should be reported in bugzilla.
17 ## </p>
18 ## </desc>
19 gen_tunable(allow_execmem,false)
20
21 ## <desc>
22 ## <p>
23 ## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t.
24 ## </p>
25 ## </desc>
26 gen_tunable(allow_execmod,false)
27
28 ## <desc>
29 ## <p>
30 ## Allow unconfined executables to make their stack executable. This should never, ever be necessary. It probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla.
31 ## </p>
32 ## </desc>
33 gen_tunable(allow_execstack,false)
34
35 ## <desc>
36 ## <p>
37 ## Enable polyinstantiated directory support.
38 ## </p>
39 ## </desc>
40 gen_tunable(allow_polyinstantiation,false)
41
42 ## <desc>
43 ## <p>
44 ## Allow the system to run with NIS.
45 ## </p>
46 ## </desc>
47 gen_tunable(allow_ypbind,false)
48
49 ## <desc>
50 ## <p>
51 ## Enable reading of urandom for all domains.
52 ## </p>
53 ## <p>
54 ## This should be enabled when all programs
55 ## are compiled with ProPolice/SSP
56 ## stack smashing protection. All domains will
57 ## be allowed to read from /dev/urandom.
58 ## </p>
59 ## </desc>
60 gen_tunable(global_ssp,false)
61
62 ## <desc>
63 ## <p>
64 ## Allow email clients to read various content:
65 ## nfs, samba, removable devices, and user temp
66 ## files.
67 ## </p>
68 ## </desc>
69 gen_tunable(mail_read_content,false)
70
71 ## <desc>
72 ## <p>
73 ## Allow any files/directories to be exported read/write via NFS.
74 ## </p>
75 ## </desc>
76 gen_tunable(nfs_export_all_rw,false)
77
78 ## <desc>
79 ## <p>
80 ## Allow any files/directories to be exported read-only via NFS.
81 ## </p>
82 ## </desc>
83 gen_tunable(nfs_export_all_ro,false)
84
85 ## <desc>
86 ## <p>
87 ## Support NFS home directories
88 ## </p>
89 ## </desc>
90 gen_tunable(use_nfs_home_dirs,false)
91
92 ## <desc>
93 ## <p>
94 ## Support SAMBA home directories
95 ## </p>
96 ## </desc>
97 gen_tunable(use_samba_home_dirs,false)
98
99 ## <desc>
100 ## <p>
101 ## Allow users to run TCP servers (bind to ports and accept connections from
102 ## the same domain and outside users). Disabling this forces FTP passive mode
103 ## and may change other protocols.
104 ## </p>
105 ## </desc>
106 gen_tunable(user_tcp_server,false)