Add a boolean to turn off all instances of ptrace in the policy
1 #
2 # This file is for the declaration of global tunables.
3 # To change the default value at build time, the booleans.conf
4 # file should be used.
5 #
6
7 ## <desc>
8 ## <p>
9 ## Deny ptrace and debugging of other processes everywhere in the policy. When this boolean is off (the default), sysadm may debug or ptrace all processes.
10 ## </p>
11 ## </desc>
12 gen_tunable(deny_ptrace, false)
13
14 ## <desc>
15 ## <p>
16 ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea: it usually indicates a badly coded executable, but could indicate an attack. Such an executable should be reported in bugzilla.
17 ## </p>
18 ## </desc>
19 gen_tunable(allow_execheap,false)
20
21 ## <desc>
22 ## <p>
23 ## Allow unconfined executables to map a memory region as both executable and writable. This is dangerous, and the executable should be reported in bugzilla.
24 ## </p>
25 ## </desc>
26 gen_tunable(allow_execmem,false)
27
28 ## <desc>
29 ## <p>
30 ## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t.
31 ## </p>
32 ## </desc>
33 gen_tunable(allow_execmod,false)
34
35 ## <desc>
36 ## <p>
37 ## Allow unconfined executables to make their stack executable. This should never, ever be necessary: it usually indicates a badly coded executable, but could indicate an attack. Such an executable should be reported in bugzilla.
38 ## </p>
39 ## </desc>
40 gen_tunable(allow_execstack,false)
41
42 ## <desc>
43 ## <p>
44 ## Enable polyinstantiated directory support.
45 ## </p>
46 ## </desc>
47 gen_tunable(allow_polyinstantiation,false)
48
49 ## <desc>
50 ## <p>
51 ## Allow the system to run with NIS.
52 ## </p>
53 ## </desc>
54 gen_tunable(allow_ypbind,false)
55
56 ## <desc>
57 ## <p>
58 ## Allow logging in and using the system from /dev/console.
59 ## </p>
60 ## </desc>
61 gen_tunable(console_login,true)
62
63 ## <desc>
64 ## <p>
65 ## Enable reading of urandom for all domains.
66 ## </p>
67 ## <p>
68 ## This should be enabled when all programs
69 ## are compiled with ProPolice/SSP
70 ## stack smashing protection. All domains will
71 ## be allowed to read from /dev/urandom.
72 ## </p>
73 ## </desc>
74 gen_tunable(global_ssp,false)
75
76 ## <desc>
77 ## <p>
78 ## Allow any files/directories to be exported read/write via NFS.
79 ## </p>
80 ## </desc>
81 gen_tunable(nfs_export_all_rw,false)
82
83 ## <desc>
84 ## <p>
85 ## Allow any files/directories to be exported read-only via NFS.
86 ## </p>
87 ## </desc>
88 gen_tunable(nfs_export_all_ro,false)
89
90 ## <desc>
91 ## <p>
92 ## Support NFS home directories
93 ## </p>
94 ## </desc>
95 gen_tunable(use_nfs_home_dirs,false)
96
97 ## <desc>
98 ## <p>
99 ## Support SAMBA home directories
100 ## </p>
101 ## </desc>
102 gen_tunable(use_samba_home_dirs,false)
103
104 ## <desc>
105 ## <p>
106 ## Support fusefs home directories
107 ## </p>
108 ## </desc>
109 gen_tunable(use_fusefs_home_dirs,false)
110
111 ## <desc>
112 ## <p>
113 ## Allow users to run TCP servers (bind to ports and accept connections from
114 ## the same domain and outside users). Disabling this forces FTP passive mode
115 ## and may change other protocols.
116 ## </p>
117 ## </desc>
118 gen_tunable(user_tcp_server,false)
119
120 ## <desc>
121 ## <p>
122 ## Allow direct login to the console device. Required for System 390.
123 ## </p>
124 ## </desc>
125 gen_tunable(allow_console_login,false)
126