trunk: Improve several tunables descriptions from Dan Walsh.
This commit is contained in:
parent
09e21686ea
commit
dd9e1de35e
|
@ -1,3 +1,4 @@
|
||||||
|
- Improve several tunables descriptions from Dan Walsh.
|
||||||
- Patch to clean up ns switch usage in the policy from Dan Walsh.
|
- Patch to clean up ns switch usage in the policy from Dan Walsh.
|
||||||
- More complete labeled networking infrastructure from KaiGai Kohei.
|
- More complete labeled networking infrastructure from KaiGai Kohei.
|
||||||
- Add interface for libselinux constructor, for libselinux-linked
|
- Add interface for libselinux constructor, for libselinux-linked
|
||||||
|
|
|
@ -6,31 +6,28 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow making the heap executable.
|
## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_execheap,false)
|
gen_tunable(allow_execheap,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow making anonymous memory executable, e.g.
|
## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
|
||||||
## for runtime-code generation or executable stack.
|
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_execmem,false)
|
gen_tunable(allow_execmem,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow making a modified private file
|
## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
|
||||||
## mapping executable (text relocation).
|
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_execmod,false)
|
gen_tunable(allow_execmod,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow making the stack executable via mprotect.
|
## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
|
||||||
## Also requires allow_execmem.
|
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_execstack,false)
|
gen_tunable(allow_execstack,false)
|
||||||
|
@ -73,14 +70,14 @@ gen_tunable(mail_read_content,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow nfs to be exported read/write.
|
## Allow any files/directories to be exported read/write via NFS.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(nfs_export_all_rw,false)
|
gen_tunable(nfs_export_all_rw,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow nfs to be exported read only
|
## Allow any files/directories to be exported read/only via NFS.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(nfs_export_all_ro,false)
|
gen_tunable(nfs_export_all_ro,false)
|
||||||
|
|
|
@ -23,7 +23,8 @@ policy_module(apache,1.8.4)
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow Apache to modify public files
|
## Allow Apache to modify public files
|
||||||
## used for public file transfer services.
|
## used for public file transfer services. Directories/Files must
|
||||||
|
## be labeled public_content_rw_t.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_httpd_anon_write,false)
|
gen_tunable(allow_httpd_anon_write,false)
|
||||||
|
@ -44,14 +45,14 @@ gen_tunable(httpd_builtin_scripting,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow http daemon to tcp connect
|
## Allow HTTPD scripts and modules to connect to the network using TCP.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(httpd_can_network_connect,false)
|
gen_tunable(httpd_can_network_connect,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow httpd to connect to mysql/posgresql
|
## Allow HTTPD scripts and modules to connect to databases over the network.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(httpd_can_network_connect_db, false)
|
gen_tunable(httpd_can_network_connect_db, false)
|
||||||
|
@ -87,21 +88,23 @@ gen_tunable(httpd_enable_homedirs,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Run SSI execs in system CGI script domain.
|
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(httpd_ssi_exec,false)
|
gen_tunable(httpd_ssi_exec,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow http daemon to communicate with the TTY
|
## Unify HTTPD to communicate with the terminal.
|
||||||
|
## Needed for entering the passphrase for certificates at
|
||||||
|
## the terminal.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(httpd_tty_comm,false)
|
gen_tunable(httpd_tty_comm,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Run CGI in the main httpd domain
|
## Unify HTTPD handling of all content files.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(httpd_unified,false)
|
gen_tunable(httpd_unified,false)
|
||||||
|
|
|
@ -9,7 +9,7 @@ policy_module(bind,1.5.2)
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow BIND to write the master zone files.
|
## Allow BIND to write the master zone files.
|
||||||
## Generally this is used for dynamic DNS.
|
## Generally this is used for dynamic DNS or zone transfers.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(named_write_master_zones,false)
|
gen_tunable(named_write_master_zones,false)
|
||||||
|
|
|
@ -8,8 +8,9 @@ policy_module(ftp,1.6.1)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow ftp servers to modify public files
|
## Allow ftp servers to upload files, used for public file
|
||||||
## used for public file transfer services.
|
## transfer services. Directories must be labeled
|
||||||
|
## public_content_rw_t.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_ftpd_anon_write,false)
|
gen_tunable(allow_ftpd_anon_write,false)
|
||||||
|
|
|
@ -8,7 +8,7 @@ policy_module(kerberos,1.5.1)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow system to run with kerberos
|
## Allow confined applications to run with kerberos.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_kerberos,false)
|
gen_tunable(allow_kerberos,false)
|
||||||
|
|
|
@ -8,7 +8,7 @@ policy_module(rpc,1.6.2)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow gssd to read temp directory.
|
## Allow gssd to read temp directory. For access to kerberos tgt.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_gssd_read_tmp,true)
|
gen_tunable(allow_gssd_read_tmp,true)
|
||||||
|
@ -16,7 +16,8 @@ gen_tunable(allow_gssd_read_tmp,true)
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow nfs servers to modify public files
|
## Allow nfs servers to modify public files
|
||||||
## used for public file transfer services.
|
## used for public file transfer services. Files/Directories must be
|
||||||
|
## labeled public_content_rw_t.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_nfsd_anon_write,false)
|
gen_tunable(allow_nfsd_anon_write,false)
|
||||||
|
|
|
@ -8,7 +8,7 @@ policy_module(rsync,1.5.3)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow rsync export files read only
|
## Allow rsync to export any files/directories read only.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(rsync_export_all_ro,false)
|
gen_tunable(rsync_export_all_ro,false)
|
||||||
|
@ -16,7 +16,8 @@ gen_tunable(rsync_export_all_ro,false)
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow rsync to modify public files
|
## Allow rsync to modify public files
|
||||||
## used for public file transfer services.
|
## used for public file transfer services. Files/Directories must be
|
||||||
|
## labeled public_content_rw_t.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_rsync_anon_write,false)
|
gen_tunable(allow_rsync_anon_write,false)
|
||||||
|
|
|
@ -8,15 +8,17 @@ policy_module(samba,1.6.4)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow samba to modify public files
|
## Allow samba to modify public files used for public file
|
||||||
## used for public file transfer services.
|
## transfer services. Files/Directories must be labeled
|
||||||
|
## public_content_rw_t.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_smbd_anon_write,false)
|
gen_tunable(allow_smbd_anon_write,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow samba to run as the domain controller; add machines to passwd file
|
## Allow samba to act as the domain controller, add users,
|
||||||
|
## groups and change passwords.
|
||||||
##
|
##
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
|
@ -24,21 +26,21 @@ gen_tunable(samba_domain_controller,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow samba to export user home directories.
|
## Allow samba to share users home directories.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(samba_enable_home_dirs,false)
|
gen_tunable(samba_enable_home_dirs,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Export all files on system read only.
|
## Allow samba to share any file/directory read only.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(samba_export_all_ro,false)
|
gen_tunable(samba_export_all_ro,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Export all files on system read-write.
|
## Allow samba to share any file/directory read/write.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(samba_export_all_rw,false)
|
gen_tunable(samba_export_all_rw,false)
|
||||||
|
|
|
@ -8,7 +8,7 @@ policy_module(mount,1.8.2)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow mount to mount any file
|
## Allow the mount command to mount any directory or file.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_mount_anyfile,false)
|
gen_tunable(allow_mount_anyfile,false)
|
||||||
|
|
|
@ -17,7 +17,7 @@ gen_require(`
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow sysadm to ptrace all processes
|
## Allow sysadm to debug or ptrace all processes.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_ptrace,false)
|
gen_tunable(allow_ptrace,false)
|
||||||
|
|
Loading…
Reference in New Issue