diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index f2ad12847..0d61a0ff1 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -20,9 +20,6 @@ gen_tunable(allow_execstack,false)
 ## used for public file transfer services.
 gen_tunable(allow_ftpd_anon_write,false)
 
-## Allow gpg executable stack
-gen_tunable(allow_gpg_execstack,false)
-
 ## Allow gssd to read temp directory.
 gen_tunable(allow_gssd_read_tmp,true)
 
@@ -44,22 +41,12 @@ gen_tunable(allow_saslauthd_read_shadow,false)
 ## used for public file transfer services.
 gen_tunable(allow_smbd_anon_write,false)
 
-## allow host key based authentication
-gen_tunable(allow_ssh_keysign,false)
-
 ## Allow sysadm to ptrace all processes
 gen_tunable(allow_ptrace,false)
 
-## Allow users to connect to mysql
-gen_tunable(allow_user_mysql_connect,false)
-
 ## Allow system to run with NIS
 gen_tunable(allow_ypbind,false)
 
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-gen_tunable(cron_can_relabel,false)
-
 ## Enable extra rules in the cron domain
 ## to support fcron.
 gen_tunable(fcron_crond,false)
@@ -104,26 +91,15 @@ gen_tunable(nfs_export_all_ro,false)
 ## Allow pppd to load kernel modules for certain modems
 gen_tunable(pppd_can_insmod,false)
 
-## Allow pppd to be run for a regular user
-gen_tunable(pppd_for_user,false)
-
 ## Allow reading of default_t files.
 gen_tunable(read_default_t,false)
 
-## Allow applications to read untrusted content
-## If this is disallowed, Internet content has
-## to be manually relabeled for read access to be granted
-gen_tunable(read_untrusted_content,false)
-
 ## Allow ssh to run from inetd instead of as a daemon.
 gen_tunable(run_ssh_inetd,false)
 
 ## Allow samba to export user home directories.
 gen_tunable(samba_enable_home_dirs,false)
 
-## Allow user spamassassin clients to use the network.
-gen_tunable(spamassassin_can_network,false)
-
 ## Allow squid to connect to all ports, not just
 ## HTTP, FTP, and Gopher ports.
 gen_tunable(squid_connect_any,false)
@@ -145,6 +121,39 @@ gen_tunable(use_nfs_home_dirs,false)
 ## Support SAMBA home directories
 gen_tunable(use_samba_home_dirs,false)
 
+## Control users use of ping and traceroute
+gen_tunable(user_ping,false)
+
+########################################
+#
+# Strict policy specific
+#
+
+ifdef(`targeted_policy',`',`
+## Allow gpg executable stack
+gen_tunable(allow_gpg_execstack,false)
+
+## allow host key based authentication
+gen_tunable(allow_ssh_keysign,false)
+
+## Allow users to connect to mysql
+gen_tunable(allow_user_mysql_connect,false)
+
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+gen_tunable(cron_can_relabel,false)
+
+## Allow pppd to be run for a regular user
+gen_tunable(pppd_for_user,false)
+
+## Allow applications to read untrusted content
+## If this is disallowed, Internet content has
+## to be manually relabeled for read access to be granted
+gen_tunable(read_untrusted_content,false)
+
+## Allow user spamassassin clients to use the network.
+gen_tunable(spamassassin_can_network,false)
+
 ## Allow regular users direct mouse access
 gen_tunable(user_direct_mouse,false)
 
@@ -155,9 +164,6 @@ gen_tunable(user_dmesg,false)
 ## (also needs USERCTL=true)
 gen_tunable(user_net_control,false)
 
-## Control users use of ping and traceroute
-gen_tunable(user_ping,false)
-
 ## Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
 gen_tunable(user_rw_noexattrfile,false)
 
@@ -176,3 +182,4 @@ gen_tunable(user_ttyfile_stat,false)
 ## If this is disallowed, no Internet content
 ## will be stored.
 gen_tunable(write_untrusted_content,false)
+')
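Review bot: Wrapping allow_gpg_execstack, allow_ssh_keysign, allow_user_mysql_connect, cron_can_relabel, pppd_for_user, read_untrusted_content, spamassassin_can_network and the user_* tunables in `ifdef(`targeted_policy',`',`...')` removes their declarations from the targeted build, but nothing in this commit shows the `tunable_policy()` uses of those booleans in the module .te files being guarded the same way; a targeted build that still references one of them would presumably fail at checkpolicy time on an undeclared boolean, so each referencing module should be checked (or wrapped in the same ifdef) before this lands. The "Strict policy specific" banner says where the block applies but not why, and a practitioner toggling these in `setsebool` would want to know: I would add `# These booleans only gate rules in domains that exist in strict policy; declaring them in targeted would expose settable booleans that control nothing.` below the banner. The closing `')` sits alone in the final hunk at the end of the file, so any tunable appended later must go above it or it silently becomes strict-only; a trailing `# end of strict-policy-only tunables` comment next to the `')` would make that boundary visible.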