trunk: Improve several tunables descriptions from Dan Walsh.

2007-12-07 15:44:53 +00:00 · 2007-12-07 15:44:53 +00:00 · dd9e1de35e
parent 09e21686ea
commit dd9e1de35e
11 changed files with 37 additions and 31 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+- Improve several tunables descriptions from Dan Walsh.
 - Patch to clean up ns switch usage in the policy from Dan Walsh.
 - More complete labeled networking infrastructure from KaiGai Kohei.
 - Add interface for libselinux constructor, for libselinux-linked
--- a/policy/global_tunables
+++ b/policy/global_tunables
@ -6,31 +6,28 @@

 ## <desc>
 ## <p>
-## Allow making the heap executable.
+## Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
 ## </p>
 ## </desc>
 gen_tunable(allow_execheap,false)

 ## <desc>
 ## <p>
-## Allow making anonymous memory executable, e.g. 
-## for runtime-code generation or executable stack.
+## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
 ## </p>
 ## </desc>
 gen_tunable(allow_execmem,false)

 ## <desc>
 ## <p>
-## Allow making a modified private file
-## mapping executable (text relocation).
+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
 ## </p>
 ## </desc>
 gen_tunable(allow_execmod,false)

 ## <desc>
 ## <p>
-## Allow making the stack executable via mprotect.
-## Also requires allow_execmem.
+## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
 ## </p>
 ## </desc>
 gen_tunable(allow_execstack,false)
@ -73,14 +70,14 @@ gen_tunable(mail_read_content,false)

 ## <desc>
 ## <p>
-## Allow nfs to be exported read/write.
+## Allow any files/directories to be exported read/write via NFS.
 ## </p>
 ## </desc>
 gen_tunable(nfs_export_all_rw,false)

 ## <desc>
 ## <p>
-## Allow nfs to be exported read only
+## Allow any files/directories to be exported read/only via NFS.
 ## </p>
 ## </desc>
 gen_tunable(nfs_export_all_ro,false)
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -23,7 +23,8 @@ policy_module(apache,1.8.4)
 ## <desc>
 ## <p>
 ## Allow Apache to modify public files
-## used for public file transfer services.
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_httpd_anon_write,false)
@ -44,14 +45,14 @@ gen_tunable(httpd_builtin_scripting,false)

 ## <desc>
 ## <p>
-## Allow http daemon to tcp connect
+## Allow HTTPD scripts and modules to connect to the network using TCP.
 ## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect,false)

 ## <desc>
 ## <p>
-## Allow httpd to connect to mysql/posgresql
+## Allow HTTPD scripts and modules to connect to databases over the network.
 ## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect_db, false)
@ -87,21 +88,23 @@ gen_tunable(httpd_enable_homedirs,false)

 ## <desc>
 ## <p>
-## Run SSI execs in system CGI script domain.
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
 ## </p>
 ## </desc>
 gen_tunable(httpd_ssi_exec,false)

 ## <desc>
 ## <p>
-## Allow http daemon to communicate with the TTY
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
 ## </p>
 ## </desc>
 gen_tunable(httpd_tty_comm,false)

 ## <desc>
 ## <p>
-## Run CGI in the main httpd domain
+## Unify HTTPD handling of all content files.
 ## </p>
 ## </desc>
 gen_tunable(httpd_unified,false)
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@ -9,7 +9,7 @@ policy_module(bind,1.5.2)
 ## <desc>
 ## <p>
 ## Allow BIND to write the master zone files.
-## Generally this is used for dynamic DNS.
+## Generally this is used for dynamic DNS or zone transfers.
 ## </p>
 ## </desc>
 gen_tunable(named_write_master_zones,false)
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@ -8,8 +8,9 @@ policy_module(ftp,1.6.1)

 ## <desc>
 ## <p>
-## Allow ftp servers to modify public files
-## used for public file transfer services.
+## Allow ftp servers to upload files,  used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_ftpd_anon_write,false)
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@ -8,7 +8,7 @@ policy_module(kerberos,1.5.1)

 ## <desc>
 ## <p>
-## Allow system to run with kerberos
+## Allow confined applications to run with kerberos.
 ## </p>
 ## </desc>
 gen_tunable(allow_kerberos,false)
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@ -8,7 +8,7 @@ policy_module(rpc,1.6.2)

 ## <desc>
 ## <p>
-## Allow gssd to read temp directory.
+## Allow gssd to read temp directory.  For access to kerberos tgt.
 ## </p>
 ## </desc>
 gen_tunable(allow_gssd_read_tmp,true)
@ -16,7 +16,8 @@ gen_tunable(allow_gssd_read_tmp,true)
 ## <desc>
 ## <p>
 ## Allow nfs servers to modify public files
-## used for public file transfer services.
+## used for public file transfer services.  Files/Directories must be
+## labeled public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_nfsd_anon_write,false)
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@ -8,7 +8,7 @@ policy_module(rsync,1.5.3)

 ## <desc>
 ## <p>
-## Allow rsync export files read only
+## Allow rsync to export any files/directories read only.
 ## </p>
 ## </desc>
 gen_tunable(rsync_export_all_ro,false)
@ -16,7 +16,8 @@ gen_tunable(rsync_export_all_ro,false)
 ## <desc>
 ## <p>
 ## Allow rsync to modify public files
-## used for public file transfer services.
+## used for public file transfer services.  Files/Directories must be
+## labeled public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_rsync_anon_write,false)
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@ -8,15 +8,17 @@ policy_module(samba,1.6.4)

 ## <desc>
 ## <p>
-## Allow samba to modify public files
-## used for public file transfer services.
+## Allow samba to modify public files used for public file
+## transfer services.  Files/Directories must be labeled
+## public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_smbd_anon_write,false)

 ## <desc>
 ## <p>
-## Allow samba to run as the domain controller; add machines to passwd file
+## Allow samba to act as the domain controller, add users,
+## groups and change passwords.
 ## 
 ## </p>
 ## </desc>
@ -24,21 +26,21 @@ gen_tunable(samba_domain_controller,false)

 ## <desc>
 ## <p>
-## Allow samba to export user home directories.
+## Allow samba to share users home directories.
 ## </p>
 ## </desc>
 gen_tunable(samba_enable_home_dirs,false)

 ## <desc>
 ## <p>
-## Export all files on system read only.
+## Allow samba to share any file/directory read only.
 ## </p>
 ## </desc>
 gen_tunable(samba_export_all_ro,false)

 ## <desc>
 ## <p>
-## Export all files on system read-write.
+## Allow samba to share any file/directory read/write.
 ## </p>
 ## </desc>
 gen_tunable(samba_export_all_rw,false)
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@ -8,7 +8,7 @@ policy_module(mount,1.8.2)

 ## <desc>
 ## <p>
-## Allow mount to mount any file
+## Allow the mount command to mount any directory or file.
 ## </p>
 ## </desc>
 gen_tunable(allow_mount_anyfile,false)
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@ -17,7 +17,7 @@ gen_require(`

 ## <desc>
 ## <p>
-## Allow sysadm to ptrace all processes
+## Allow sysadm to debug or ptrace all processes.
 ## </p>
 ## </desc>
 gen_tunable(allow_ptrace,false)