selinux-policy/policy/global_tunables

132 lines
3.1 KiB
Plaintext

#
# This file is for the declaration of global tunables.
# To change the default value at build time, the booleans.conf
# file should be used.
#
## <desc>
## <p>
## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execheap,false)
## <desc>
## <p>
## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
## </p>
## </desc>
gen_tunable(allow_execmem,false)
## <desc>
## <p>
## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
## </p>
## </desc>
gen_tunable(allow_execmod,false)
## <desc>
## <p>
## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
## </p>
## </desc>
gen_tunable(allow_execstack,false)
## <desc>
## <p>
## Enable polyinstantiated directory support.
## </p>
## </desc>
gen_tunable(allow_polyinstantiation,false)
## <desc>
## <p>
## Allow system to run with NIS
## </p>
## </desc>
gen_tunable(allow_ypbind,false)
## <desc>
## <p>
## Enable reading of urandom for all domains.
## </p>
## <p>
## This should be enabled when all programs
## are compiled with ProPolice/SSP
## stack smashing protection. All domains will
## be allowed to read from /dev/urandom.
## </p>
## </desc>
gen_tunable(global_ssp,false)
## <desc>
## <p>
## Allow email client to various content.
## nfs, samba, removable devices, user temp
## and untrusted content files
## </p>
## </desc>
gen_tunable(mail_read_content,false)
## <desc>
## <p>
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
gen_tunable(nfs_export_all_rw,false)
## <desc>
## <p>
## Allow any files/directories to be exported read/only via NFS.
## </p>
## </desc>
gen_tunable(nfs_export_all_ro,false)
## <desc>
## <p>
## Allow reading of default_t files.
## </p>
## </desc>
gen_tunable(read_default_t,false)
## <desc>
## <p>
## Allow applications to read untrusted content
## If this is disallowed, Internet content has
## to be manually relabeled for read access to be granted
## </p>
## </desc>
gen_tunable(read_untrusted_content,false)
## <desc>
## <p>
## Support NFS home directories
## </p>
## </desc>
gen_tunable(use_nfs_home_dirs,false)
## <desc>
## <p>
## Support SAMBA home directories
## </p>
## </desc>
gen_tunable(use_samba_home_dirs,false)
## <desc>
## <p>
## Allow users to run TCP servers (bind to ports and accept connection from
## the same domain and outside users) disabling this forces FTP passive mode
## and may change other protocols.
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
## <desc>
## <p>
## Allow applications to write untrusted content
## If this is disallowed, no Internet content
## will be stored.
## </p>
## </desc>
gen_tunable(write_untrusted_content,false)