Diffstat (limited to 'policy/booleans.conf')
-rw-r--r-- | policy/booleans.conf | 793 |
1 files changed, 793 insertions, 0 deletions
diff --git a/policy/booleans.conf b/policy/booleans.conf
new file mode 100644
index 00000000..5dd0bf5a
--- /dev/null
+++ b/policy/booleans.conf
@@ -0,0 +1,793 @@
+#
+# Disable kernel module loading.
+#
+secure_mode_insmod = false
+
+#
+# Boolean to determine whether the system permits loading policy, setting
+# enforcing mode, and changing boolean values. Set this to true and you
+# have to reboot to set it back.
+#
+secure_mode_policyload = false
+
+#
+# Enabling secure mode disallows programs, such as
+# newrole, from transitioning to administrative
+# user domains.
+#
+secure_mode = false
+
+#
+# Control users use of ping and traceroute
+#
+user_ping = false
+
+#
+# Allow Apache to modify public files
+# used for public file transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+allow_httpd_anon_write = false
+
+#
+# Allow Apache to use mod_auth_pam
+#
+allow_httpd_mod_auth_pam = false
+
+#
+# Allow httpd to use built in scripting (usually php)
+#
+httpd_builtin_scripting = false
+
+#
+# Allow HTTPD scripts and modules to connect to the network using TCP.
+#
+httpd_can_network_connect = false
+
+#
+# Allow HTTPD scripts and modules to connect to databases over the network.
+#
+httpd_can_network_connect_db = false
+
+#
+# Allow httpd to act as a relay
+#
+httpd_can_network_relay = false
+
+#
+# Allow http daemon to send mail
+#
+httpd_can_sendmail = false
+
+#
+# Allow Apache to communicate with avahi service via dbus
+#
+httpd_dbus_avahi = false
+
+#
+# Allow httpd cgi support
+#
+httpd_enable_cgi = false
+
+#
+# Allow httpd to act as a FTP server by
+# listening on the ftp port.
+#
+httpd_enable_ftp_server = false
+
+#
+# Allow httpd to read home directories
+#
+httpd_enable_homedirs = false
+
+#
+# Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+#
+httpd_ssi_exec = false
+
+#
+# Unify HTTPD to communicate with the terminal.
+# Needed for entering the passphrase for certificates at
+# the terminal.
+#
+httpd_tty_comm = false
+
+#
+# Unify HTTPD handling of all content files.
+#
+httpd_unified = false
+
+#
+# Allow httpd to access cifs file systems
+#
+httpd_use_cifs = false
+
+#
+# Allow httpd to run gpg
+#
+httpd_use_gpg = false
+
+#
+# Allow httpd to access nfs file systems
+#
+httpd_use_nfs = false
+
+#
+# Allow BIND to write the master zone files.
+# Generally this is used for dynamic DNS or zone transfers.
+#
+named_write_master_zones = false
+
+#
+# Allow cdrecord to read various content.
+# nfs, samba, removable devices, user temp
+# and untrusted content files
+#
+cdrecord_read_content = false
+
+#
+# Allow clamd to use JIT compiler
+#
+clamd_use_jit = false
+
+#
+# Allow Cobbler to modify public files
+# used for public file transfer services.
+#
+cobbler_anon_write = false
+
+#
+# Allow system cron jobs to relabel filesystem
+# for restoring file contexts.
+#
+cron_can_relabel = false
+
+#
+# Enable extra rules in the cron domain
+# to support fcron.
+#
+fcron_crond = false
+
+#
+# Allow cvs daemon to read shadow
+#
+allow_cvs_read_shadow = false
+
+#
+# Allow dbadm to manage files in users home directories
+#
+dbadm_manage_user_files = false
+
+#
+# Allow dbadm to read files in users home directories
+#
+dbadm_read_user_files = false
+
+#
+# Allow the use of the audio devices as the source for the entropy feeds
+#
+entropyd_use_audio = false
+
+#
+# Allow exim to connect to databases (postgres, mysql)
+#
+exim_can_connect_db = false
+
+#
+# Allow exim to read unprivileged user files.
+#
+exim_read_user_files = false
+
+#
+# Allow exim to create, read, write, and delete
+# unprivileged user files.
+#
+exim_manage_user_files = false
+
+#
+# Allow ftp servers to upload files, used for public file
+# transfer services. Directories must be labeled
+# public_content_rw_t.
+#
+allow_ftpd_anon_write = false
+
+#
+# Allow ftp servers to login to local users and
+# read/write all files on the system, governed by DAC.
+#
+allow_ftpd_full_access = false
+
+#
+# Allow ftp servers to use cifs
+# used for public file transfer services.
+#
+allow_ftpd_use_cifs = false
+
+#
+# Allow ftp servers to use nfs
+# used for public file transfer services.
+#
+allow_ftpd_use_nfs = false
+
+#
+# Allow ftp to read and write files in the user home directories
+#
+ftp_home_dir = false
+
+#
+# Allow anon internal-sftp to upload files, used for
+# public file transfer services. Directories must be labeled
+# public_content_rw_t.
+#
+sftpd_anon_write = false
+
+#
+# Allow sftp-internal to read and write files
+# in the user home directories
+#
+sftpd_enable_homedirs = false
+
+#
+# Allow sftp-internal to login to local users and
+# read/write all files on the system, governed by DAC.
+#
+sftpd_full_access = false
+
+#
+# Determine whether Git CGI
+# can search home directories.
+#
+git_cgi_enable_homedirs = false
+
+#
+# Determine whether Git CGI
+# can access cifs file systems.
+#
+git_cgi_use_cifs = false
+
+#
+# Determine whether Git CGI
+# can access nfs file systems.
+#
+git_cgi_use_nfs = false
+
+#
+# Determine whether calling user domains
+# can execute Git daemon in the
+# git_session_t domain.
+#
+git_session_users = false
+
+#
+# Determine whether Git session daemons
+# can send syslog messages.
+#
+git_session_send_syslog_msg = false
+
+#
+# Determine whether Git system daemon
+# can search home directories.
+#
+git_system_enable_homedirs = false
+
+#
+# Determine whether Git system daemon
+# can access cifs file systems.
+#
+git_system_use_cifs = false
+
+#
+# Determine whether Git system daemon
+# can access nfs file systems.
+#
+git_system_use_nfs = false
+
+#
+# Allow usage of the gpg-agent --write-env-file option.
+# This also allows gpg-agent to manage user files.
+#
+gpg_agent_env_file = false
+
+#
+# Allow java executable stack
+#
+allow_java_execstack = false
+
+#
+# Allow confined applications to run with kerberos.
+#
+allow_kerberos = false
+
+#
+# Use lpd server instead of cups
+#
+use_lpd_server = false
+
+#
+# Allow confined web browsers to read home directory content
+#
+mozilla_read_content = false
+
+#
+# Allow mplayer executable stack
+#
+allow_mplayer_execstack = false
+
+#
+# Allow mysqld to connect to all ports
+#
+mysql_connect_any = false
+
+#
+# Allow openvpn to read home directories
+#
+openvpn_enable_homedirs = false
+
+#
+# Allow the portage domains to use NFS mounts (regular nfs_t)
+#
+portage_use_nfs = false
+
+#
+# Allow pppd to load kernel modules for certain modems
+#
+pppd_can_insmod = false
+
+#
+# Allow pppd to be run for a regular user
+#
+pppd_for_user = false
+
+#
+# Allow privoxy to connect to all ports, not just
+# HTTP, FTP, and Gopher ports.
+#
+privoxy_connect_any = false
+
+#
+# Allow Puppet client to manage all file
+# types.
+#
+puppet_manage_all_files = false
+
+#
+# Allow qemu to connect fully to the network
+#
+qemu_full_network = false
+
+#
+# Allow qemu to use cifs/Samba file systems
+#
+qemu_use_cifs = true
+
+#
+# Allow qemu to use serial/parallel communication ports
+#
+qemu_use_comm = false
+
+#
+# Allow qemu to use nfs file systems
+#
+qemu_use_nfs = true
+
+#
+# Allow qemu to use usb devices
+#
+qemu_use_usb = true
+
+#
+# Allow rgmanager domain to connect to the network using TCP.
+#
+rgmanager_can_network_connect = false
+
+#
+# Allow fenced domain to connect to the network using TCP.
+#
+fenced_can_network_connect = false
+
+#
+# Allow gssd to read temp directory. For access to kerberos tgt.
+#
+allow_gssd_read_tmp = true
+
+#
+# Allow nfs servers to modify public files
+# used for public file transfer services. Files/Directories must be
+# labeled public_content_rw_t.
+#
+allow_nfsd_anon_write = false
+
+#
+# Allow rsync to export any files/directories read only.
+#
+rsync_export_all_ro = false
+
+#
+# Allow rsync to modify public files
+# used for public file transfer services. Files/Directories must be
+# labeled public_content_rw_t.
+#
+allow_rsync_anon_write = false
+
+#
+# Allow samba to modify public files used for public file
+# transfer services. Files/Directories must be labeled
+# public_content_rw_t.
+#
+allow_smbd_anon_write = false
+
+#
+# Allow samba to create new home directories (e.g. via PAM)
+#
+samba_create_home_dirs = false
+
+#
+# Allow samba to act as the domain controller, add users,
+# groups and change passwords.
+#
+samba_domain_controller = false
+
+#
+# Allow samba to share users home directories.
+#
+samba_enable_home_dirs = false
+
+#
+# Allow samba to share any file/directory read only.
+#
+samba_export_all_ro = false
+
+#
+# Allow samba to share any file/directory read/write.
+#
+samba_export_all_rw = false
+
+#
+# Allow samba to run unconfined scripts
+#
+samba_run_unconfined = false
+
+#
+# Allow samba to export NFS volumes.
+#
+samba_share_nfs = false
+
+#
+# Allow samba to export ntfs/fusefs volumes.
+#
+samba_share_fusefs = false
+
+#
+# Allow confined virtual guests to manage nfs files
+#
+sanlock_use_nfs = false
+
+#
+# Allow confined virtual guests to manage cifs files
+#
+sanlock_use_samba = false
+
+#
+# Allow sasl to read shadow
+#
+allow_saslauthd_read_shadow = false
+
+#
+# Enable additional permissions needed to support
+# devices on 3ware controllers.
+#
+smartmon_3ware = false
+
+#
+# Allow user spamassassin clients to use the network.
+#
+spamassassin_can_network = false
+
+#
+# Allow spamd to read/write user home directories.
+#
+spamd_enable_home_dirs = true
+
+#
+# Allow squid to connect to all ports, not just
+# HTTP, FTP, and Gopher ports.
+#
+squid_connect_any = false
+
+#
+# Allow squid to run as a transparent proxy (TPROXY)
+#
+squid_use_tproxy = false
+
+#
+# Allow the Telepathy connection managers
+# to connect to any generic TCP port.
+#
+telepathy_tcp_connect_generic_network_ports = false
+
+#
+# Allow the Telepathy connection managers
+# to connect to any network port.
+#
+telepathy_connect_all_ports = false
+
+#
+# Allow tftp to modify public files
+# used for public file transfer services.
+#
+tftp_anon_write = false
+
+#
+# Allow tor daemon to bind
+# tcp sockets to all unreserved ports.
+#
+tor_bind_all_unreserved_ports = false
+
+#
+# Allow varnishd to connect to all ports,
+# not just HTTP.
+#
+varnishd_connect_any = false
+
+#
+# Ignore vbetool mmap_zero errors.
+#
+vbetool_mmap_zero_ignore = false
+
+#
+# Allow virt to use serial/parallell communication ports
+#
+virt_use_comm = false
+
+#
+# Allow virt to read fuse files
+#
+virt_use_fusefs = false
+
+#
+# Allow virt to manage nfs files
+#
+virt_use_nfs = false
+
+#
+# Allow virt to manage cifs files
+#
+virt_use_samba = false
+
+#
+# Allow virt to manage device configuration, (pci)
+#
+virt_use_sysfs = false
+
+#
+# Allow virt to use usb devices
+#
+virt_use_usb = true
+
+#
+# Allow webadm to manage files in users home directories
+#
+webadm_manage_user_files = false
+
+#
+# Allow webadm to read files in users home directories
+#
+webadm_read_user_files = false
+
+#
+# Ignore wine mmap_zero errors.
+#
+wine_mmap_zero_ignore = false
+
+#
+# Allow xend to run blktapctrl/tapdisk.
+# Not required if using dedicated logical volumes for disk images.
+#
+xend_run_blktap = true
+
+#
+# Allow xend to run qemu-dm.
+# Not required if using paravirt and no vfb.
+#
+xend_run_qemu = true
+
+#
+# Allow xen to manage nfs files
+#
+xen_use_nfs = false
+
+#
+# Allow xguest users to mount removable media
+#
+xguest_mount_media = true
+
+#
+# Allow xguest to configure Network Manager
+#
+xguest_connect_network = true
+
+#
+# Allow xguest to use blue tooth devices
+#
+xguest_use_bluetooth = true
+
+#
+# Allow zebra daemon to write it configuration files
+#
+allow_zebra_write_config = false
+
+#
+# Control the ability to mmap a low area of the address space,
+# as configured by /proc/sys/kernel/mmap_min_addr.
+#
+mmap_low_allowed = false
+
+#
+# Allow sysadm to debug or ptrace all processes.
+#
+allow_ptrace = false
+
+#
+# Allow unprived users to execute DDL statement
+#
+sepgsql_enable_users_ddl = true
+
+#
+# Allow database admins to execute DML statement
+#
+sepgsql_unconfined_dbadm = true
+
+#
+# allow host key based authentication
+#
+allow_ssh_keysign = false
+
+#
+# Allow ssh logins as sysadm_r:sysadm_t
+#
+ssh_sysadm_login = false
+
+#
+# Allows clients to write to the X server shared
+# memory segments.
+#
+allow_write_xshm = false
+
+#
+# Allow xdm logins as sysadm
+#
+xdm_sysadm_login = false
+
+#
+# Support X userspace object manager
+#
+xserver_object_manager = false
+
+#
+# Enable support for upstart as the init program.
+#
+init_upstart = false
+
+#
+# Allow racoon to read shadow
+#
+racoon_read_shadow = false
+
+#
+# Allow the mount command to mount any directory or file.
+#
+allow_mount_anyfile = false
+
+#
+# Allow users to connect to mysql
+#
+allow_user_mysql_connect = false
+
+#
+# Allow users to connect to PostgreSQL
+#
+allow_user_postgresql_connect = false
+
+#
+# Allow regular users direct mouse access
+#
+user_direct_mouse = false
+
+#
+# Allow users to read system messages.
+#
+user_dmesg = false
+
+#
+# Allow user to r/w files on filesystems
+# that do not have extended attributes (FAT, CDROM, FLOPPY)
+#
+user_rw_noexattrfile = false
+
+#
+# Allow w to display everyone
+#
+user_ttyfile_stat = false
+
+#
+# Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+#
+allow_execheap = false
+
+#
+# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+#
+allow_execmem = false
+
+#
+# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+#
+allow_execmod = false
+
+#
+# Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+#
+allow_execstack = false
+
+#
+# Enable polyinstantiated directory support.
+#
+allow_polyinstantiation = false
+
+#
+# Allow system to run with NIS
+#
+allow_ypbind = false
+
+#
+# Allow logging in and using the system from /dev/console.
+#
+console_login = true
+
+#
+# Enable reading of urandom for all domains.
+#
+#
+#
+#
+# This should be enabled when all programs
+# are compiled with ProPolice/SSP
+# stack smashing protection. All domains will
+# be allowed to read from /dev/urandom.
+#
+global_ssp = false
+
+#
+# Allow email client to various content.
+# nfs, samba, removable devices, and user temp
+# files
+#
+mail_read_content = false
+
+#
+# Allow any files/directories to be exported read/write via NFS.
+#
+nfs_export_all_rw = false
+
+#
+# Allow any files/directories to be exported read/only via NFS.
+#
+nfs_export_all_ro = false
+
+#
+# Support NFS home directories
+#
+use_nfs_home_dirs = false
+
+#
+# Support SAMBA home directories
+#
+use_samba_home_dirs = false
+
+#
+# Allow users to run TCP servers (bind to ports and accept connection from
+# the same domain and outside users) disabling this forces FTP passive mode
+# and may change other protocols.
+#
+user_tcp_server = false
+
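Review bot: Three of the description comments carry a stray trailing `")` copied over from the policy source — the lines above `allow_execmem`, `allow_execmod` and `allow_execstack` end in `reported in bugzilla")` / `textrel_shlib_t")` — and the closing quote and parenthesis should be dropped so they read as plain comments like their neighbours; the `global_ssp` entry likewise has four consecutive bare `#` lines between its two paragraphs that could collapse to one. Separately, the file sets a number of booleans to `true` (`qemu_use_cifs`, `qemu_use_nfs`, `qemu_use_usb`, `allow_gssd_read_tmp`, `spamd_enable_home_dirs`, `virt_use_usb`, `xend_run_blktap`, `xend_run_qemu`, `xguest_mount_media`, `xguest_connect_network`, `xguest_use_bluetooth`, `sepgsql_enable_users_ddl`, `sepgsql_unconfined_dbadm`, `console_login`), and since each of those widens what a confined domain may reach, a one-line comment above each saying why it is enabled on this system would let a later reader tell a deliberate choice from a value that was never reviewed. Minor wording while the file is new: `parallell` under `virt_use_comm`, `write it configuration files` under `allow_zebra_write_config`, and `Allow email client to various content.` under `mail_read_content`, which is missing its verb.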