diff options
| author |   Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
|---|---|---|
| committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
| commit | 3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch) | |
| tree | cae07463edd5b609a97513e00d63e1bd410cc8bb /doc/global_tunables.xml | |
| parent | Initial commit (diff) | |
| download | hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.gz hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.bz2 hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.zip | |
Pushing 2.20120215 (current version)
Diffstat (limited to 'doc/global_tunables.xml')
| -rw-r--r-- | doc/global_tunables.xml | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/doc/global_tunables.xml b/doc/global_tunables.xml new file mode 100644 index 00000000..c026deaf --- /dev/null +++ b/doc/global_tunables.xml @@ -0,0 +1,108 @@ +<tunable name="allow_execheap" dftval="false"> +<desc> +<p> +Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla +</p> +</desc> +</tunable> +<tunable name="allow_execmem" dftval="false"> +<desc> +<p> +Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") +</p> +</desc> +</tunable> +<tunable name="allow_execmod" dftval="false"> +<desc> +<p> +Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") +</p> +</desc> +</tunable> +<tunable name="allow_execstack" dftval="false"> +<desc> +<p> +Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") +</p> +</desc> +</tunable> +<tunable name="allow_polyinstantiation" dftval="false"> +<desc> +<p> +Enable polyinstantiated directory support. +</p> +</desc> +</tunable> +<tunable name="allow_ypbind" dftval="false"> +<desc> +<p> +Allow system to run with NIS +</p> +</desc> +</tunable> +<tunable name="console_login" dftval="true"> +<desc> +<p> +Allow logging in and using the system from /dev/console. +</p> +</desc> +</tunable> +<tunable name="global_ssp" dftval="false"> +<desc> +<p> +Enable reading of urandom for all domains. +</p> +<p> +This should be enabled when all programs +are compiled with ProPolice/SSP +stack smashing protection. All domains will +be allowed to read from /dev/urandom. +</p> +</desc> +</tunable> +<tunable name="mail_read_content" dftval="false"> +<desc> +<p> +Allow email client to various content. +nfs, samba, removable devices, and user temp +files +</p> +</desc> +</tunable> +<tunable name="nfs_export_all_rw" dftval="false"> +<desc> +<p> +Allow any files/directories to be exported read/write via NFS. +</p> +</desc> +</tunable> +<tunable name="nfs_export_all_ro" dftval="false"> +<desc> +<p> +Allow any files/directories to be exported read/only via NFS. +</p> +</desc> +</tunable> +<tunable name="use_nfs_home_dirs" dftval="false"> +<desc> +<p> +Support NFS home directories +</p> +</desc> +</tunable> +<tunable name="use_samba_home_dirs" dftval="false"> +<desc> +<p> +Support SAMBA home directories +</p> +</desc> +</tunable> +<tunable name="user_tcp_server" dftval="false"> +<desc> +<p> +Allow users to run TCP servers (bind to ports and accept connection from +the same domain and outside users) disabling this forces FTP passive mode +and may change other protocols. +</p> +</desc> +</tunable> |