diff options
author | Jason Zaman <perfinion@gentoo.org> | 2021-11-11 17:49:54 -0800 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2021-11-11 17:53:00 -0800 |
commit | 5a4ed49eb12296e154d860f3c724c487a182e682 (patch) | |
tree | 4d4d5b474597f9af84e12d76dac0c1c831bf217a /policy/booleans.conf | |
parent | modutils.fc: Added Gentoo specific modules_conf_t paths. (diff) | |
download | hardened-refpolicy-5a4ed49eb12296e154d860f3c724c487a182e682.tar.gz hardened-refpolicy-5a4ed49eb12296e154d860f3c724c487a182e682.tar.bz2 hardened-refpolicy-5a4ed49eb12296e154d860f3c724c487a182e682.zip |
Update generated policy and doc files
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/booleans.conf')
-rw-r--r-- | policy/booleans.conf | 106 |
1 files changed, 42 insertions, 64 deletions
diff --git a/policy/booleans.conf b/policy/booleans.conf index 38a4ea50..368c5856 100644 --- a/policy/booleans.conf +++ b/policy/booleans.conf @@ -4,13 +4,17 @@ secure_mode_insmod = false # -# Boolean to determine whether the system permits loading policy, setting -# enforcing mode, and changing boolean values. Set this to true and you -# have to reboot to set it back. +# Boolean to determine whether the system permits loading policy, and setting +# enforcing mode. Set this to true and you have to reboot to set it back. # secure_mode_policyload = false # +# Boolean to determine whether the system permits setting Booelan values. +# +secure_mode_setbool = false + +# # Enabling secure mode disallows programs, such as # newrole, from transitioning to administrative # user domains. @@ -45,6 +49,12 @@ firstboot_manage_generic_user_content = false firstboot_manage_all_user_content = false # +# Determine whether logrotate can manage +# audit log files +# +logrotate_manage_audit_log = false + +# # Determine whether logwatch can connect # to mail over the network. # @@ -721,6 +731,11 @@ pan_manage_user_content = false phpfpm_use_ldap = false # +# Allow phpfpm to send syslog messages +# +phpfpm_send_syslog_msg = false + +# # Allow rtorrent to use dht. # The correspondig port must be rtorrent_udp_port_t. # @@ -767,17 +782,6 @@ dbadm_manage_user_files = false dbadm_read_user_files = false # -# Allow sysadm to debug or ptrace all processes. -# -allow_ptrace = false - -# -# Allow sysadm to read/write to fifo files inherited from -# a domain allowed to change role. -# -sysadm_allow_rw_inherited_fifo = false - -# # Determine whether webadm can # manage generic user files. # @@ -1086,6 +1090,12 @@ allow_httpd_bugzilla_script_anon_write = false certbot_acmesh = false # +# Determine whether chronyd can access NIC hardware +# timestamping features +# +chronyd_hwtimestamp = false + +# # Determine whether clamscan can # read user content files. # @@ -1221,14 +1231,6 @@ dhcpd_use_ldap = false dovecot_can_connect_db = false # -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_dspam_script_anon_write = false - -# # Determine whether entropyd can use # audio devices as the source for # the entropy feeds. @@ -1389,6 +1391,13 @@ git_system_use_cifs = false git_system_use_nfs = false # +# Determine whether Git client domains +# can manage all user home content, +# including application-specific data. +# +git_client_manage_all_user_home_content = false + +# # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must @@ -1515,31 +1524,6 @@ openvpn_can_network_connect = false pacemaker_startstop_all_services = false # -# Determine whether Polipo system -# daemon can access CIFS file systems. -# -polipo_system_use_cifs = false - -# -# Determine whether Polipo system -# daemon can access NFS file systems. -# -polipo_system_use_nfs = false - -# -# Determine whether calling user domains -# can execute Polipo daemon in the -# polipo_session_t domain. -# -polipo_session_users = false - -# -# Determine whether Polipo session daemon -# can send syslog messages. -# -polipo_session_send_syslog_msg = false - -# # Determine whether postfix local # can manage mail spool content. # @@ -1607,23 +1591,6 @@ allow_httpd_prewikka_script_anon_write = false privoxy_connect_any = false # -# Determine whether rgmanager can -# connect to the network using TCP. -# -rgmanager_can_network_connect = false - -# -# Determine whether fenced can -# connect to the TCP network. -# -fenced_can_network_connect = false - -# -# Determine whether fenced can use ssh. -# -fenced_can_ssh = false - -# # Determine whether gssd can read # generic user temporary content. # @@ -1968,6 +1935,11 @@ zabbix_can_network = false allow_zebra_write_config = false # +# Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM. +# +authlogin_pam = true + +# # Allow users to resolve user passwd entries directly from ldap rather then using a sssd server # authlogin_nsswitch_use_ldap = false @@ -2034,6 +2006,12 @@ systemd_socket_proxyd_bind_any = false systemd_socket_proxyd_connect_any = false # +# Allow systemd-tmpfilesd to populate missing configuration files from factory +# template directory. +# +systemd_tmpfilesd_factory = false + +# # Determine whether tmpfiles can manage # all non-security sensitive resources. # Without this, it is only allowed rights towards |