author | Jason Zaman <perfinion@gentoo.org> | 2021-11-11 17:49:54 -0800 |
committer | Jason Zaman <perfinion@gentoo.org> | 2021-11-11 17:53:00 -0800 |
commit | 5a4ed49eb12296e154d860f3c724c487a182e682 (patch) | |
tree | 4d4d5b474597f9af84e12d76dac0c1c831bf217a /policy | |
parent | modutils.fc: Added Gentoo specific modules_conf_t paths. (diff) | |
Update generated policy and doc files
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy')
-rw-r--r-- | policy/booleans.conf | 106 | ||||
-rw-r--r-- | policy/modules.conf | 168 |
2 files changed, 42 insertions, 232 deletions
diff --git a/policy/booleans.conf b/policy/booleans.conf
index 38a4ea50f..368c5856b 100644
--- a/policy/booleans.conf
+++ b/policy/booleans.conf
@@ -4,13 +4,17 @@ secure_mode_insmod = false # -# Boolean to determine whether the system permits loading policy, setting -# enforcing mode, and changing boolean values. Set this to true and you -# have to reboot to set it back. +# Boolean to determine whether the system permits loading policy, and setting +# enforcing mode. Set this to true and you have to reboot to set it back. # secure_mode_policyload = false # +# Boolean to determine whether the system permits setting Booelan values. +# +secure_mode_setbool = false + +# # Enabling secure mode disallows programs, such as # newrole, from transitioning to administrative # user domains.
@@ -45,6 +49,12 @@ firstboot_manage_generic_user_content = false firstboot_manage_all_user_content = false # +# Determine whether logrotate can manage +# audit log files +# +logrotate_manage_audit_log = false + +# # Determine whether logwatch can connect # to mail over the network. #
@@ -721,6 +731,11 @@ pan_manage_user_content = false phpfpm_use_ldap = false # +# Allow phpfpm to send syslog messages +# +phpfpm_send_syslog_msg = false + +# # Allow rtorrent to use dht. # The correspondig port must be rtorrent_udp_port_t. #
@@ -767,17 +782,6 @@ dbadm_manage_user_files = false dbadm_read_user_files = false # -# Allow sysadm to debug or ptrace all processes. -# -allow_ptrace = false - -# -# Allow sysadm to read/write to fifo files inherited from -# a domain allowed to change role. -# -sysadm_allow_rw_inherited_fifo = false - -# # Determine whether webadm can # manage generic user files. #
@@ -1086,6 +1090,12 @@ allow_httpd_bugzilla_script_anon_write = false certbot_acmesh = false # +# Determine whether chronyd can access NIC hardware +# timestamping features +# +chronyd_hwtimestamp = false + +# # Determine whether clamscan can # read user content files. #
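Review bot: The new `secure_mode_setbool` entry in the first hunk drops the "reboot to set it back" caveat that the old combined `secure_mode_policyload` text carried, yet presumably once it is true the `setbool` permission it gates is gone and it cannot be cleared with setsebool either; the description should say so, e.g. `# Boolean to determine whether the system permits setting Boolean values.` followed by `# Once set to true it can only be reverted by a policy reload or reboot.` (the current text also misspells "Booelan"). Administrators who relied on `secure_mode_policyload = true` to freeze booleans on hardened hosts now need both tunables enabled, which is worth a sentence in the commit message or release notes since nothing in the hunk points it out. Per the commit title these files are generated, so the wording fix belongs in the module that declares the tunable rather than in booleans.conf itself.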
@@ -1221,14 +1231,6 @@ dhcpd_use_ldap = false dovecot_can_connect_db = false # -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_dspam_script_anon_write = false - -# # Determine whether entropyd can use # audio devices as the source for # the entropy feeds.
@@ -1389,6 +1391,13 @@ git_system_use_cifs = false git_system_use_nfs = false # +# Determine whether Git client domains +# can manage all user home content, +# including application-specific data. +# +git_client_manage_all_user_home_content = false + +# # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must
@@ -1515,31 +1524,6 @@ openvpn_can_network_connect = false pacemaker_startstop_all_services = false # -# Determine whether Polipo system -# daemon can access CIFS file systems. -# -polipo_system_use_cifs = false - -# -# Determine whether Polipo system -# daemon can access NFS file systems. -# -polipo_system_use_nfs = false - -# -# Determine whether calling user domains -# can execute Polipo daemon in the -# polipo_session_t domain. -# -polipo_session_users = false - -# -# Determine whether Polipo session daemon -# can send syslog messages. -# -polipo_session_send_syslog_msg = false - -# # Determine whether postfix local # can manage mail spool content. #
@@ -1607,23 +1591,6 @@ allow_httpd_prewikka_script_anon_write = false privoxy_connect_any = false # -# Determine whether rgmanager can -# connect to the network using TCP. -# -rgmanager_can_network_connect = false - -# -# Determine whether fenced can -# connect to the TCP network. -# -fenced_can_network_connect = false - -# -# Determine whether fenced can use ssh. -# -fenced_can_ssh = false - -# # Determine whether gssd can read # generic user temporary content. #
@@ -1968,6 +1935,11 @@ zabbix_can_network = false allow_zebra_write_config = false # +# Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM. +# +authlogin_pam = true + +# # Allow users to resolve user passwd entries directly from ldap rather then using a sssd server # authlogin_nsswitch_use_ldap = false
@@ -2034,6 +2006,12 @@ systemd_socket_proxyd_bind_any = false systemd_socket_proxyd_connect_any = false # +# Allow systemd-tmpfilesd to populate missing configuration files from factory +# template directory. +# +systemd_tmpfilesd_factory = false + +# # Determine whether tmpfiles can manage # all non-security sensitive resources. # Without this, it is only allowed rights towards
diff --git a/policy/modules.conf b/policy/modules.conf
index 205c52fe6..2a5a2aeb8 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -173,13 +173,6 @@ backup = module bacula = module # Layer: admin -# Module: bcfg2 -# -# configuration management suite. -# -bcfg2 = module - -# Layer: admin # Module: blueman # # Tool to manage Bluetooth devices.
@@ -229,13 +222,6 @@ chkrootkit = module consoletype = module # Layer: admin -# Module: ddcprobe -# -# ddcprobe retrieves monitor and graphics card information. -# -ddcprobe = module - -# Layer: admin # Module: dmesg # # Policy for dmesg.
@@ -636,13 +622,6 @@ livecd = module loadkeys = module # Layer: apps -# Module: lockdev -# -# Library for locking devices. -# -lockdev = module - -# Layer: apps # Module: man2html # # A Unix manpage-to-HTML converter.
@@ -1119,13 +1098,6 @@ acpi = module afs = module # Layer: services -# Module: aiccu -# -# Automatic IPv6 Connectivity Client Utility. -# -aiccu = module - -# Layer: services # Module: aisexec # # Aisexec Cluster Engine.
@@ -1238,13 +1210,6 @@ bugzilla = module cachefilesd = module # Layer: services -# Module: callweaver -# -# PBX software. -# -callweaver = module - -# Layer: services # Module: canna # # Kana-kanji conversion server.
@@ -1252,13 +1217,6 @@ callweaver = module canna = module # Layer: services -# Module: ccs -# -# Cluster Configuration System. -# -ccs = module - -# Layer: services # Module: certbot # # SSL certificate requesting tool certbot AKA letsencrypt.
@@ -1301,13 +1259,6 @@ cgroup = module chronyd = module # Layer: services -# Module: cipe -# -# Encrypted tunnel daemon. -# -cipe = module - -# Layer: services # Module: clamav # # ClamAV Virus Scanner.
@@ -1315,27 +1266,6 @@ cipe = module clamav = module # Layer: services -# Module: clockspeed -# -# Clock speed measurement and manipulation. -# -clockspeed = module - -# Layer: services -# Module: clogd -# -# Clustered Mirror Log Server. -# -clogd = module - -# Layer: services -# Module: cmirrord -# -# Cluster mirror log daemon. -# -cmirrord = module - -# Layer: services # Module: cobbler # # Cobbler installation server.
@@ -1469,13 +1399,6 @@ dbskk = module dbus = module # Layer: services -# Module: dcc -# -# Distributed checksum clearinghouse spam filtering. -# -dcc = module - -# Layer: services # Module: ddclient # # Update dynamic IP address at DynDNS.org.
@@ -1483,13 +1406,6 @@ dcc = module ddclient = module # Layer: services -# Module: denyhosts -# -# SSH dictionary attack mitigation. -# -denyhosts = module - -# Layer: services # Module: devicekit # # Devicekit modular hardware abstraction layer.
@@ -1560,13 +1476,6 @@ dovecot = module drbd = module # Layer: services -# Module: dspam -# -# Content-based spam filter designed for multi-user enterprise systems. -# -dspam = module - -# Layer: services # Module: entropyd # # Generate entropy from audio input.
@@ -1721,13 +1630,6 @@ hddtemp = module hostapd = module # Layer: services -# Module: howl -# -# Port of Apple Rendezvous multicast DNS. -# -howl = module - -# Layer: services # Module: hypervkvp # # HyperV key value pair (KVP).
@@ -1756,13 +1658,6 @@ icecast = module ifplugd = module # Layer: services -# Module: imaze -# -# iMaze game server. -# -imaze = module - -# Layer: services # Module: inetd # # Internet services daemon.
@@ -1812,13 +1707,6 @@ isns = module jabber = module # Layer: services -# Module: jockey -# -# Jockey driver manager. -# -jockey = module - -# Layer: services # Module: kerberos # # MIT Kerberos admin and KDC.
@@ -1854,13 +1742,6 @@ knot = module ksmtuned = module # Layer: services -# Module: ktalk -# -# KDE Talk daemon. -# -ktalk = module - -# Layer: services # Module: l2tp # # Layer 2 Tunneling Protocol.
@@ -1917,13 +1798,6 @@ lsm = module mailman = module # Layer: services -# Module: mailscanner -# -# E-mail security and anti-spam package for e-mail gateway systems. -# -mailscanner = module - -# Layer: services # Module: mediawiki # # Open source wiki package written in PHP.
@@ -2120,13 +1994,6 @@ nut = module nx = module # Layer: services -# Module: oav -# -# Open AntiVirus scannerdaemon and signature update. -# -oav = module - -# Layer: services # Module: obex # # D-Bus service providing high-level OBEX client and server side functionality.
@@ -2246,13 +2113,6 @@ plymouthd = module policykit = module # Layer: services -# Module: polipo -# -# Lightweight forwarding and caching proxy server. -# -polipo = module - -# Layer: services # Module: portmap # # RPC port mapping service.
@@ -2358,13 +2218,6 @@ pwauth = module pxe = module # Layer: services -# Module: pyicqt -# -# ICQ transport for XMPP server. -# -pyicqt = module - -# Layer: services # Module: pyzor # # Pyzor is a distributed, collaborative spam detection and filtering network.
@@ -2456,20 +2309,6 @@ remotelogin = module resmgr = module # Layer: services -# Module: rgmanager -# -# Resource Group Manager. -# -rgmanager = module - -# Layer: services -# Module: rhcs -# -# Red Hat Cluster Suite. -# -rhcs = module - -# Layer: services # Module: rhsmcertd # # Subscription Management Certificate Daemon.
@@ -2477,13 +2316,6 @@ rhcs = module rhsmcertd = module # Layer: services -# Module: ricci -# -# Ricci cluster management agent. -# -ricci = module - -# Layer: services # Module: rlogin # # Remote login daemon. |