Update generated policy and doc files

Signed-off-by: Jason Zaman <perfinion@gentoo.org>
author: Jason Zaman <perfinion@gentoo.org> 2021-11-11 17:49:54 -0800
committer: Jason Zaman <perfinion@gentoo.org> 2021-11-11 17:53:00 -0800
commit: 5a4ed49eb12296e154d860f3c724c487a182e682 (patch)
tree: 4d4d5b474597f9af84e12d76dac0c1c831bf217a /policy
parent: modutils.fc: Added Gentoo specific modules_conf_t paths. (diff)
download: hardened-refpolicy-5a4ed49eb12296e154d860f3c724c487a182e682.tar.gz
hardened-refpolicy-5a4ed49eb12296e154d860f3c724c487a182e682.tar.bz2
hardened-refpolicy-5a4ed49eb12296e154d860f3c724c487a182e682.zip
2 files changed, 42 insertions, 232 deletions
diff --git a/policy/booleans.conf b/policy/booleans.conf
index 38a4ea50f..368c5856b 100644
--- a/policy/booleans.conf
+++ b/policy/booleans.conf
@@ -4,13 +4,17 @@
 secure_mode_insmod = false
 
 #
-# Boolean to determine whether the system permits loading policy, setting
-# enforcing mode, and changing boolean values.  Set this to true and you
-# have to reboot to set it back.
+# Boolean to determine whether the system permits loading policy, and setting
+# enforcing mode.  Set this to true and you have to reboot to set it back.
 # 
 secure_mode_policyload = false
 
 #
+# Boolean to determine whether the system permits setting Booelan values.
+# 
+secure_mode_setbool = false
+
+#
 # Enabling secure mode disallows programs, such as
 # newrole, from transitioning to administrative
 # user domains.
@@ -45,6 +49,12 @@ firstboot_manage_generic_user_content = false
 firstboot_manage_all_user_content = false
 
 #
+# Determine whether logrotate can manage
+# audit log files
+# 
+logrotate_manage_audit_log = false
+
+#
 # Determine whether logwatch can connect
 # to mail over the network.
 # 
@@ -721,6 +731,11 @@ pan_manage_user_content = false
 phpfpm_use_ldap = false
 
 #
+# Allow phpfpm to send syslog messages
+# 
+phpfpm_send_syslog_msg = false
+
+#
 # Allow rtorrent to use dht.
 # The correspondig port must be rtorrent_udp_port_t.
 # 
@@ -767,17 +782,6 @@ dbadm_manage_user_files = false
 dbadm_read_user_files = false
 
 #
-# Allow sysadm to debug or ptrace all processes.
-# 
-allow_ptrace = false
-
-#
-# Allow sysadm to read/write to fifo files inherited from
-# a domain allowed to change role.
-# 
-sysadm_allow_rw_inherited_fifo = false
-
-#
 # Determine whether webadm can
 # manage generic user files.
 # 
@@ -1086,6 +1090,12 @@ allow_httpd_bugzilla_script_anon_write = false
 certbot_acmesh = false
 
 #
+# Determine whether chronyd can access NIC hardware
+# timestamping features
+# 
+chronyd_hwtimestamp = false
+
+#
 # Determine whether clamscan can
 # read user content files.
 # 
@@ -1221,14 +1231,6 @@ dhcpd_use_ldap = false
 dovecot_can_connect_db = false
 
 #
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-# 
-allow_httpd_dspam_script_anon_write = false
-
-#
 # Determine whether entropyd can use
 # audio devices as the source for
 # the entropy feeds.
@@ -1389,6 +1391,13 @@ git_system_use_cifs = false
 git_system_use_nfs = false
 
 #
+# Determine whether Git client domains
+# can manage all user home content,
+# including application-specific data.
+# 
+git_client_manage_all_user_home_content = false
+
+#
 # Determine whether the script domain can
 # modify public files used for public file
 # transfer services. Directories/Files must
@@ -1515,31 +1524,6 @@ openvpn_can_network_connect = false
 pacemaker_startstop_all_services = false
 
 #
-# Determine whether Polipo system
-# daemon can access CIFS file systems.
-# 
-polipo_system_use_cifs = false
-
-#
-# Determine whether Polipo system
-# daemon can access NFS file systems.
-# 
-polipo_system_use_nfs = false
-
-#
-# Determine whether calling user domains
-# can execute Polipo daemon in the
-# polipo_session_t domain.
-# 
-polipo_session_users = false
-
-#
-# Determine whether Polipo session daemon
-# can send syslog messages.
-# 
-polipo_session_send_syslog_msg = false
-
-#
 # Determine whether postfix local
 # can manage mail spool content.
 # 
@@ -1607,23 +1591,6 @@ allow_httpd_prewikka_script_anon_write = false
 privoxy_connect_any = false
 
 #
-# Determine whether rgmanager can
-# connect to the network using TCP.
-# 
-rgmanager_can_network_connect = false
-
-#
-# Determine whether fenced can
-# connect to the TCP network.
-# 
-fenced_can_network_connect = false
-
-#
-# Determine whether fenced can use ssh.
-# 
-fenced_can_ssh = false
-
-#
 # Determine whether gssd can read
 # generic user temporary content.
 # 
@@ -1968,6 +1935,11 @@ zabbix_can_network = false
 allow_zebra_write_config = false
 
 #
+# Allow PAM usage.  If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
+# 
+authlogin_pam = true
+
+#
 # Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
 # 
 authlogin_nsswitch_use_ldap = false
@@ -2034,6 +2006,12 @@ systemd_socket_proxyd_bind_any = false
 systemd_socket_proxyd_connect_any = false
 
 #
+# Allow systemd-tmpfilesd to populate missing configuration files from factory
+# template directory.
+# 
+systemd_tmpfilesd_factory = false
+
+#
 # Determine whether tmpfiles can manage
 # all non-security sensitive resources.
 # Without this, it is only allowed rights towards
diff --git a/policy/modules.conf b/policy/modules.conf
index 205c52fe6..2a5a2aeb8 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -173,13 +173,6 @@ backup = module
 bacula = module
 
 # Layer: admin
-# Module: bcfg2
-#
-# configuration management suite.
-# 
-bcfg2 = module
-
-# Layer: admin
 # Module: blueman
 #
 # Tool to manage Bluetooth devices.
@@ -229,13 +222,6 @@ chkrootkit = module
 consoletype = module
 
 # Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information.
-# 
-ddcprobe = module
-
-# Layer: admin
 # Module: dmesg
 #
 # Policy for dmesg.
@@ -636,13 +622,6 @@ livecd = module
 loadkeys = module
 
 # Layer: apps
-# Module: lockdev
-#
-# Library for locking devices.
-# 
-lockdev = module
-
-# Layer: apps
 # Module: man2html
 #
 # A Unix manpage-to-HTML converter.
@@ -1119,13 +1098,6 @@ acpi = module
 afs = module
 
 # Layer: services
-# Module: aiccu
-#
-# Automatic IPv6 Connectivity Client Utility.
-# 
-aiccu = module
-
-# Layer: services
 # Module: aisexec
 #
 # Aisexec Cluster Engine.
@@ -1238,13 +1210,6 @@ bugzilla = module
 cachefilesd = module
 
 # Layer: services
-# Module: callweaver
-#
-# PBX software.
-# 
-callweaver = module
-
-# Layer: services
 # Module: canna
 #
 # Kana-kanji conversion server.
@@ -1252,13 +1217,6 @@ callweaver = module
 canna = module
 
 # Layer: services
-# Module: ccs
-#
-# Cluster Configuration System.
-# 
-ccs = module
-
-# Layer: services
 # Module: certbot
 #
 # SSL certificate requesting tool certbot AKA letsencrypt.
@@ -1301,13 +1259,6 @@ cgroup = module
 chronyd = module
 
 # Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon.
-# 
-cipe = module
-
-# Layer: services
 # Module: clamav
 #
 # ClamAV Virus Scanner.
@@ -1315,27 +1266,6 @@ cipe = module
 clamav = module
 
 # Layer: services
-# Module: clockspeed
-#
-# Clock speed measurement and manipulation.
-# 
-clockspeed = module
-
-# Layer: services
-# Module: clogd
-#
-# Clustered Mirror Log Server.
-# 
-clogd = module
-
-# Layer: services
-# Module: cmirrord
-#
-# Cluster mirror log daemon.
-# 
-cmirrord = module
-
-# Layer: services
 # Module: cobbler
 #
 # Cobbler installation server.
@@ -1469,13 +1399,6 @@ dbskk = module
 dbus = module
 
 # Layer: services
-# Module: dcc
-#
-# Distributed checksum clearinghouse spam filtering.
-# 
-dcc = module
-
-# Layer: services
 # Module: ddclient
 #
 # Update dynamic IP address at DynDNS.org.
@@ -1483,13 +1406,6 @@ dcc = module
 ddclient = module
 
 # Layer: services
-# Module: denyhosts
-#
-# SSH dictionary attack mitigation.
-# 
-denyhosts = module
-
-# Layer: services
 # Module: devicekit
 #
 # Devicekit modular hardware abstraction layer.
@@ -1560,13 +1476,6 @@ dovecot = module
 drbd = module
 
 # Layer: services
-# Module: dspam
-#
-# Content-based spam filter designed for multi-user enterprise systems.
-# 
-dspam = module
-
-# Layer: services
 # Module: entropyd
 #
 # Generate entropy from audio input.
@@ -1721,13 +1630,6 @@ hddtemp = module
 hostapd = module
 
 # Layer: services
-# Module: howl
-#
-# Port of Apple Rendezvous multicast DNS.
-# 
-howl = module
-
-# Layer: services
 # Module: hypervkvp
 #
 # HyperV key value pair (KVP).
@@ -1756,13 +1658,6 @@ icecast = module
 ifplugd = module
 
 # Layer: services
-# Module: imaze
-#
-# iMaze game server.
-# 
-imaze = module
-
-# Layer: services
 # Module: inetd
 #
 # Internet services daemon.
@@ -1812,13 +1707,6 @@ isns = module
 jabber = module
 
 # Layer: services
-# Module: jockey
-#
-# Jockey driver manager.
-# 
-jockey = module
-
-# Layer: services
 # Module: kerberos
 #
 # MIT Kerberos admin and KDC.
@@ -1854,13 +1742,6 @@ knot = module
 ksmtuned = module
 
 # Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon.
-# 
-ktalk = module
-
-# Layer: services
 # Module: l2tp
 #
 # Layer 2 Tunneling Protocol.
@@ -1917,13 +1798,6 @@ lsm = module
 mailman = module
 
 # Layer: services
-# Module: mailscanner
-#
-# E-mail security and anti-spam package for e-mail gateway systems.
-# 
-mailscanner = module
-
-# Layer: services
 # Module: mediawiki
 #
 # Open source wiki package written in PHP.
@@ -2120,13 +1994,6 @@ nut = module
 nx = module
 
 # Layer: services
-# Module: oav
-#
-# Open AntiVirus scannerdaemon and signature update.
-# 
-oav = module
-
-# Layer: services
 # Module: obex
 #
 # D-Bus service providing high-level OBEX client and server side functionality.
@@ -2246,13 +2113,6 @@ plymouthd = module
 policykit = module
 
 # Layer: services
-# Module: polipo
-#
-# Lightweight forwarding and caching proxy server.
-# 
-polipo = module
-
-# Layer: services
 # Module: portmap
 #
 # RPC port mapping service.
@@ -2358,13 +2218,6 @@ pwauth = module
 pxe = module
 
 # Layer: services
-# Module: pyicqt
-#
-# ICQ transport for XMPP server.
-# 
-pyicqt = module
-
-# Layer: services
 # Module: pyzor
 #
 # Pyzor is a distributed, collaborative spam detection and filtering network.
@@ -2456,20 +2309,6 @@ remotelogin = module
 resmgr = module
 
 # Layer: services
-# Module: rgmanager
-#
-# Resource Group Manager.
-# 
-rgmanager = module
-
-# Layer: services
-# Module: rhcs
-#
-# Red Hat Cluster Suite.
-# 
-rhcs = module
-
-# Layer: services
 # Module: rhsmcertd
 #
 # Subscription Management Certificate Daemon.
@@ -2477,13 +2316,6 @@ rhcs = module
 rhsmcertd = module
 
 # Layer: services
-# Module: ricci
-#
-# Ricci cluster management agent.
-# 
-ricci = module
-
-# Layer: services
 # Module: rlogin
 #
 # Remote login daemon.
author	Jason Zaman <perfinion@gentoo.org>	2021-11-11 17:49:54 -0800
committer	Jason Zaman <perfinion@gentoo.org>	2021-11-11 17:53:00 -0800
commit	5a4ed49eb12296e154d860f3c724c487a182e682 (patch)
tree	4d4d5b474597f9af84e12d76dac0c1c831bf217a /policy
parent	modutils.fc: Added Gentoo specific modules_conf_t paths. (diff)
download	hardened-refpolicy-5a4ed49eb12296e154d860f3c724c487a182e682.tar.gz hardened-refpolicy-5a4ed49eb12296e154d860f3c724c487a182e682.tar.bz2 hardened-refpolicy-5a4ed49eb12296e154d860f3c724c487a182e682.zip