From 5a4ed49eb12296e154d860f3c724c487a182e682 Mon Sep 17 00:00:00 2001 From: Jason Zaman Date: Thu, 11 Nov 2021 17:49:54 -0800 Subject: Update generated policy and doc files Signed-off-by: Jason Zaman --- policy/booleans.conf | 106 ++++++++++++++++++++------------------------------- 1 file changed, 42 insertions(+), 64 deletions(-) (limited to 'policy/booleans.conf') diff --git a/policy/booleans.conf b/policy/booleans.conf index 38a4ea50f..368c5856b 100644 --- a/policy/booleans.conf +++ b/policy/booleans.conf @@ -4,12 +4,16 @@ secure_mode_insmod = false # -# Boolean to determine whether the system permits loading policy, setting -# enforcing mode, and changing boolean values. Set this to true and you -# have to reboot to set it back. +# Boolean to determine whether the system permits loading policy, and setting +# enforcing mode. Set this to true and you have to reboot to set it back. # secure_mode_policyload = false +# +# Boolean to determine whether the system permits setting Booelan values. +# +secure_mode_setbool = false + # # Enabling secure mode disallows programs, such as # newrole, from transitioning to administrative @@ -44,6 +48,12 @@ firstboot_manage_generic_user_content = false # firstboot_manage_all_user_content = false +# +# Determine whether logrotate can manage +# audit log files +# +logrotate_manage_audit_log = false + # # Determine whether logwatch can connect # to mail over the network. @@ -720,6 +730,11 @@ pan_manage_user_content = false # phpfpm_use_ldap = false +# +# Allow phpfpm to send syslog messages +# +phpfpm_send_syslog_msg = false + # # Allow rtorrent to use dht. # The correspondig port must be rtorrent_udp_port_t. @@ -766,17 +781,6 @@ dbadm_manage_user_files = false # dbadm_read_user_files = false -# -# Allow sysadm to debug or ptrace all processes. -# -allow_ptrace = false - -# -# Allow sysadm to read/write to fifo files inherited from -# a domain allowed to change role. -# -sysadm_allow_rw_inherited_fifo = false - # # Determine whether webadm can # manage generic user files. @@ -1085,6 +1089,12 @@ allow_httpd_bugzilla_script_anon_write = false # certbot_acmesh = false +# +# Determine whether chronyd can access NIC hardware +# timestamping features +# +chronyd_hwtimestamp = false + # # Determine whether clamscan can # read user content files. @@ -1220,14 +1230,6 @@ dhcpd_use_ldap = false # dovecot_can_connect_db = false -# -# Determine whether the script domain can -# modify public files used for public file -# transfer services. Directories/Files must -# be labeled public_content_rw_t. -# -allow_httpd_dspam_script_anon_write = false - # # Determine whether entropyd can use # audio devices as the source for @@ -1388,6 +1390,13 @@ git_system_use_cifs = false # git_system_use_nfs = false +# +# Determine whether Git client domains +# can manage all user home content, +# including application-specific data. +# +git_client_manage_all_user_home_content = false + # # Determine whether the script domain can # modify public files used for public file @@ -1514,31 +1523,6 @@ openvpn_can_network_connect = false # pacemaker_startstop_all_services = false -# -# Determine whether Polipo system -# daemon can access CIFS file systems. -# -polipo_system_use_cifs = false - -# -# Determine whether Polipo system -# daemon can access NFS file systems. -# -polipo_system_use_nfs = false - -# -# Determine whether calling user domains -# can execute Polipo daemon in the -# polipo_session_t domain. -# -polipo_session_users = false - -# -# Determine whether Polipo session daemon -# can send syslog messages. -# -polipo_session_send_syslog_msg = false - # # Determine whether postfix local # can manage mail spool content. @@ -1606,23 +1590,6 @@ allow_httpd_prewikka_script_anon_write = false # privoxy_connect_any = false -# -# Determine whether rgmanager can -# connect to the network using TCP. -# -rgmanager_can_network_connect = false - -# -# Determine whether fenced can -# connect to the TCP network. -# -fenced_can_network_connect = false - -# -# Determine whether fenced can use ssh. -# -fenced_can_ssh = false - # # Determine whether gssd can read # generic user temporary content. @@ -1967,6 +1934,11 @@ zabbix_can_network = false # allow_zebra_write_config = false +# +# Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM. +# +authlogin_pam = true + # # Allow users to resolve user passwd entries directly from ldap rather then using a sssd server # @@ -2033,6 +2005,12 @@ systemd_socket_proxyd_bind_any = false # systemd_socket_proxyd_connect_any = false +# +# Allow systemd-tmpfilesd to populate missing configuration files from factory +# template directory. +# +systemd_tmpfilesd_factory = false + # # Determine whether tmpfiles can manage # all non-security sensitive resources. -- cgit v1.2.3-65-gdbad