SOURCES: refpolicy-booleans-mls.conf (NEW), refpolicy-booleans-str...

zbyniu zbyniu at pld-linux.org
Thu Apr 27 03:23:24 CEST 2006


Author: zbyniu                       Date: Thu Apr 27 01:23:24 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- initial

---- Files affected:
SOURCES:
   refpolicy-booleans-mls.conf (NONE -> 1.1)  (NEW), refpolicy-booleans-strict.conf (NONE -> 1.1)  (NEW), refpolicy-booleans-targeted.conf (NONE -> 1.1)  (NEW), refpolicy-config (NONE -> 1.1)  (NEW), refpolicy-makefile.patch (NONE -> 1.1)  (NEW), refpolicy-modules-mls.conf (NONE -> 1.1)  (NEW), refpolicy-modules-strict.conf (NONE -> 1.1)  (NEW), refpolicy-modules-targeted.conf (NONE -> 1.1)  (NEW), refpolicy-pld.patch (NONE -> 1.1)  (NEW), refpolicy-setrans-mls.conf (NONE -> 1.1)  (NEW), refpolicy-setrans-strict.conf (NONE -> 1.1)  (NEW), refpolicy-setrans-targeted.conf (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/refpolicy-booleans-mls.conf
diff -u /dev/null SOURCES/refpolicy-booleans-mls.conf:1.1
--- /dev/null	Thu Apr 27 03:23:24 2006
+++ SOURCES/refpolicy-booleans-mls.conf	Thu Apr 27 03:23:18 2006
@@ -0,0 +1,209 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+# 
+allow_execmem = true
+
+# Allow making a modified private filemapping executable (text relocation).
+# 
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+# 
+allow_execstack = true
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+# 
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+# 
+allow_gssd_read_tmp = false
+
+# Allow Apache to modify public filesused for public file transfer services.
+# 
+allow_httpd_anon_write = false
+
+# Allow system to run with kerberos
+# 
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+# 
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+# 
+allow_saslauthd_read_shadow = false
+
+# Allow samba to modify public filesused for public file transfer services.
+# 
+allow_smbd_anon_write = false
+
+# Allow sysadm to ptrace all processes
+# 
+allow_ptrace = false
+
+# Allow system to run with NIS
+# 
+allow_ypbind = false
+
+# Enable extra rules in the cron domainto support fcron.
+# 
+fcron_crond = false
+
+# Allow ftp to read and write files in the user home directories
+# 
+ftp_home_dir = false
+
+# Allow ftpd to run directly without inetd
+# 
+ftpd_is_daemon = true
+
+# Allow httpd to use built in scripting (usually php)
+# 
+httpd_builtin_scripting = false
+
+# Allow http daemon to tcp connect
+# 
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+# 
+httpd_enable_cgi = false
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+# 
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+# 
+httpd_enable_homedirs = false
+
+# Run SSI execs in system CGI script domain.
+# 
+httpd_ssi_exec = false
+
+# Allow http daemon to communicate with the TTY
+# 
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+# 
+httpd_unified = false
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+# 
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+# 
+nfs_export_all_rw = false
+
+# Allow nfs to be exported read only
+# 
+nfs_export_all_ro = false
+
+# Allow pppd to load kernel modules for certain modems
+# 
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+# 
+read_default_t = false
+
+# Allow ssh to run from inetd instead of as a daemon.
+# 
+run_ssh_inetd = false
+
+# Allow samba to export user home directories.
+# 
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+# 
+squid_connect_any = false
+
+# Allow ssh logins as sysadm_r:sysadm_t
+# 
+ssh_sysadm_login = false
+
+# Configure stunnel to be a standalone daemon orinetd service.
+# 
+stunnel_is_daemon = false
+
+# Support NFS home directories
+# 
+use_nfs_home_dirs = false
+
+# Support SAMBA home directories
+# 
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+# 
+user_ping = false
+
+# Allow gpg executable stack
+# 
+allow_gpg_execstack = false
+
+# allow host key based authentication
+# 
+allow_ssh_keysign = false
+
+# Allow users to connect to mysql
+# 
+allow_user_mysql_connect = false
+
+# Allow system cron jobs to relabel filesystemfor restoring file contexts.
+# 
+cron_can_relabel = false
+
+# Allow pppd to be run for a regular user
+# 
+pppd_for_user = false
+
+# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
+# 
+read_untrusted_content = false
+
+# Allow user spamassassin clients to use the network.
+# 
+spamassassin_can_network = false
+
+# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
+# 
+staff_read_sysadm_file = false
+
+# Allow regular users direct mouse access
+# 
+user_direct_mouse = false
+
+# Allow users to read system messages.
+# 
+user_dmesg = false
+
+# Allow users to control network interfaces(also needs USERCTL=true)
+# 
+user_net_control = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+# 
+user_rw_noexattrfile = false
+
+# Allow users to rw usb devices
+# 
+user_rw_usb = false
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
+# 
+user_tcp_server = false
+
+# Allow w to display everyone
+# 
+user_ttyfile_stat = false
+
+# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
+# 
+write_untrusted_content = false
+
+spamd_enable_home_dirs = false
\ No newline at end of file
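Review bot: `allow_execmem = true` (L26) and `allow_execstack = true` (L34) enable executable anonymous memory and executable stacks for every domain the policy covers, which gives up the W^X protection the rest of this MLS policy otherwise enforces, and nothing in the file records why PLD ships them on by default. A comment above each, such as `# Enabled for PLD: <list the packages that need execmem/execstack here>`, would let a later maintainer re-evaluate the exception; the same applies to the strict file at L262 and L271. `spamd_enable_home_dirs = false` on the last line is the only boolean without a description comment; it should get one in the same form as the other entries (`# <what spamd_enable_home_dirs permits>`). The file also ends without a trailing newline (`\ No newline at end of file`), unlike the strict and targeted variants, which matters if the build concatenates these files.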

================================================================
Index: SOURCES/refpolicy-booleans-strict.conf
diff -u /dev/null SOURCES/refpolicy-booleans-strict.conf:1.1
--- /dev/null	Thu Apr 27 03:23:24 2006
+++ SOURCES/refpolicy-booleans-strict.conf	Thu Apr 27 03:23:19 2006
@@ -0,0 +1,229 @@
+#
+# Enabling secure mode disallows programs, such as
+# newrole, from transitioning to administrative
+# user domains.
+#
+secure_mode = false
+
+#
+# Disable transitions to insmod.
+#
+secure_mode_insmod = false
+
+#
+# boolean to determine whether the system permits loading policy, setting
+# enforcing mode, and changing boolean values.  Set this to true and you
+# have to reboot to set it back
+#
+secure_mode_policyload = false
+
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+#
+allow_execmem = true
+
+# Allow making a modified private filemapping executable (text relocation).
+#
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.
+# Also requires allow_execmem.
+#
+allow_execstack = true
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+#
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+#
+allow_gssd_read_tmp = false
+
+# Allow Apache to modify public filesused for public file transfer services.
+#
+allow_httpd_anon_write = false
+
+# Allow system to run with kerberos
+#
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+#
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+#
+allow_saslauthd_read_shadow = false
+
+# Allow samba to modify public filesused for public file transfer services.
+#
+allow_smbd_anon_write = false
+
+# Allow sysadm to ptrace all processes
+#
+allow_ptrace = false
+
+# Allow system to run with NIS
+#
+allow_ypbind = false
+
+# Enable extra rules in the cron domainto support fcron.
+#
+fcron_crond = false
+
+# Allow ftp to read and write files in the user home directories
+#
+ftp_home_dir = false
+
+# Allow ftpd to run directly without inetd
+#
+ftpd_is_daemon = true
+
+# Allow httpd to use built in scripting (usually php)
+#
+httpd_builtin_scripting = false
+
+# Allow http daemon to tcp connect
+#
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+#
+httpd_enable_cgi = false
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+#
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+#
+httpd_enable_homedirs = false
+
+# Run SSI execs in system CGI script domain.
+#
+httpd_ssi_exec = false
+
+# Allow http daemon to communicate with the TTY
+#
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+#
+httpd_unified = false
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+#
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+#
+nfs_export_all_rw = false
+
+# Allow nfs to be exported read only
+#
+nfs_export_all_ro = false
+
+# Allow pppd to load kernel modules for certain modems
+#
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+#
+read_default_t = false
+
+# Allow ssh to run from inetd instead of as a daemon.
+#
+run_ssh_inetd = false
+
+# Allow samba to export user home directories.
+#
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+#
+squid_connect_any = false
+
+# Allow ssh logins as sysadm_r:sysadm_t
+#
+ssh_sysadm_login = false
+
+# Configure stunnel to be a standalone daemon orinetd service.
+#
+stunnel_is_daemon = false
+
+# Support NFS home directories
+#
+use_nfs_home_dirs = false
+
+# Support SAMBA home directories
+#
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+#
+user_ping = false
+
+# Allow gpg executable stack
+#
+allow_gpg_execstack = false
+
+# allow host key based authentication
+#
+allow_ssh_keysign = false
+
+# Allow users to connect to mysql
+#
+allow_user_mysql_connect = false
+
+# Allow system cron jobs to relabel filesystemfor restoring file contexts.
+#
+cron_can_relabel = false
+
+# Allow pppd to be run for a regular user
+#
+pppd_for_user = false
+
+# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
+#
+read_untrusted_content = false
+
+# Allow user spamassassin clients to use the network.
+#
+spamassassin_can_network = false
+
+# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
+#
+staff_read_sysadm_file = false
+
+# Allow regular users direct mouse access
+#
+user_direct_mouse = false
+
+# Allow users to read system messages.
+#
+user_dmesg = false
+
+# Allow users to control network interfaces(also needs USERCTL=true)
+#
+user_net_control = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+#
+user_rw_noexattrfile = false
+
+# Allow users to rw usb devices
+#
+user_rw_usb = false
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
+#
+user_tcp_server = false
+
+# Allow w to display everyone
+#
+user_ttyfile_stat = false
+
+# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
+#
+write_untrusted_content = false
+
+spamd_enable_home_dirs = false
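Review bot: Apart from the three `secure_mode*` entries at the top (L246–L258), this file repeats the mls file's boolean list entry by entry, down to the run-together comment text (`filesused`, `domainto`, `e.g.for`), so the two copies are likely to drift as booleans are added — the targeted variant already carries `httpd_can_network_connect_db` and `httpd_can_network_relay`, which neither of the other two has, and it is not clear from the page whether that is intentional. If the per-policy differences are only a handful of values, generating the three files from one list would be safer; failing that, a header line naming the consumer, e.g. `# booleans.conf for the strict refpolicy build; read by the refpolicy Makefile`, would at least tell a reader which policy type each copy belongs to. The `secure_mode_policyload` comment is the only one that states the operational consequence of flipping a value (reboot required to revert); the other comment blocks would benefit from the same where it applies.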

================================================================
Index: SOURCES/refpolicy-booleans-targeted.conf
diff -u /dev/null SOURCES/refpolicy-booleans-targeted.conf:1.1
--- /dev/null	Thu Apr 27 03:23:24 2006
+++ SOURCES/refpolicy-booleans-targeted.conf	Thu Apr 27 03:23:19 2006
@@ -0,0 +1,216 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+# 
+allow_execmem = true
+
+# Allow making a modified private filemapping executable (text relocation).
+# 
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+# 
+allow_execstack = true
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+# 
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+# 
+allow_gssd_read_tmp = true
+
+# Allow Apache to modify public filesused for public file transfer services.
+# 
+allow_httpd_anon_write = false
+
+# Allow system to run with kerberos
+# 
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+# 
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+# 
+allow_saslauthd_read_shadow = false
+
+# Allow samba to modify public filesused for public file transfer services.
+# 
+allow_smbd_anon_write = false
+
+# Allow sysadm to ptrace all processes
+# 
+allow_ptrace = false
+
+# Allow system to run with NIS
+# 
+allow_ypbind = false
+
+# Enable extra rules in the cron domainto support fcron.
+# 
+fcron_crond = false
+
+# Allow ftp to read and write files in the user home directories
+# 
+ftp_home_dir = false
+
+# Allow ftpd to run directly without inetd
+# 
+ftpd_is_daemon = true
+
+#
+# allow httpd to connect to mysql/posgresql 
+httpd_can_network_connect_db = false
+
+#
+# allow httpd to network relay
+httpd_can_network_relay = false
+
+# Allow httpd to use built in scripting (usually php)
+# 
+httpd_builtin_scripting = true
+
+# Allow http daemon to tcp connect
+# 
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+# 
+httpd_enable_cgi = true
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+# 
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+# 
+httpd_enable_homedirs = true
+
+# Run SSI execs in system CGI script domain.
+# 
+httpd_ssi_exec = true
+
+# Allow http daemon to communicate with the TTY
+# 
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+# 
+httpd_unified = true
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+# 
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+# 
+nfs_export_all_rw = true
+
+# Allow nfs to be exported read only
+# 
+nfs_export_all_ro = true
+
+# Allow pppd to load kernel modules for certain modems
+# 
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+# 
+read_default_t = true
+
+# Allow ssh to run from inetd instead of as a daemon.
+# 
+run_ssh_inetd = false
+
+# Allow samba to export user home directories.
+# 
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+# 
+squid_connect_any = false
+
+# Allow ssh logins as sysadm_r:sysadm_t
+# 
+ssh_sysadm_login = false
+
+# Configure stunnel to be a standalone daemon orinetd service.
+# 
+stunnel_is_daemon = false
+
<<Diff was trimmed, longer than 597 lines>>

