authorChris PeBenito <cpebenito@tresys.com>2006-07-28 15:13:58 +0000
committerChris PeBenito <cpebenito@tresys.com>2006-07-28 15:13:58 +0000
commit46551033aa876d98b98f9442f8208ab069f18d28 (patch)
tree7ee7b6344f9f46c1f566fbdf3643982add69baee /policy/global_tunables
parent81aa67fcc02f04bb2e21d8692b3e20d2e75b5f4d (diff)
patch from dan Wed, 26 Jul 2006 14:42:46 -0400
Diffstat (limited to 'policy/global_tunables')
-rw-r--r--policy/global_tunables75
1 files changed, 42 insertions, 33 deletions
diff --git a/policy/global_tunables b/policy/global_tunables
index ec5cc933..0cb55b81 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -19,6 +19,14 @@ gen_tunable(allow_cvs_read_shadow,false)
## <desc>
## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
+## </desc>
+#
+gen_tunable(allow_zebra_write_config,false)
+
+## <desc>
+## <p>
## Allow making the heap executable.
## </p>
## </desc>
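Review bot: The description added for `allow_zebra_write_config` has a typo ("write it configuration files") and is followed by a lone `#` line before `gen_tunable`, which the other tunable added in this commit (`allow_httpd_mod_auth_pam`) does not have. I would write `## Allow zebra daemon to write its configuration files` and drop the `#` line so the block matches its neighbours. Because the boolean lets a routing daemon modify its own configuration, the description could also say that enabling it allows the daemon to persist configuration changes. The default of `false` is the right one to keep.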
@@ -89,6 +97,13 @@ gen_tunable(allow_httpd_anon_write,false)
## <desc>
## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
+## <desc>
+## <p>
## Allow java executable stack
## </p>
## </desc>
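Review bot: The description for `allow_httpd_mod_auth_pam` names the Apache module but not the access the boolean opens, so an administrator cannot judge the risk of enabling it from the generated documentation alone. The rules it guards live in the apache policy module and are not visible in this file; presumably they let the httpd domain perform PAM authentication, which would bring a network-facing service closer to system credential data. I would extend the text along the lines of `## Allow Apache to use mod_auth_pam (lets httpd authenticate users through PAM)` and confirm the wording against the rules the boolean actually enables.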
@@ -132,12 +147,6 @@ gen_tunable(allow_saslauthd_read_shadow,false)
## </desc>
gen_tunable(allow_smbd_anon_write,false)
-## <desc>
-## <p>
-## Allow sysadm to ptrace all processes
-## </p>
-## </desc>
-gen_tunable(allow_ptrace,false)
## <desc>
## <p>
@@ -290,13 +299,6 @@ gen_tunable(read_default_t,false)
## <desc>
## <p>
-## Allow ssh to run from inetd instead of as a daemon.
-## </p>
-## </desc>
-gen_tunable(run_ssh_inetd,false)
-
-## <desc>
-## <p>
## Allow samba to export user home directories.
## </p>
## </desc>
@@ -311,13 +313,6 @@ gen_tunable(samba_share_nfs,false)
## <desc>
## <p>
-## Allow spamassassin to do DNS lookups
-## </p>
-## </desc>
-gen_tunable(spamassasin_can_network,false)
-
-## <desc>
-## <p>
## Allow squid to connect to all ports, not just
## HTTP, FTP, and Gopher ports.
## </p>
@@ -326,13 +321,6 @@ gen_tunable(squid_connect_any,false)
## <desc>
## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
-## </p>
-## </desc>
-gen_tunable(ssh_sysadm_login,false)
-
-## <desc>
-## <p>
## Configure stunnel to be a standalone daemon or
## inetd service.
## </p>
@@ -353,6 +341,12 @@ gen_tunable(use_nfs_home_dirs,false)
## </desc>
gen_tunable(use_samba_home_dirs,false)
+########################################
+#
+# Strict policy specific
+#
+
+ifdef(`strict_policy',`
## <desc>
## <p>
## Control users use of ping and traceroute
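Review bot: Moving the strict_policy `ifdef` opener above `user_ping` means this boolean is now declared only in strict builds, and the hunks that re-add `allow_ptrace`, `run_ssh_inetd` and `ssh_sysadm_login` further down appear to do the same for those three. Any `tunable_policy` block that references one of these names outside a matching strict_policy `ifdef` would then refer to an undeclared boolean in a targeted build; the module files are not part of this diffstat, so that needs checking by hand. The misspelled `spamassasin_can_network` is removed outright rather than moved, so the same check applies to anything still using that name. The closing quote and parenthesis of the `ifdef` lie outside this hunk. A short comment under the header, e.g. `# Booleans below are declared only when strict_policy is defined.`, would make the scope explicit.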
@@ -360,12 +354,6 @@ gen_tunable(use_samba_home_dirs,false)
## </desc>
gen_tunable(user_ping,false)
-########################################
-#
-# Strict policy specific
-#
-
-ifdef(`strict_policy',`
## <desc>
## <p>
## Allow gpg executable stack
@@ -382,6 +370,13 @@ gen_tunable(allow_mplayer_execstack,false)
## <desc>
## <p>
+## Allow sysadm to ptrace all processes
+## </p>
+## </desc>
+gen_tunable(allow_ptrace,false)
+
+## <desc>
+## <p>
## allow host key based authentication
## </p>
## </desc>
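Review bot: The description `Allow sysadm to ptrace all processes` understates what the boolean grants: ptrace access lets the sysadm domain read and alter the memory of any process, including ones that hold keys or passwords. Since the block is being re-added here anyway, I would say so in the text, e.g. `## Allow sysadm to ptrace all processes (gives access to the memory of every process; leave off unless debugging)`. The default stays `false`, which is the safe setting.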
@@ -482,6 +477,13 @@ gen_tunable(read_untrusted_content,false)
## <desc>
## <p>
+## Allow ssh to run from inetd instead of as a daemon.
+## </p>
+## </desc>
+gen_tunable(run_ssh_inetd,false)
+
+## <desc>
+## <p>
## Allow user spamassassin clients to use the network.
## </p>
## </desc>
@@ -489,6 +491,13 @@ gen_tunable(spamassassin_can_network,false)
## <desc>
## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login,false)
+
+## <desc>
+## <p>
## Allow staff_r users to search the sysadm home
## dir and read files (such as ~/.bashrc)
## </p>