[selinux-policy/f18] Simplify booleans defaults files and fix renamed booleans

Daniel J Walsh dwalsh at fedoraproject.org
Wed Sep 26 18:51:40 UTC 2012


commit b6b45f99d2571de84ce81b32fa58875c4897617c
Author: rhatdan <dwalsh at redhat.com>
Date:   Wed Sep 26 14:51:05 2012 -0400

    Simplify booleans defaults files and fix renamed booleans

 booleans-mls.conf      |  235 +-------------------------------------
 booleans-targeted.conf |  298 +++---------------------------------------------
 2 files changed, 20 insertions(+), 513 deletions(-)
---
diff --git a/booleans-mls.conf b/booleans-mls.conf
index 2a24df1..65ccfa4 100644
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@@ -1,233 +1,6 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-# 
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-# 
-allow_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-# 
-allow_execstack = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-# 
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-# 
-allow_gssd_read_tmp = false
-
-# Allow Apache to modify public filesused for public file transfer services.
-# 
-allow_httpd_anon_write = false
-
-# Allow system to run with kerberos
-# 
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-# 
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-# 
-allow_saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-# 
-allow_smbd_anon_write = false
-
-# Deny all processes the ability to ptrace other processes
-# 
-deny_ptrace = true
-
-# Allow system to run with NIS
-# 
-allow_ypbind = false
-
-# Enable extra rules in the cron domainto support fcron.
-# 
-fcron_crond = false
-
-# Allow ftp to read and write files in the user home directories
-# 
-ftp_home_dir = false
-
-# Allow ftpd to run directly without inetd
-# 
+kerberos_enabled = true
+mount_anyfile = true
+polyinstantiation_enabled = true
 ftpd_is_daemon = true
-
-# Allow httpd to use built in scripting (usually php)
-# 
-httpd_builtin_scripting = false
-
-# Allow http daemon to tcp connect
-# 
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-# 
-httpd_enable_cgi = false
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-# 
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-# 
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-# 
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-# 
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-# 
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-# 
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-# 
-nfs_export_all_rw = false
-
-# Allow nfs to be exported read only
-# 
-nfs_export_all_ro = false
-
-# Allow pppd to load kernel modules for certain modems
-# 
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-# 
-read_default_t = false
-
-# Allow ssh to run from inetd instead of as a daemon.
-# 
-run_ssh_inetd = false
-
-# Allow samba to export user home directories.
-# 
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
-squid_connect_any = false
-
-# Allow ssh logins as sysadm_r:sysadm_t
-# 
-ssh_sysadm_login = false
-
-# Configure stunnel to be a standalone daemon orinetd service.
-# 
-stunnel_is_daemon = false
-
-# Support NFS home directories
-# 
-use_nfs_home_dirs = false
-
-# Support SAMBA home directories
-# 
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-# 
-user_ping = true
-
-# Allow gpg executable stack
-# 
-allow_gpg_execstack = false
-
-# allow host key based authentication
-# 
-allow_ssh_keysign = false
-
-# Allow users to connect to mysql
-# 
-allow_user_mysql_connect = false
-
-# Allow system cron jobs to relabel filesystemfor restoring file contexts.
-# 
-cron_can_relabel = false
-
-# Allow pppd to be run for a regular user
-# 
-pppd_for_user = false
-
-# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
-# 
-read_untrusted_content = false
-
-# Allow user spamassassin clients to use the network.
-# 
-spamassassin_can_network = false
-
-# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
-# 
-staff_read_sysadm_file = false
-
-# Allow regular users direct mouse access
-# 
-user_direct_mouse = false
-
-# Allow users to read system messages.
-# 
-user_dmesg = false
-
-# Allow users to control network interfaces(also needs USERCTL=true)
-# 
-user_net_control = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-# 
-user_rw_noexattrfile = false
-
-# Allow users to rw usb devices
-# 
-user_rw_usb = false
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
-# 
-user_tcp_server = false
-
-# Allow w to display everyone
-# 
-user_ttyfile_stat = false
-
-# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
-# 
-write_untrusted_content = false
-
-spamd_enable_home_dirs = false
-
-# Allow login domains to polyinstatiate directories
-# 
-allow_polyinstantiation = true
-
-# Allow mount command to mounton any directory
-# 
-allow_mounton_anydir = true
-
-# Allow unlabeled packets to flow
-# 
-allow_unlabeled_packets = true
-
-# Allow samba to act as the domain controller
-# 
-samba_domain_controller = false
-
-# Run the xserver as an object manager
-# 
+selinuxuser_ping = true
 xserver_object_manager = true
-
-# System uses init upstart program
-# 
-init_upstart = true
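Review bot: The new booleans-mls.conf carries no explicit `deny_ptrace` or `allow_unlabeled_packets` line, while the old side set `deny_ptrace = true` and `allow_unlabeled_packets = true` and neither name appears under a renamed key on the new side; the effective MLS value for both now comes from whatever the policy compiles in, and the commit message does not say whether that was intended. If omission is deliberate, a header comment such as `# Only booleans whose default differs from the compiled policy are listed; omitted booleans keep the policy default` would make the contract explicit; if not, those two lines should be restored under their current names. Every descriptive comment was also dropped, so a one-line header stating what this file is and which tool consumes it would help the next reader, since the bare keys no longer explain themselves.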
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 399b676..3b1151f 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,290 +1,24 @@
-# Turn off the ability for one process to read/modify another processes memory
-deny_ptrace = false
-
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-deny_execmem = false
-selinuxuser_execmem = true
-
-# Allow making a modified private filemapping executable (text relocation).
-# 
-selinuxuser_execmod = true
-
-# Allow making the stack executable via mprotect.Also requires selinuxuser_execmem.
-# 
-selinuxuser_execstack = true
-
-# Allow ftpd to read cifs directories.
-# 
-ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-# 
-ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-# 
-ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-# 
 gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-# 
-httpd_anon_write = false
-
-# Allow Apache to connect to port 80 for graceful shutdown
-# 
-httpd_graceful_shutdown = true
-
-# Allow Apache to use mod_auth_pam module
-# 
-httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-# 
-kerberos_enabled = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-# 
-rsync_anon_write = false
-
-# Allow sasl to read shadow
-# 
-saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-# 
-smbd_anon_write = false
-
-# Allow system to run with NIS
-# 
-nis_enabled = false
-
-# Allow zebra to write it own configuration files
-# 
-zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-# 
-fcron_crond = false
-
-# Allow ftp to read and write files in the user home directories
-# 
-ftp_home_dir = false
-
-#
-# allow httpd to connect to mysql/posgresql 
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = false
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-# 
 httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-# 
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-# 
 httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-# 
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-# 
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-# 
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-# 
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-# 
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-# 
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-# 
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-# 
+httpd_graceful_shutdown = true
+kerberos_enabled = true
+mount_anyfile = true
 nfs_export_all_ro = true
-
-## Allow openvpn to read home directories
-## 
+nfs_export_all_rw = true
+nscd_use_shm = true
 openvpn_enable_homedirs = true
-
-# Allow pppd to load kernel modules for certain modems
-# 
+postfix_local_write_mail_spool=true
 pppd_can_insmod = false
-
-# Allow reading of default_t files.
-# 
-read_default_t = false
-
-# Allow samba to export user home directories.
-# 
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
-squid_connect_any = true
-
-# Allow privoxy to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
 privoxy_connect_any = true
-
-# Support NFS home directories
-# 
-use_nfs_home_dirs = false
-
-# Support SAMBA home directories
-# 
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-# 
-user_ping = false
-
-# allow host key based authentication
-# 
-ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-# 
-pppd_for_user = false
-
-# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
-# 
-read_untrusted_content = false
-
-# Allow spamd to write to users homedirs
-# 
-spamd_enable_home_dirs = false
-
-# Allow regular users direct mouse access
-# 
-user_direct_mouse = false
-
-# Allow all X apps to use /dev/dri
-# 
-user_direct_dri = true
-
-# Allow users to read system messages.
-# 
-user_dmesg = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-# 
-user_rw_noexattrfile = false
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
-# 
-user_tcp_server = false
-
-# Allow w to display everyone
-# 
-user_ttyfile_stat = false
-
-# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
-# 
-write_untrusted_content = false
-
-# Allow all domains to talk to ttys
-# 
-daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-# 
-polyinstantiation_enabled = false
-
-# Allow all domains to dump core
-# 
-daemons_dump_core = false
-
-# Allow samba to act as the domain controller
-# 
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-# 
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-# 
-xserver_execmem = false
-
-# xguest now requires to execute content in homedir to allow gnome-shell to work# properly.
-xguest_exec_content = true
-
-# Only allow browser to use the web
-# 
-browser_confine_xguest=false
-
-# Allow postfix locat to write to mail spool
-# 
-postfix_local_write_mail_spool=true
-
-# Allow common users to read/write noexattrfile systems
-# 
-user_rw_noexattrfile=true
-
-# Allow qemu to connect fully to the network
-# 
-qemu_full_network=true
-
-# Allow unconfined domain to transition to confined domain
-# 
-unconfined_mozilla_plugin_transition=true
-
-# Allow unconfined domain to transition to confined domain
-# 
-unconfined_telepathy_transition=false
-
-# Allow unconfined domain to transition to chrome_sandbox confined domain
-# 
-unconfined_chrome_sandbox_transition=true
-
-# Allow telepathy domains to connect to all network ports
-# 
+selinuxuser_direct_dri_enabled = true
+selinuxuser_execmem = true
+selinuxuser_execmod = true
+selinuxuser_execstack = true
+selinuxuser_rw_noexattrfile=true
+selinuxuser_ping = true
+squid_connect_any = true
 telepathy_tcp_connect_generic_network_ports=true
-
-# System uses init upstart program
-# 
-init_upstart = true
-init_systemd = true
-
-# Allow mount to mount any file/dir
-# 
-mount_anyfile = true
-
-# Allow confined domains to communicate with ncsd via shared memory
-# 
-nscd_use_shm = true
-
-# Allow fenced domain to connect to the network using TCP.
-#
-fenced_can_network_connect=false
-
-## On upgrades we want this true, Want it false on fresh installs
-#
-authlogin_nsswitch_use_ldap=false
+unconfined_chrome_sandbox_transition=true
+unconfined_mozilla_plugin_transition=true
+xguest_exec_content = true
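Review bot: The added lines mix two delimiter styles: `postfix_local_write_mail_spool=true`, `selinuxuser_rw_noexattrfile=true`, `telepathy_tcp_connect_generic_network_ports=true`, `unconfined_chrome_sandbox_transition=true` and `unconfined_mozilla_plugin_transition=true` have no spaces around `=`, while the other new lines use `key = value`; the consuming tool presumably accepts both, but one form (e.g. `postfix_local_write_mail_spool = true`) keeps the file consistent and greppable. As in booleans-mls.conf, all explanatory comments were removed, including those for `selinuxuser_execmem`, `selinuxuser_execmod` and `selinuxuser_execstack = true`, which per the removed comments permit executable anonymous memory, text relocation and executable stacks for user domains; a short header comment stating that the file lists only booleans whose default differs from the compiled policy (the lone `pppd_can_insmod = false` suggests that is the intent — confirm) would document that choice. The dropped explicit `false` settings such as `deny_ptrace = false`, `fenced_can_network_connect=false` and `authlogin_nsswitch_use_ldap=false` now fall back to the compiled default, which is worth a sentence in the commit description.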

