[selinux-policy: 1873/3172] trunk: Improve several tunables descriptions from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:46:58 UTC 2010


commit dd9e1de35e778c3f2cbd357031611d883c14ff75
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Dec 7 15:44:53 2007 +0000

    trunk: Improve several tunables descriptions from Dan Walsh.

 Changelog                           |    1 +
 policy/global_tunables              |   15 ++++++---------
 policy/modules/services/apache.te   |   15 +++++++++------
 policy/modules/services/bind.te     |    2 +-
 policy/modules/services/ftp.te      |    5 +++--
 policy/modules/services/kerberos.te |    2 +-
 policy/modules/services/rpc.te      |    5 +++--
 policy/modules/services/rsync.te    |    5 +++--
 policy/modules/services/samba.te    |   14 ++++++++------
 policy/modules/system/mount.te      |    2 +-
 policy/modules/system/userdomain.te |    2 +-
 11 files changed, 37 insertions(+), 31 deletions(-)
---
diff --git a/Changelog b/Changelog
index fb936e2..a892416 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Improve several tunables descriptions from Dan Walsh.
 - Patch to clean up ns switch usage in the policy from Dan Walsh.
 - More complete labeled networking infrastructure from KaiGai Kohei.
 - Add interface for libselinux constructor, for libselinux-linked
diff --git a/policy/global_tunables b/policy/global_tunables
index 7a1d85d..ee3e484 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -6,31 +6,28 @@
 
 ## <desc>
 ## <p>
-## Allow making the heap executable.
+## Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
 ## </p>
 ## </desc>
 gen_tunable(allow_execheap,false)
 
 ## <desc>
 ## <p>
-## Allow making anonymous memory executable, e.g. 
-## for runtime-code generation or executable stack.
+## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
 ## </p>
 ## </desc>
 gen_tunable(allow_execmem,false)
 
 ## <desc>
 ## <p>
-## Allow making a modified private file
-## mapping executable (text relocation).
+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
 ## </p>
 ## </desc>
 gen_tunable(allow_execmod,false)
 
 ## <desc>
 ## <p>
-## Allow making the stack executable via mprotect.
-## Also requires allow_execmem.
+## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
 ## </p>
 ## </desc>
 gen_tunable(allow_execstack,false)
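Review bot: The new descriptions for allow_execmem, allow_execmod and allow_execstack each end in a stray `")`, which looks like residue from a quoted string they were copied from and would appear verbatim in anything generated from these `## <desc>` blocks. Drop the trailing `")` and end each sentence with a period, e.g. `## Allow unconfined executables to make their stack executable.`. The allow_execstack text also loses the old remark that the boolean also requires allow_execmem; if that dependency still holds, keep `## Also requires allow_execmem.` so an administrator who enables only one of the two can tell why the denial persists. The four new description lines are also much longer than the wrapped `##` lines elsewhere in the file and would read better wrapped the same way.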
@@ -73,14 +70,14 @@ gen_tunable(mail_read_content,false)
 
 ## <desc>
 ## <p>
-## Allow nfs to be exported read/write.
+## Allow any files/directories to be exported read/write via NFS.
 ## </p>
 ## </desc>
 gen_tunable(nfs_export_all_rw,false)
 
 ## <desc>
 ## <p>
-## Allow nfs to be exported read only
+## Allow any files/directories to be exported read/only via NFS.
 ## </p>
 ## </desc>
 gen_tunable(nfs_export_all_ro,false)
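Review bot: In the nfs_export_all_ro description, `read/only` looks like a typo carried over from the `read/write` line above it. `## Allow any files/directories to be exported read only via NFS.` would match the wording this commit uses for rsync_export_all_ro and samba_export_all_ro. These strings are what an administrator reads before enabling a boolean that exports any file, so consistent phrasing across the NFS, rsync and samba variants is worth having.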
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 5a2acaf..6876229 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -23,7 +23,8 @@ policy_module(apache,1.8.4)
 ## <desc>
 ## <p>
 ## Allow Apache to modify public files
-## used for public file transfer services.
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_httpd_anon_write,false)
@@ -44,14 +45,14 @@ gen_tunable(httpd_builtin_scripting,false)
 
 ## <desc>
 ## <p>
-## Allow http daemon to tcp connect
+## Allow HTTPD scripts and modules to connect to the network using TCP.
 ## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect,false)
 
 ## <desc>
 ## <p>
-## Allow httpd to connect to mysql/posgresql
+## Allow HTTPD scripts and modules to connect to databases over the network.
 ## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect_db, false)
@@ -87,21 +88,23 @@ gen_tunable(httpd_enable_homedirs,false)
 
 ## <desc>
 ## <p>
-## Run SSI execs in system CGI script domain.
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
 ## </p>
 ## </desc>
 gen_tunable(httpd_ssi_exec,false)
 
 ## <desc>
 ## <p>
-## Allow http daemon to communicate with the TTY
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
 ## </p>
 ## </desc>
 gen_tunable(httpd_tty_comm,false)
 
 ## <desc>
 ## <p>
-## Run CGI in the main httpd domain
+## Unify HTTPD handling of all content files.
 ## </p>
 ## </desc>
 gen_tunable(httpd_unified,false)
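Review bot: The httpd_tty_comm description now begins `Unify HTTPD to communicate with the terminal.`, which does not parse and looks as if the verb from the httpd_unified entry below leaked into it; `## Allow HTTPD to communicate with the terminal.` keeps the meaning of the line it replaces. The httpd_unified text `Unify HTTPD handling of all content files.` also drops what the old line stated, that CGI runs in the main httpd domain. That loss of separation between the server and its scripts is what someone deciding on this boolean needs to know, so I would keep a sentence saying so if it is still accurate.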
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index bed8859..83ef603 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -9,7 +9,7 @@ policy_module(bind,1.5.2)
 ## <desc>
 ## <p>
 ## Allow BIND to write the master zone files.
-## Generally this is used for dynamic DNS.
+## Generally this is used for dynamic DNS or zone transfers.
 ## </p>
 ## </desc>
 gen_tunable(named_write_master_zones,false)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index c264778..a8757c0 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -8,8 +8,9 @@ policy_module(ftp,1.6.1)
 
 ## <desc>
 ## <p>
-## Allow ftp servers to modify public files
-## used for public file transfer services.
+## Allow ftp servers to upload files,  used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_ftpd_anon_write,false)
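Review bot: The allow_ftpd_anon_write text says only `Directories must be labeled public_content_rw_t`, while the apache, nfsd, rsync and samba descriptions in this same commit name both files and directories. Unless ftp really differs, the labeling requirement should read the same everywhere, e.g. `## Files/Directories must be labeled public_content_rw_t.`. The first sentence, `Allow ftp servers to upload files,  used for public file transfer services.`, also reads oddly with its comma and double space; `## Allow ftp servers to upload files used for public file transfer services.` would be cleaner.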
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 996cd0e..bfb6773 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -8,7 +8,7 @@ policy_module(kerberos,1.5.1)
 
 ## <desc>
 ## <p>
-## Allow system to run with kerberos
+## Allow confined applications to run with kerberos.
 ## </p>
 ## </desc>
 gen_tunable(allow_kerberos,false)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index d9cf3f2..cc548df 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -8,7 +8,7 @@ policy_module(rpc,1.6.2)
 
 ## <desc>
 ## <p>
-## Allow gssd to read temp directory.
+## Allow gssd to read temp directory.  For access to kerberos tgt.
 ## </p>
 ## </desc>
 gen_tunable(allow_gssd_read_tmp,true)
@@ -16,7 +16,8 @@ gen_tunable(allow_gssd_read_tmp,true)
 ## <desc>
 ## <p>
 ## Allow nfs servers to modify public files
-## used for public file transfer services.
+## used for public file transfer services.  Files/Directories must be
+## labeled public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_nfsd_anon_write,false)
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 58d9fa8..3613947 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -8,7 +8,7 @@ policy_module(rsync,1.5.3)
 
 ## <desc>
 ## <p>
-## Allow rsync export files read only
+## Allow rsync to export any files/directories read only.
 ## </p>
 ## </desc>
 gen_tunable(rsync_export_all_ro,false)
@@ -16,7 +16,8 @@ gen_tunable(rsync_export_all_ro,false)
 ## <desc>
 ## <p>
 ## Allow rsync to modify public files
-## used for public file transfer services.
+## used for public file transfer services.  Files/Directories must be
+## labeled public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_rsync_anon_write,false)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 38c6b4d..2a1f458 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -8,15 +8,17 @@ policy_module(samba,1.6.4)
 
 ## <desc>
 ## <p>
-## Allow samba to modify public files
-## used for public file transfer services.
+## Allow samba to modify public files used for public file
+## transfer services.  Files/Directories must be labeled
+## public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_smbd_anon_write,false)
 
 ## <desc>
 ## <p>
-## Allow samba to run as the domain controller; add machines to passwd file
+## Allow samba to act as the domain controller, add users,
+## groups and change passwords.
 ## 
 ## </p>
 ## </desc>
@@ -24,21 +26,21 @@ gen_tunable(samba_domain_controller,false)
 
 ## <desc>
 ## <p>
-## Allow samba to export user home directories.
+## Allow samba to share users home directories.
 ## </p>
 ## </desc>
 gen_tunable(samba_enable_home_dirs,false)
 
 ## <desc>
 ## <p>
-## Export all files on system read only.
+## Allow samba to share any file/directory read only.
 ## </p>
 ## </desc>
 gen_tunable(samba_export_all_ro,false)
 
 ## <desc>
 ## <p>
-## Export all files on system read-write.
+## Allow samba to share any file/directory read/write.
 ## </p>
 ## </desc>
 gen_tunable(samba_export_all_rw,false)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 86d0ad7..42a1687 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -8,7 +8,7 @@ policy_module(mount,1.8.2)
 
 ## <desc>
 ## <p>
-## Allow mount to mount any file
+## Allow the mount command to mount any directory or file.
 ## </p>
 ## </desc>
 gen_tunable(allow_mount_anyfile,false)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index cf9b454..1ad9ecd 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -17,7 +17,7 @@ gen_require(`
 
 ## <desc>
 ## <p>
-## Allow sysadm to ptrace all processes
+## Allow sysadm to debug or ptrace all processes.
 ## </p>
 ## </desc>
 gen_tunable(allow_ptrace,false)

