Blame strict/tunables/tunable.tun
|
Chris PeBenito |
0fbfa5 |
# Allow users to execute the mount command
|
|
Chris PeBenito |
0fbfa5 |
define(`user_can_mount')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow rpm to run unconfined.
|
|
Chris PeBenito |
0fbfa5 |
#define(`unlimitedRPM')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow privileged utilities like hotplug and insmod to run unconfined.
|
|
Chris PeBenito |
0fbfa5 |
#define(`unlimitedUtils')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow rc scripts to run unconfined, including any daemon
|
|
Chris PeBenito |
0fbfa5 |
# started by an rc script that does not have a domain transition
|
|
Chris PeBenito |
0fbfa5 |
# explicitly defined.
|
|
Chris PeBenito |
0fbfa5 |
#define(`unlimitedRC')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow sysadm_t to directly start daemons
|
|
Chris PeBenito |
0fbfa5 |
define(`direct_sysadm_daemon')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Do not audit things that we know to be broken but which
|
|
Chris PeBenito |
0fbfa5 |
# are not security risks
|
|
Chris PeBenito |
0fbfa5 |
define(`hide_broken_symptoms')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
|
|
Chris PeBenito |
0fbfa5 |
# Otherwise, only staff_r can do so.
|
|
Chris PeBenito |
0fbfa5 |
define(`user_canbe_sysadm')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow xinetd to run unconfined, including any services it starts
|
|
Chris PeBenito |
0fbfa5 |
# that do not have a domain transition explicitly defined.
|
|
Chris PeBenito |
0fbfa5 |
dnl define(`unlimitedInetd')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for ndc_t to be used for restart shell scripts
|
|
Chris PeBenito |
0fbfa5 |
dnl define(`ndc_shell_script')
|