From 89c62b6de44b52bb3b8fbada1159cf08c302e799 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 06 2012 13:21:32 +0000 Subject: Turn off all tunables by default, from Guido Trentalancia. --- diff --git a/mcelog.te b/mcelog.te index 6e44f91..807cc55 100644 --- a/mcelog.te +++ b/mcelog.te @@ -30,7 +30,7 @@ gen_tunable(mcelog_exec_scripts, true) ## print out usage and version information. ##

## -gen_tunable(mcelog_foreground, true) +gen_tunable(mcelog_foreground, false) ## ##

@@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false) ## syslog option. ##

## -gen_tunable(mcelog_syslog, true) +gen_tunable(mcelog_syslog, false) type mcelog_t; type mcelog_exec_t; diff --git a/qemu.te b/qemu.te index 9681d82..9c1eb51 100644 --- a/qemu.te +++ b/qemu.te @@ -17,7 +17,7 @@ gen_tunable(qemu_full_network, false) ## Allow qemu to use cifs/Samba file systems ##

## -gen_tunable(qemu_use_cifs, true) +gen_tunable(qemu_use_cifs, false) ## ##

@@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false) ## Allow qemu to use nfs file systems ##

## -gen_tunable(qemu_use_nfs, true) +gen_tunable(qemu_use_nfs, false) ## ##

## Allow qemu to use usb devices ##

## -gen_tunable(qemu_use_usb, true) +gen_tunable(qemu_use_usb, false) type qemu_exec_t; virt_domain_template(qemu) diff --git a/rpc.te b/rpc.te index 330d01f..06e6bf0 100644 --- a/rpc.te +++ b/rpc.te @@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0) ## Allow gssd to read temp directory. For access to kerberos tgt. ##

## -gen_tunable(allow_gssd_read_tmp, true) +gen_tunable(allow_gssd_read_tmp, false) ## ##

diff --git a/spamassassin.te b/spamassassin.te index 1bbf73b..694b269 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, false) ## Allow spamd to read/write user home directories. ##

## -gen_tunable(spamd_enable_home_dirs, true) +gen_tunable(spamd_enable_home_dirs, false) type spamassassin_t; type spamassassin_exec_t; diff --git a/virt.te b/virt.te index 947bbc6..9ef87b2 100644 --- a/virt.te +++ b/virt.te @@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs, false) ## Allow virt to use usb devices ##

## -gen_tunable(virt_use_usb, true) +gen_tunable(virt_use_usb, false) virt_domain_template(svirt) role system_r types svirt_t; diff --git a/xen.te b/xen.te index 07033bb..89a2fe6 100644 --- a/xen.te +++ b/xen.te @@ -11,7 +11,7 @@ policy_module(xen, 1.12.0) ## Not required if using dedicated logical volumes for disk images. ##

## -gen_tunable(xend_run_blktap, true) +gen_tunable(xend_run_blktap, false) ## ##

@@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true) ## Not required if using paravirt and no vfb. ##

## -gen_tunable(xend_run_qemu, true) +gen_tunable(xend_run_qemu, false) ## ##

diff --git a/xguest.te b/xguest.te index e88b95f..eb10cab 100644 --- a/xguest.te +++ b/xguest.te @@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0) ## Allow xguest users to mount removable media ##

## -gen_tunable(xguest_mount_media, true) +gen_tunable(xguest_mount_media, false) ## ##

## Allow xguest to configure Network Manager ##

## -gen_tunable(xguest_connect_network, true) +gen_tunable(xguest_connect_network, false) ## ##

## Allow xguest to use blue tooth devices ##

## -gen_tunable(xguest_use_bluetooth, true) +gen_tunable(xguest_use_bluetooth, false) role xguest_r;