selinux-policy/booleans-targeted.conf


#
# Disable kernel module loading.
#
secure_mode_insmod = false
#
# Boolean to determine whether the system permits loading policy, setting
# enforcing mode, and changing boolean values. Set this to true and you
# have to reboot to set it back.
#
secure_mode_policyload = false
#
# Enabling secure mode disallows programs, such as
# newrole, from transitioning to administrative
# user domains.
#
secure_mode = false
#
# Grant the firstboot domains read access to generic user content
#
firstboot_read_generic_user_content = true
#
# Grant the firstboot domains read access to all user content
#
firstboot_read_all_user_content = false
#
# Grant the firstboot domains manage rights on generic user content
#
firstboot_manage_generic_user_content = false
#
# Grant the firstboot domains manage rights on all user content
#
firstboot_manage_all_user_content = false
#
# Determine whether logwatch can connect
# to mail over the network.
#
logwatch_can_network_connect_mail = false
#
# Determine whether mcelog supports
# client mode.
#
mcelog_client = false
#
# Determine whether mcelog can execute scripts.
#
mcelog_exec_scripts = true
#
# Determine whether mcelog can use all
# the user ttys.
#
mcelog_foreground = false
#
# Determine whether mcelog supports
# server mode.
#
mcelog_server = false
#
# Determine whether mcelog can use syslog.
#
mcelog_syslog = false
#
# Control users' use of ping and traceroute.
#
user_ping = false
#
# Determine whether portage can
# use nfs filesystems.
#
portage_use_nfs = false
#
# Determine whether puppet can
# manage all non-security files.
#
puppet_manage_all_files = false
#
# Determine whether rkhunter can connect
# to http ports. This is required by the
# --update option.
#
rkhunter_connect_http = false
#
# Determine whether attempts by
# vbetool to mmap low regions should
# be silently blocked.
#
vbetool_mmap_zero_ignore = false
#
# Determine whether awstats can
# purge httpd log files.
#
awstats_purge_apache_log_files = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_awstats_script_anon_write = false
#
# Determine whether cdrecord can read
# various content: nfs, samba, removable
# devices, user temp and untrusted
# content files.
#
cdrecord_read_content = false
#
# Allow evolution to create and write
# user certificates in addition to
# being able to read them
#
evolution_manage_user_certs = false
#
# Grant the evolution domains read access to generic user content
#
evolution_read_generic_user_content = true
#
# Grant the evolution domains read access to all user content
#
evolution_read_all_user_content = false
#
# Grant the evolution domains manage rights on generic user content
#
evolution_manage_generic_user_content = false
#
# Grant the evolution domains manage rights on all user content
#
evolution_manage_all_user_content = false
#
# Determine whether Gitosis can send mail.
#
gitosis_can_sendmail = false
#
# Determine whether GPG agent can manage
# generic user home content files. This is
# required by the --write-env-file option.
#
gpg_agent_env_file = false
#
# Determine whether GPG agent can use OpenPGP
# cards or Yubikeys over USB
#
gpg_agent_use_card = false
#
# Grant the gpg domains read access to generic user content
#
gpg_read_generic_user_content = true
#
# Grant the gpg domains read access to all user content
#
gpg_read_all_user_content = false
#
# Grant the gpg domains manage rights on generic user content
#
gpg_manage_generic_user_content = false
#
# Grant the gpg domains manage rights on all user content
#
gpg_manage_all_user_content = false
#
# Determine whether irc clients can
# listen on and connect to any
# unreserved TCP ports.
#
irc_use_any_tcp_ports = false
#
# Grant the irc domains read access to generic user content
#
irc_read_generic_user_content = true
#
# Grant the irc domains read access to all user content
#
irc_read_all_user_content = false
#
# Grant the irc domains manage rights on generic user content
#
irc_manage_generic_user_content = false
#
# Grant the irc domains manage rights on all user content
#
irc_manage_all_user_content = false
#
# Determine whether java can make
# its stack executable.
#
allow_java_execstack = false
#
# Grant the java domains read access to generic user content
#
java_read_generic_user_content = true
#
# Grant the java domains read access to all user content
#
java_read_all_user_content = false
#
# Grant the java domains manage rights on generic user content
#
java_manage_generic_user_content = false
#
# Grant the java domains manage rights on all user content
#
java_manage_all_user_content = false
#
# Determine whether libmtp can read
# and manage the user home directories
# and files.
#
libmtp_enable_home_dirs = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_lightsquid_script_anon_write = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_man2html_script_anon_write = false
#
# Determine whether mozilla can
# make its stack executable.
#
mozilla_execstack = false
#
# Grant the mozilla domains read access to generic user content
#
mozilla_read_generic_user_content = true
#
# Grant the mozilla domains read access to all user content
#
mozilla_read_all_user_content = false
#
# Grant the mozilla domains manage rights on generic user content
#
mozilla_manage_generic_user_content = false
#
# Grant the mozilla domains manage rights on all user content
#
mozilla_manage_all_user_content = false
#
# Determine whether mplayer can make
# its stack executable.
#
allow_mplayer_execstack = false
#
# Grant the mplayer_mencoder domains read access to generic user content
#
mplayer_mencoder_read_generic_user_content = true
#
# Grant the mplayer_mencoder domains read access to all user content
#
mplayer_mencoder_read_all_user_content = false
#
# Grant the mplayer_mencoder domains manage rights on generic user content
#
mplayer_mencoder_manage_generic_user_content = false
#
# Grant the mplayer_mencoder domains manage rights on all user content
#
mplayer_mencoder_manage_all_user_content = false
#
# Grant the mplayer domains read access to generic user content
#
mplayer_read_generic_user_content = true
#
# Grant the mplayer domains read access to all user content
#
mplayer_read_all_user_content = false
#
# Grant the mplayer domains manage rights on generic user content
#
mplayer_manage_generic_user_content = false
#
# Grant the mplayer domains manage rights on all user content
#
mplayer_manage_all_user_content = false
#
# Determine whether openoffice can
# download software updates from the
# network (application and/or
# extensions).
#
openoffice_allow_update = true
#
# Determine whether openoffice writer
# can send emails directly (print to
# email). This is different from the
# functionality of sending emails
# through external clients which is
# always enabled.
#
openoffice_allow_email = false
#
# Grant the openoffice domains read access to generic user content
#
openoffice_read_generic_user_content = true
#
# Grant the openoffice domains read access to all user content
#
openoffice_read_all_user_content = false
#
# Grant the openoffice domains manage rights on generic user content
#
openoffice_manage_generic_user_content = false
#
# Grant the openoffice domains manage rights on all user content
#
openoffice_manage_all_user_content = false
#
# Allow pulseaudio to execute code in
# writable memory
#
pulseaudio_execmem = false
#
# Determine whether qemu has full
# access to the network.
#
qemu_full_network = false
#
# Grant the syncthing domains read access to generic user content
#
syncthing_read_generic_user_content = true
#
# Grant the syncthing domains read access to all user content
#
syncthing_read_all_user_content = false
#
# Grant the syncthing domains manage rights on generic user content
#
syncthing_manage_generic_user_content = false
#
# Grant the syncthing domains manage rights on all user content
#
syncthing_manage_all_user_content = false
#
# Determine whether telepathy connection
# managers can connect to generic tcp ports.
#
telepathy_tcp_connect_generic_network_ports = false
#
# Determine whether telepathy connection
# managers can connect to any port.
#
telepathy_connect_all_ports = false
#
# Grant the thunderbird domains read access to generic user content
#
thunderbird_read_generic_user_content = true
#
# Grant the thunderbird domains read access to all user content
#
thunderbird_read_all_user_content = false
#
# Grant the thunderbird domains manage rights on generic user content
#
thunderbird_manage_generic_user_content = false
#
# Grant the thunderbird domains manage rights on all user content
#
thunderbird_manage_all_user_content = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_webalizer_script_anon_write = false
#
# Determine whether attempts by
# wine to mmap low regions should
# be silently blocked.
#
wine_mmap_zero_ignore = false
#
# Grant the wireshark domains read access to generic user content
#
wireshark_read_generic_user_content = true
#
# Grant the wireshark domains read access to all user content
#
wireshark_read_all_user_content = false
#
# Grant the wireshark domains manage rights on generic user content
#
wireshark_manage_generic_user_content = false
#
# Grant the wireshark domains manage rights on all user content
#
wireshark_manage_all_user_content = false
#
# Grant the xscreensaver domains read access to generic user content
#
xscreensaver_read_generic_user_content = true
#
# Control the ability to mmap a low area of the address space,
# as configured by /proc/sys/kernel/mmap_min_addr.
#
mmap_low_allowed = false
#
# Determine whether dbadm can manage
# generic user files.
#
dbadm_manage_user_files = false
#
# Determine whether dbadm can read
# generic user files.
#
dbadm_read_user_files = false
#
# Allow sysadm to debug or ptrace all processes.
#
allow_ptrace = false
#
# Determine whether webadm can
# manage generic user files.
#
webadm_manage_user_files = false
#
# Determine whether webadm can
# read generic user files.
#
webadm_read_user_files = false
#
# Determine whether xguest can
# mount removable media.
#
xguest_mount_media = false
#
# Determine whether xguest can
# configure network manager.
#
xguest_connect_network = false
#
# Determine whether xguest can
# use Bluetooth devices.
#
xguest_use_bluetooth = false
#
# Determine whether ABRT can modify
# public files used for public file
# transfer services.
#
abrt_anon_write = false
#
# Determine whether abrt-handle-upload
# can modify public files used for public file
# transfer services in /var/spool/abrt-upload/.
#
abrt_upload_watch_anon_write = true
#
# Determine whether ABRT can run in
# the abrt_handle_event_t domain to
# handle ABRT event scripts.
#
abrt_handle_event = false
#
# Determine whether amavis can
# use JIT compiler.
#
amavis_use_jit = false
#
# Determine whether httpd can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_anon_write = false
#
# Determine whether httpd can use mod_auth_pam.
#
allow_httpd_mod_auth_pam = false
#
# Determine whether httpd can use built in scripting.
#
httpd_builtin_scripting = false
#
# Determine whether httpd can check spam.
#
httpd_can_check_spam = false
#
# Determine whether httpd scripts and modules
# can connect to the network using TCP.
#
httpd_can_network_connect = false
#
# Determine whether httpd scripts and modules
# can connect to cobbler over the network.
#
httpd_can_network_connect_cobbler = false
#
# Determine whether scripts and modules can
# connect to databases over the network.
#
httpd_can_network_connect_db = false
#
# Determine whether httpd can connect to
# ldap over the network.
#
httpd_can_network_connect_ldap = false
#
# Determine whether httpd can connect
# to memcache server over the network.
#
httpd_can_network_connect_memcache = false
#
# Determine whether httpd can act as a relay.
#
httpd_can_network_relay = false
#
# Determine whether httpd daemon can
# connect to zabbix over the network.
#
httpd_can_network_connect_zabbix = false
#
# Determine whether httpd can send mail.
#
httpd_can_sendmail = false
#
# Determine whether httpd can communicate
# with avahi service via dbus.
#
httpd_dbus_avahi = false
#
# Determine whether httpd can use CGI support.
#
httpd_enable_cgi = false
#
# Determine whether httpd can act as a
# FTP server by listening on the ftp port.
#
httpd_enable_ftp_server = false
#
# Determine whether httpd can traverse
# user home directories.
#
httpd_enable_homedirs = false
#
# Determine whether httpd gpg can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
httpd_gpg_anon_write = false
#
# Determine whether httpd can execute
# its temporary content.
#
httpd_tmp_exec = false
#
# Determine whether httpd scripts and
# modules can use execmem and execstack.
#
httpd_execmem = false
#
# Determine whether httpd can connect
# to port 80 for graceful shutdown.
#
httpd_graceful_shutdown = false
#
# Determine whether httpd can
# manage IPA content files.
#
httpd_manage_ipa = false
#
# Determine whether httpd can use mod_auth_ntlm_winbind.
#
httpd_mod_auth_ntlm_winbind = false
#
# Determine whether httpd can read
# generic user home content files.
#
httpd_read_user_content = false
#
# Determine whether httpd can change
# its resource limits.
#
httpd_setrlimit = false
#
# Determine whether httpd can run
# SSI executables in the same domain
# as system CGI scripts.
#
httpd_ssi_exec = false
#
# Determine whether httpd can communicate
# with the terminal. Needed for entering the
# passphrase for certificates at the terminal.
#
httpd_tty_comm = false
#
# Determine whether httpd can have full access
# to its content types.
#
httpd_unified = false
#
# Determine whether httpd can use
# cifs file systems.
#
httpd_use_cifs = false
#
# Determine whether httpd can
# use fuse file systems.
#
httpd_use_fusefs = false
#
# Determine whether httpd can use gpg.
#
httpd_use_gpg = false
#
# Determine whether httpd can use
# nfs file systems.
#
httpd_use_nfs = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_sys_script_anon_write = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_user_script_anon_write = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_unconfined_script_anon_write = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_apcupsd_cgi_script_anon_write = false
#
# Determine whether Bind can bind tcp socket to http ports.
#
named_tcp_bind_http_port = false
#
# Determine whether Bind can write to master zone files.
# Generally this is used for dynamic DNS or zone transfers.
#
named_write_master_zones = false
#
# Determine whether boinc can execmem/execstack.
#
boinc_execmem = true
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_bugzilla_script_anon_write = false
#
# Determine whether clamscan can
# read user content files.
#
clamav_read_user_content_files_clamscan = false
#
# Determine whether clamscan can read
# all non-security files.
#
clamav_read_all_non_security_files_clamscan = false
#
# Determine whether clamd can use the JIT compiler.
#
clamd_use_jit = false
#
# Determine whether Cobbler can modify
# public files used for public file
# transfer services.
#
cobbler_anon_write = false
#
# Determine whether Cobbler can connect
# to the network using TCP.
#
cobbler_can_network_connect = false
#
# Determine whether Cobbler can access
# cifs file systems.
#
cobbler_use_cifs = false
#
# Determine whether Cobbler can access
# nfs file systems.
#
cobbler_use_nfs = false
#
# Determine whether collectd can connect
# to the network using TCP.
#
collectd_tcp_network_connect = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_collectd_script_anon_write = false
#
# Determine whether Condor can connect
# to the network using TCP.
#
condor_tcp_network_connect = false
#
# Determine whether system cron jobs
# can relabel filesystem for
# restoring file contexts.
#
cron_can_relabel = false
#
# Determine whether crond can execute jobs
# in the user domain as opposed to the
# generic cronjob domain.
#
cron_userdomain_transition = false
#
# Determine whether extra rules
# should be enabled to support fcron.
#
fcron_crond = false
#
# Grant the cron domains read access to generic user content
#
cron_read_generic_user_content = true
#
# Grant the cron domains read access to all user content
#
cron_read_all_user_content = false
#
# Grant the cron domains manage rights on generic user content
#
cron_manage_generic_user_content = false
#
# Grant the cron domains manage rights on all user content
#
cron_manage_all_user_content = false
#
# Determine whether cvs can read shadow
# password files.
#
allow_cvs_read_shadow = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_cvs_script_anon_write = false
#
# Determine whether DHCP daemon
# can use LDAP backends.
#
dhcpd_use_ldap = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_dspam_script_anon_write = false
#
# Determine whether entropyd can use
# audio devices as the source for
# the entropy feeds.
#
entropyd_use_audio = false
#
# Determine whether exim can connect to
# databases.
#
exim_can_connect_db = false
#
# Determine whether exim can read generic
# user content files.
#
exim_read_user_files = false
#
# Determine whether exim can create,
# read, write, and delete generic user
# content files.
#
exim_manage_user_files = false
#
# Determine whether ftpd can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_ftpd_anon_write = false
#
# Determine whether ftpd can login to
# local users and can read and write
# all files on the system, governed by DAC.
#
allow_ftpd_full_access = false
#
# Determine whether ftpd can use CIFS
# used for public file transfer services.
#
allow_ftpd_use_cifs = false
#
# Determine whether ftpd can use NFS
# used for public file transfer services.
#
allow_ftpd_use_nfs = false
#
# Determine whether ftpd can connect to
# databases over the TCP network.
#
ftpd_connect_db = false
#
# Determine whether ftpd can bind to all
# unreserved ports for passive mode.
#
ftpd_use_passive_mode = false
#
# Determine whether ftpd can connect to
# all unreserved ports.
#
ftpd_connect_all_unreserved = false
#
# Determine whether ftpd can read and write
# files in user home directories.
#
ftp_home_dir = false
#
# Determine whether sftpd can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
sftpd_anon_write = false
#
# Determine whether sftpd can read and write
# files in user home directories.
#
sftpd_enable_homedirs = false
#
# Determine whether sftpd can log in as
# local users and read and write all
# files on the system, governed by DAC.
#
sftpd_full_access = false
#
# Determine whether sftpd can read and write
# files in user ssh home directories.
#
sftpd_write_ssh_home = false
#
# Determine whether Git CGI
# can search home directories.
#
git_cgi_enable_homedirs = false
#
# Determine whether Git CGI
# can access cifs file systems.
#
git_cgi_use_cifs = false
#
# Determine whether Git CGI
# can access nfs file systems.
#
git_cgi_use_nfs = false
#
# Determine whether Git session daemon
# can bind TCP sockets to all
# unreserved ports.
#
git_session_bind_all_unreserved_ports = false
#
# Determine whether calling user domains
# can execute Git daemon in the
# git_session_t domain.
#
git_session_users = false
#
# Determine whether Git session daemons
# can send syslog messages.
#
git_session_send_syslog_msg = false
#
# Determine whether Git system daemon
# can search home directories.
#
git_system_enable_homedirs = false
#
# Determine whether Git system daemon
# can access cifs file systems.
#
git_system_use_cifs = false
#
# Determine whether Git system daemon
# can access nfs file systems.
#
git_system_use_nfs = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_git_script_anon_write = false
#
# Grant the i18n_input domains read access to generic user content
#
i18n_input_read_generic_user_content = true
#
# Determine whether icecast can listen
# on and connect to any TCP port.
#
icecast_use_any_tcp_ports = false
#
# Determine whether kerberos is supported.
#
allow_kerberos = false
#
# Determine whether to support lpd server.
#
use_lpd_server = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_mediawiki_script_anon_write = false
#
# Determine whether minidlna can read generic user content.
#
minidlna_read_generic_user_content = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_mojomojo_script_anon_write = false
#
# Allow monit to start/stop services
#
monit_startstop_services = false
#
# Determine whether mpd can traverse
# user home directories.
#
mpd_enable_homedirs = false
#
# Determine whether mpd can use
# cifs file systems.
#
mpd_use_cifs = false
#
# Determine whether mpd can use
# nfs file systems.
#
mpd_use_nfs = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_munin_script_anon_write = false
#
# Determine whether mysqld can
# connect to all TCP ports.
#
mysql_connect_any = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_nagios_script_anon_write = false
#
# Determine whether confined applications
# can use nscd shared memory.
#
nscd_use_shm = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_nutups_cgi_script_anon_write = false
#
# Determine whether openvpn can
# read generic user home content files.
#
openvpn_enable_homedirs = false
#
# Determine whether openvpn can
# connect to the TCP network.
#
openvpn_can_network_connect = false
#
# Determine whether Polipo system
# daemon can access CIFS file systems.
#
polipo_system_use_cifs = false
#
# Determine whether Polipo system
# daemon can access NFS file systems.
#
polipo_system_use_nfs = false
#
# Determine whether calling user domains
# can execute Polipo daemon in the
# polipo_session_t domain.
#
polipo_session_users = false
#
# Determine whether Polipo session daemon
# can send syslog messages.
#
polipo_session_send_syslog_msg = false
#
# Determine whether postfix local
# can manage mail spool content.
#
postfix_local_write_mail_spool = true
#
# Grant the postfix domains read access to generic user content
#
postfix_read_generic_user_content = true
#
# Grant the postfix domains read access to all user content
#
postfix_read_all_user_content = false
#
# Grant the postfix domains manage rights on generic user content
#
postfix_manage_generic_user_content = false
#
# Grant the postfix domains manage rights on all user content
#
postfix_manage_all_user_content = false
#
# Allow unprivileged users to execute DDL statements.
#
sepgsql_enable_users_ddl = false
#
# Allow transmitting the client label to a foreign database.
#
sepgsql_transmit_client_label = false
#
# Allow database admins to execute DML statements.
#
sepgsql_unconfined_dbadm = false
#
# Determine whether pppd can
# load kernel modules.
#
pppd_can_insmod = false
#
# Determine whether common users can
# run pppd with a domain transition.
#
pppd_for_user = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_prewikka_script_anon_write = false
#
# Determine whether privoxy can
# connect to all tcp ports.
#
privoxy_connect_any = false
#
# Determine whether rgmanager can
# connect to the network using TCP.
#
rgmanager_can_network_connect = false
#
# Determine whether fenced can
# connect to the TCP network.
#
fenced_can_network_connect = false
#
# Determine whether fenced can use ssh.
#
fenced_can_ssh = false
#
# Determine whether gssd can read
# generic user temporary content.
#
allow_gssd_read_tmp = false
#
# Determine whether gssd can write
# generic user temporary content.
#
allow_gssd_write_tmp = false
#
# Determine whether nfs can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_nfsd_anon_write = false
#
# Determine whether rsync can use
# cifs file systems.
#
rsync_use_cifs = false
#
# Determine whether rsync can
# use fuse file systems.
#
rsync_use_fusefs = false
#
# Determine whether rsync can use
# nfs file systems.
#
rsync_use_nfs = false
#
# Determine whether rsync can
# run as a client
#
rsync_client = false
#
# Determine whether rsync can
# export all content read only.
#
rsync_export_all_ro = false
#
# Determine whether rsync can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_rsync_anon_write = false
#
# Determine whether smbd_t can
# read shadow files.
#
samba_read_shadow = false
#
# Determine whether samba can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_smbd_anon_write = false
#
# Determine whether samba can
# create home directories via pam.
#
samba_create_home_dirs = false
#
# Determine whether samba can act as the
# domain controller, add users, groups
# and change passwords.
#
samba_domain_controller = false
#
# Determine whether samba can
# act as a portmapper.
#
samba_portmapper = false
#
# Determine whether samba can share
# users home directories.
#
samba_enable_home_dirs = false
#
# Determine whether samba can share
# any content read only.
#
samba_export_all_ro = false
#
# Determine whether samba can share any
# content readable and writable.
#
samba_export_all_rw = false
#
# Determine whether samba can
# run unconfined scripts.
#
samba_run_unconfined = false
#
# Determine whether samba can
# use nfs file systems.
#
samba_share_nfs = false
#
# Determine whether samba can
# use fuse file systems.
#
samba_share_fusefs = false
#
# Determine whether sanlock can use
# nfs file systems.
#
sanlock_use_nfs = false
#
# Determine whether sanlock can use
# cifs file systems.
#
sanlock_use_samba = false
#
# Determine whether sasl can
# read shadow files.
#
allow_saslauthd_read_shadow = false
#
# Determine whether smartmon can support
# devices on 3ware controllers.
#
smartmon_3ware = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_smokeping_cgi_script_anon_write = false
#
# Determine whether spamassassin
# clients can use the network.
#
spamassassin_can_network = false
#
# Determine whether spamd can manage
# generic user home content.
#
spamd_enable_home_dirs = false
#
# Determine whether squid can
# connect to all TCP ports.
#
squid_connect_any = false
#
# Determine whether squid can run
# as a transparent proxy.
#
squid_use_tproxy = false
#
# Determine whether squid can use the
# pinger daemon (needs raw net access)
#
squid_use_pinger = true
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_squid_script_anon_write = false
#
# Allow host-key-based authentication (ssh-keysign).
#
allow_ssh_keysign = false
#
# Allow ssh logins as sysadm_r:sysadm_t
#
ssh_sysadm_login = false
#
# Allow ssh to use gpg-agent
#
ssh_use_gpg_agent = false
#
# Determine whether tftp can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
tftp_anon_write = false
#
# Determine whether tftp can manage
# generic user home content.
#
tftp_enable_homedir = false
#
# Determine whether tor can bind
# tcp sockets to all unreserved ports.
#
tor_bind_all_unreserved_ports = false
#
# Determine whether varnishd can
# use the full TCP network.
#
varnishd_connect_any = false
#
# Determine whether confined virtual guests
# can use serial/parallel communication ports.
#
virt_use_comm = false
#
# Determine whether confined virtual guests
# can use executable memory and can make
# their stack executable.
#
virt_use_execmem = false
#
# Determine whether confined virtual guests
# can use fuse file systems.
#
virt_use_fusefs = false
#
# Determine whether confined virtual guests
# can use nfs file systems.
#
virt_use_nfs = false
#
# Determine whether confined virtual guests
# can use cifs file systems.
#
virt_use_samba = false
#
# Determine whether confined virtual guests
# can manage device configuration.
#
virt_use_sysfs = false
#
# Determine whether confined virtual guests
# can use usb devices.
#
virt_use_usb = false
#
# Determine whether confined virtual guests
# can interact with xserver.
#
virt_use_xserver = false
#
# Determine whether confined virtual guests
# can use VFIO for PCI device passthrough (VT-d).
#
virt_use_vfio = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_w3c_validator_script_anon_write = false
#
# Allow clients to write to the X server shared
# memory segments.
#
allow_write_xshm = false
#
# Allow xdm logins as sysadm
#
xdm_sysadm_login = false
#
# Use gnome-shell in gdm mode as the
# X Display Manager (XDM)
#
xserver_gnome_xdm = false
#
# Support X userspace object manager
#
xserver_object_manager = false
#
# Determine whether zabbix can
# connect to all TCP ports
#
zabbix_can_network = false
#
# Determine whether zebra daemon can
# manage its configuration files.
#
allow_zebra_write_config = false
#
# Allow users to resolve user passwd entries directly from LDAP rather than through an sssd server.
#
authlogin_nsswitch_use_ldap = false
#
# Enable support for upstart as the init program.
#
init_upstart = false
#
# Allow all daemons the ability to read/write terminals
#
init_daemons_use_tty = false
#
# Allow racoon to read shadow
#
racoon_read_shadow = false
#
# Allow the mount command to mount any directory or file.
#
allow_mount_anyfile = false
#
# Enable support for systemd-tmpfiles to manage all non-security files.
#
systemd_tmpfiles_manage_all = false
#
# Allow systemd-nspawn to create a labelled namespace with the same types
# as parent environment
#
systemd_nspawn_labeled_namespace = false
#
# Allow users to connect to mysql
#
allow_user_mysql_connect = false
#
# Allow users to connect to PostgreSQL
#
allow_user_postgresql_connect = false
#
# Allow regular users direct mouse access
#
user_direct_mouse = false
#
# Allow users to read system messages.
#
user_dmesg = false
#
# Allow users to read and write files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY).
#
user_rw_noexattrfile = false
#
# Allow users to execute files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY).
#
user_exec_noexattrfile = false
#
# Allow users to write files on removable
# devices (e.g. external USB memory
# devices or floppies).
#
user_write_removable = false
#
# Allow the w command to display everyone's sessions.
#
user_ttyfile_stat = false
#
# Determine whether xend can
# run blktapctrl and tapdisk.
#
xend_run_blktap = false
#
# Determine whether xen can
# use fusefs file systems.
#
xen_use_fusefs = false
#
# Determine whether xen can
# use nfs file systems.
#
xen_use_nfs = false
#
# Determine whether xen can
# use samba file systems.
#
xen_use_samba = false
#
# Allow unconfined executables to make their heap memory executable.
# Doing this is a really bad idea. It probably indicates a badly coded
# executable, but could indicate an attack. Such an executable should
# be reported in bugzilla.
#
allow_execheap = false
#
# Allow unconfined executables to map a memory region as both executable
# and writable. This is dangerous and the executable should be reported
# in bugzilla.
#
allow_execmem = false
#
# Allow all unconfined executables to use libraries requiring text
# relocation that are not labeled textrel_shlib_t.
#
allow_execmod = false
#
# Allow unconfined executables to make their stack executable. This should
# never, ever be necessary. It probably indicates a badly coded executable,
# but could indicate an attack. Such an executable should be reported in
# bugzilla.
#
allow_execstack = false
#
# Enable polyinstantiated directory support.
#
allow_polyinstantiation = false
#
# Allow system to run with NIS
#
allow_ypbind = false
#
# Allow logging in and using the system from /dev/console.
#
console_login = true
#
# Enable reading of urandom for all domains.
#
# This should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection. All domains will
# be allowed to read from /dev/urandom.
#
global_ssp = false
#
# Allow email clients to read various content:
# nfs, samba, removable devices, and user temp
# files.
#
mail_read_content = false
#
# Allow any files/directories to be exported read/write via NFS.
#
nfs_export_all_rw = false
#
# Allow any files/directories to be exported read-only via NFS.
#
nfs_export_all_ro = false
#
# Support NFS home directories
#
use_nfs_home_dirs = false
#
# Support SAMBA home directories
#
use_samba_home_dirs = false
#
# Allow users to run TCP servers (bind to ports and accept connections from
# the same domain and outside users). Disabling this forces FTP passive mode
# and may change other protocols.
#
user_tcp_server = false
#
# Allow users to run UDP servers (bind to ports and accept connections from
# the same domain and outside users).
#
user_udp_server = false