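# SELinux policy boolean defaults.
#
# Format: one "name = true|false" per line; a line starting with "#" is a
# comment. Every line must be one or the other -- the collapsed version of
# this file had two comment fragments ("Directories/Files must ..." and
# "This executable should be reported ...") with their leading "#" lost,
# which a boolean loader would reject; they are restored below.
#
# Reviewer notes:
# - The *_anon_write booleans only affect directories/files labeled
#   public_content_rw_t; labeling is a separate step from enabling them.
# - Booleans whose description grants access to "all files", "all user
#   content", shadow files, or access "governed by DAC" only, remove the
#   type-enforcement boundary for that domain. They are the high-impact
#   switches in this file; keep them false unless the gain is understood.
# - secure_mode_policyload is one-way at runtime (see its description).

# Disable kernel module loading.
secure_mode_insmod = false

# Determine whether the system permits loading policy, setting enforcing
# mode, and changing boolean values. Setting this to true is one-way: a
# reboot is required to set it back to false.
secure_mode_policyload = false

# Enabling secure mode disallows programs, such as newrole, from
# transitioning to administrative user domains.
secure_mode = false

# Grant the firstboot domains read access to generic user content.
firstboot_read_generic_user_content = true

# Grant the firstboot domains read access to all user content.
firstboot_read_all_user_content = false

# Grant the firstboot domains manage rights on generic user content.
firstboot_manage_generic_user_content = false

# Grant the firstboot domains manage rights on all user content.
firstboot_manage_all_user_content = false

# Determine whether logwatch can connect to mail over the network.
logwatch_can_network_connect_mail = false

# Determine whether mcelog supports client mode.
mcelog_client = false

# Determine whether mcelog can execute scripts.
mcelog_exec_scripts = true

# Determine whether mcelog can use all the user ttys.
mcelog_foreground = false

# Determine whether mcelog supports server mode.
mcelog_server = false

# Determine whether mcelog can use syslog.
mcelog_syslog = false

# Control users' use of ping and traceroute.
user_ping = false

# Determine whether portage can use NFS filesystems.
portage_use_nfs = false

# Determine whether puppet can manage all non-security files.
puppet_manage_all_files = false

# Determine whether rkhunter can connect to HTTP ports. This is required by
# the --update option.
rkhunter_connect_http = false

# Determine whether attempts by vbetool to mmap low regions should be
# silently blocked.
vbetool_mmap_zero_ignore = false

# Determine whether awstats can purge httpd log files.
awstats_purge_apache_log_files = false

# Determine whether the httpd awstats script domain can modify public files
# used for public file transfer services. Directories/files must be labeled
# public_content_rw_t.
allow_httpd_awstats_script_anon_write = false

# Determine whether cdrecord can read various content: NFS, Samba, removable
# devices, user temp and untrusted content files.
cdrecord_read_content = false

# Allow evolution to create and write user certificates in addition to being
# able to read them.
evolution_manage_user_certs = false

# Grant the evolution domains read access to generic user content.
evolution_read_generic_user_content = true

# Grant the evolution domains read access to all user content.
evolution_read_all_user_content = false

# Grant the evolution domains manage rights on generic user content.
evolution_manage_generic_user_content = false

# Grant the evolution domains manage rights on all user content.
evolution_manage_all_user_content = false

# Determine whether Gitosis can send mail.
gitosis_can_sendmail = false

# Determine whether GPG agent can manage generic user home content files.
# This is required by the --write-env-file option.
gpg_agent_env_file = false

# Determine whether GPG agent can use OpenPGP cards or Yubikeys over USB.
gpg_agent_use_card = false

# Grant the gpg domains read access to generic user content.
gpg_read_generic_user_content = true

# Grant the gpg domains read access to all user content.
gpg_read_all_user_content = false

# Grant the gpg domains manage rights on generic user content.
gpg_manage_generic_user_content = false

# Grant the gpg domains manage rights on all user content.
gpg_manage_all_user_content = false

# Determine whether IRC clients can listen on and connect to any unreserved
# TCP ports.
irc_use_any_tcp_ports = false

# Grant the irc domains read access to generic user content.
irc_read_generic_user_content = true

# Grant the irc domains read access to all user content.
irc_read_all_user_content = false

# Grant the irc domains manage rights on generic user content.
irc_manage_generic_user_content = false

# Grant the irc domains manage rights on all user content.
irc_manage_all_user_content = false

# Determine whether java can make its stack executable.
allow_java_execstack = false

# Grant the java domains read access to generic user content.
java_read_generic_user_content = true

# Grant the java domains read access to all user content.
java_read_all_user_content = false

# Grant the java domains manage rights on generic user content.
java_manage_generic_user_content = false

# Grant the java domains manage rights on all user content.
java_manage_all_user_content = false

# Determine whether libmtp can read and manage the user home directories
# and files.
libmtp_enable_home_dirs = false

# Determine whether the httpd lightsquid script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_lightsquid_script_anon_write = false

# Determine whether the httpd man2html script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_man2html_script_anon_write = false

# Determine whether mozilla can make its stack executable.
mozilla_execstack = false

# Grant the mozilla domains read access to generic user content.
mozilla_read_generic_user_content = true

# Grant the mozilla domains read access to all user content.
mozilla_read_all_user_content = false

# Grant the mozilla domains manage rights on generic user content.
mozilla_manage_generic_user_content = false

# Grant the mozilla domains manage rights on all user content.
mozilla_manage_all_user_content = false

# Determine whether mplayer can make its stack executable.
allow_mplayer_execstack = false

# Grant the mplayer_mencoder domains read access to generic user content.
mplayer_mencoder_read_generic_user_content = true

# Grant the mplayer_mencoder domains read access to all user content.
mplayer_mencoder_read_all_user_content = false

# Grant the mplayer_mencoder domains manage rights on generic user content.
mplayer_mencoder_manage_generic_user_content = false

# Grant the mplayer_mencoder domains manage rights on all user content.
mplayer_mencoder_manage_all_user_content = false

# Grant the mplayer domains read access to generic user content.
mplayer_read_generic_user_content = true

# Grant the mplayer domains read access to all user content.
mplayer_read_all_user_content = false

# Grant the mplayer domains manage rights on generic user content.
mplayer_manage_generic_user_content = false

# Grant the mplayer domains manage rights on all user content.
mplayer_manage_all_user_content = false

# Determine whether openoffice can download software updates from the
# network (application and/or extensions).
openoffice_allow_update = true

# Determine whether openoffice writer can send emails directly (print to
# email). This is different from sending emails through external clients,
# which is always enabled.
openoffice_allow_email = false

# Grant the openoffice domains read access to generic user content.
openoffice_read_generic_user_content = true

# Grant the openoffice domains read access to all user content.
openoffice_read_all_user_content = false

# Grant the openoffice domains manage rights on generic user content.
openoffice_manage_generic_user_content = false

# Grant the openoffice domains manage rights on all user content.
openoffice_manage_all_user_content = false

# Allow pulseaudio to execute code in writable memory.
pulseaudio_execmem = false

# Determine whether qemu has full access to the network.
qemu_full_network = false

# Grant the syncthing domains read access to generic user content.
syncthing_read_generic_user_content = true

# Grant the syncthing domains read access to all user content.
syncthing_read_all_user_content = false

# Grant the syncthing domains manage rights on generic user content.
syncthing_manage_generic_user_content = false

# Grant the syncthing domains manage rights on all user content.
syncthing_manage_all_user_content = false

# Determine whether telepathy connection managers can connect to generic
# TCP ports.
telepathy_tcp_connect_generic_network_ports = false

# Determine whether telepathy connection managers can connect to any port.
telepathy_connect_all_ports = false

# Grant the thunderbird domains read access to generic user content.
thunderbird_read_generic_user_content = true

# Grant the thunderbird domains read access to all user content.
thunderbird_read_all_user_content = false

# Grant the thunderbird domains manage rights on generic user content.
thunderbird_manage_generic_user_content = false

# Grant the thunderbird domains manage rights on all user content.
thunderbird_manage_all_user_content = false

# Determine whether the httpd webalizer script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_webalizer_script_anon_write = false

# Determine whether attempts by wine to mmap low regions should be silently
# blocked.
wine_mmap_zero_ignore = false

# Grant the wireshark domains read access to generic user content.
wireshark_read_generic_user_content = true

# Grant the wireshark domains read access to all user content.
wireshark_read_all_user_content = false

# Grant the wireshark domains manage rights on generic user content.
wireshark_manage_generic_user_content = false

# Grant the wireshark domains manage rights on all user content.
wireshark_manage_all_user_content = false

# Grant the xscreensaver domains read access to generic user content.
xscreensaver_read_generic_user_content = true

# Control the ability to mmap a low area of the address space, as configured
# by /proc/sys/kernel/mmap_min_addr.
mmap_low_allowed = false

# Determine whether dbadm can manage generic user files.
dbadm_manage_user_files = false

# Determine whether dbadm can read generic user files.
dbadm_read_user_files = false

# Allow sysadm to debug or ptrace all processes.
allow_ptrace = false

# Determine whether webadm can manage generic user files.
webadm_manage_user_files = false

# Determine whether webadm can read generic user files.
webadm_read_user_files = false

# Determine whether xguest can mount removable media.
xguest_mount_media = false

# Determine whether xguest can configure network manager.
xguest_connect_network = false

# Determine whether xguest can use Bluetooth devices.
xguest_use_bluetooth = false

# Determine whether ABRT can modify public files used for public file
# transfer services.
abrt_anon_write = false

# Determine whether abrt-handle-upload can modify public files used for
# public file transfer services in /var/spool/abrt-upload/.
abrt_upload_watch_anon_write = true

# Determine whether ABRT can run in the abrt_handle_event_t domain to handle
# ABRT event scripts.
abrt_handle_event = false

# Determine whether amavis can use the JIT compiler.
amavis_use_jit = false

# Determine whether httpd can modify public files used for public file
# transfer services. Directories/files must be labeled public_content_rw_t.
allow_httpd_anon_write = false

# Determine whether httpd can use mod_auth_pam.
allow_httpd_mod_auth_pam = false

# Determine whether httpd can use built-in scripting.
httpd_builtin_scripting = false

# Determine whether httpd can check spam.
httpd_can_check_spam = false

# Determine whether httpd scripts and modules can connect to the network
# using TCP.
httpd_can_network_connect = false

# Determine whether httpd scripts and modules can connect to cobbler over
# the network.
httpd_can_network_connect_cobbler = false

# Determine whether httpd scripts and modules can connect to databases over
# the network.
httpd_can_network_connect_db = false

# Determine whether httpd can connect to LDAP over the network.
httpd_can_network_connect_ldap = false

# Determine whether httpd can connect to a memcache server over the network.
httpd_can_network_connect_memcache = false

# Determine whether httpd can act as a relay.
httpd_can_network_relay = false

# Determine whether the httpd daemon can connect to zabbix over the network.
httpd_can_network_connect_zabbix = false

# Determine whether httpd can send mail.
httpd_can_sendmail = false

# Determine whether httpd can communicate with the avahi service via dbus.
httpd_dbus_avahi = false

# Determine whether httpd can use CGI support.
httpd_enable_cgi = false

# Determine whether httpd can act as an FTP server by listening on the ftp
# port.
httpd_enable_ftp_server = false

# Determine whether httpd can traverse user home directories.
httpd_enable_homedirs = false

# Determine whether httpd gpg can modify public files used for public file
# transfer services. Directories/files must be labeled public_content_rw_t.
httpd_gpg_anon_write = false

# Determine whether httpd can execute its temporary content.
httpd_tmp_exec = false

# Determine whether httpd scripts and modules can use execmem and execstack.
httpd_execmem = false

# Determine whether httpd can connect to port 80 for graceful shutdown.
httpd_graceful_shutdown = false

# Determine whether httpd can manage IPA content files.
httpd_manage_ipa = false

# Determine whether httpd can use mod_auth_ntlm_winbind.
httpd_mod_auth_ntlm_winbind = false

# Determine whether httpd can read generic user home content files.
httpd_read_user_content = false

# Determine whether httpd can change its resource limits.
httpd_setrlimit = false

# Determine whether httpd can run SSI executables in the same domain as
# system CGI scripts.
httpd_ssi_exec = false

# Determine whether httpd can communicate with the terminal. Needed for
# entering the passphrase for certificates at the terminal.
httpd_tty_comm = false

# Determine whether httpd can have full access to its content types.
httpd_unified = false

# Determine whether httpd can use CIFS file systems.
httpd_use_cifs = false

# Determine whether httpd can use FUSE file systems.
httpd_use_fusefs = false

# Determine whether httpd can use gpg.
httpd_use_gpg = false

# Determine whether httpd can use NFS file systems.
httpd_use_nfs = false

# Determine whether the httpd system script domain can modify public files
# used for public file transfer services. Directories/files must be labeled
# public_content_rw_t.
allow_httpd_sys_script_anon_write = false

# Determine whether the httpd user script domain can modify public files
# used for public file transfer services. Directories/files must be labeled
# public_content_rw_t.
allow_httpd_user_script_anon_write = false

# Determine whether the httpd unconfined script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_unconfined_script_anon_write = false

# Determine whether the httpd apcupsd CGI script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_apcupsd_cgi_script_anon_write = false

# Determine whether Bind can bind a TCP socket to HTTP ports.
named_tcp_bind_http_port = false

# Determine whether Bind can write to master zone files. Generally this is
# used for dynamic DNS or zone transfers.
named_write_master_zones = false

# Determine whether boinc can use execmem/execstack.
boinc_execmem = true

# Determine whether the httpd bugzilla script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_bugzilla_script_anon_write = false

# Determine whether clamscan can read user content files.
clamav_read_user_content_files_clamscan = false

# Determine whether clamscan can read all non-security files.
clamav_read_all_non_security_files_clamscan = false

# Determine whether clamd can use the JIT compiler.
clamd_use_jit = false

# Determine whether Cobbler can modify public files used for public file
# transfer services.
cobbler_anon_write = false

# Determine whether Cobbler can connect to the network using TCP.
cobbler_can_network_connect = false

# Determine whether Cobbler can access CIFS file systems.
cobbler_use_cifs = false

# Determine whether Cobbler can access NFS file systems.
cobbler_use_nfs = false

# Determine whether collectd can connect to the network using TCP.
collectd_tcp_network_connect = false

# Determine whether the httpd collectd script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_collectd_script_anon_write = false

# Determine whether Condor can connect to the network using TCP.
condor_tcp_network_connect = false

# Determine whether system cron jobs can relabel the filesystem for
# restoring file contexts.
cron_can_relabel = false

# Determine whether crond can execute jobs in the user domain as opposed to
# the generic cronjob domain.
cron_userdomain_transition = false

# Determine whether extra rules should be enabled to support fcron.
fcron_crond = false

# Grant the cron domains read access to generic user content.
cron_read_generic_user_content = true

# Grant the cron domains read access to all user content.
cron_read_all_user_content = false

# Grant the cron domains manage rights on generic user content.
cron_manage_generic_user_content = false

# Grant the cron domains manage rights on all user content.
cron_manage_all_user_content = false

# Determine whether cvs can read shadow password files.
allow_cvs_read_shadow = false

# Determine whether the httpd cvs script domain can modify public files
# used for public file transfer services. Directories/files must be labeled
# public_content_rw_t.
allow_httpd_cvs_script_anon_write = false

# Determine whether the DHCP daemon can use LDAP backends.
dhcpd_use_ldap = false

# Determine whether the httpd dspam script domain can modify public files
# used for public file transfer services. Directories/files must be labeled
# public_content_rw_t.
allow_httpd_dspam_script_anon_write = false

# Determine whether entropyd can use audio devices as the source for the
# entropy feeds.
entropyd_use_audio = false

# Determine whether exim can connect to databases.
exim_can_connect_db = false

# Determine whether exim can read generic user content files.
exim_read_user_files = false

# Determine whether exim can create, read, write, and delete generic user
# content files.
exim_manage_user_files = false

# Determine whether ftpd can modify public files used for public file
# transfer services. Directories/files must be labeled public_content_rw_t.
allow_ftpd_anon_write = false

# Determine whether ftpd can log in local users and read and write all files
# on the system, governed only by DAC.
allow_ftpd_full_access = false

# Determine whether ftpd can use CIFS for public file transfer services.
allow_ftpd_use_cifs = false

# Determine whether ftpd can use NFS for public file transfer services.
allow_ftpd_use_nfs = false

# Determine whether ftpd can connect to databases over the TCP network.
ftpd_connect_db = false

# Determine whether ftpd can bind to all unreserved ports for passive mode.
ftpd_use_passive_mode = false

# Determine whether ftpd can connect to all unreserved ports.
ftpd_connect_all_unreserved = false

# Determine whether ftpd can read and write files in user home directories.
ftp_home_dir = false

# Determine whether sftpd can modify public files used for public file
# transfer services. Directories/files must be labeled public_content_rw_t.
sftpd_anon_write = false

# Determine whether sftpd can read and write files in user home directories.
sftpd_enable_homedirs = false

# Determine whether sftpd can log in local users and read and write all
# files on the system, governed only by DAC.
sftpd_full_access = false

# Determine whether sftpd can read and write files in user ssh home
# directories.
sftpd_write_ssh_home = false

# Determine whether Git CGI can search home directories.
git_cgi_enable_homedirs = false

# Determine whether Git CGI can access CIFS file systems.
git_cgi_use_cifs = false

# Determine whether Git CGI can access NFS file systems.
git_cgi_use_nfs = false

# Determine whether the Git session daemon can bind TCP sockets to all
# unreserved ports.
git_session_bind_all_unreserved_ports = false

# Determine whether calling user domains can execute the Git daemon in the
# git_session_t domain.
git_session_users = false

# Determine whether Git session daemons can send syslog messages.
git_session_send_syslog_msg = false

# Determine whether the Git system daemon can search home directories.
git_system_enable_homedirs = false

# Determine whether the Git system daemon can access CIFS file systems.
git_system_use_cifs = false

# Determine whether the Git system daemon can access NFS file systems.
git_system_use_nfs = false

# Determine whether the httpd git script domain can modify public files
# used for public file transfer services. Directories/files must be labeled
# public_content_rw_t.
allow_httpd_git_script_anon_write = false

# Grant the i18n_input domains read access to generic user content.
i18n_input_read_generic_user_content = true

# Determine whether icecast can listen on and connect to any TCP port.
icecast_use_any_tcp_ports = false

# Determine whether kerberos is supported.
allow_kerberos = false

# Determine whether to support the lpd server.
use_lpd_server = false

# Determine whether the httpd mediawiki script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_mediawiki_script_anon_write = false

# Determine whether minidlna can read generic user content.
minidlna_read_generic_user_content = false

# Determine whether the httpd mojomojo script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_mojomojo_script_anon_write = false

# Allow monit to start/stop services.
monit_startstop_services = false

# Determine whether mpd can traverse user home directories.
mpd_enable_homedirs = false

# Determine whether mpd can use CIFS file systems.
mpd_use_cifs = false

# Determine whether mpd can use NFS file systems.
mpd_use_nfs = false

# Determine whether the httpd munin script domain can modify public files
# used for public file transfer services. Directories/files must be labeled
# public_content_rw_t.
allow_httpd_munin_script_anon_write = false

# Determine whether mysqld can connect to all TCP ports.
mysql_connect_any = false

# Determine whether the httpd nagios script domain can modify public files
# used for public file transfer services. Directories/files must be labeled
# public_content_rw_t.
allow_httpd_nagios_script_anon_write = false

# Determine whether confined applications can use nscd shared memory.
nscd_use_shm = false

# Determine whether the httpd nut-ups CGI script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_nutups_cgi_script_anon_write = false

# Determine whether openvpn can read generic user home content files.
openvpn_enable_homedirs = false

# Determine whether openvpn can connect to the TCP network.
openvpn_can_network_connect = false

# Determine whether the Polipo system daemon can access CIFS file systems.
polipo_system_use_cifs = false

# Determine whether the Polipo system daemon can access NFS file systems.
polipo_system_use_nfs = false

# Determine whether calling user domains can execute the Polipo daemon in
# the polipo_session_t domain.
polipo_session_users = false

# Determine whether the Polipo session daemon can send syslog messages.
polipo_session_send_syslog_msg = false

# Determine whether postfix local can manage mail spool content.
postfix_local_write_mail_spool = true

# Grant the postfix domains read access to generic user content.
postfix_read_generic_user_content = true

# Grant the postfix domains read access to all user content.
postfix_read_all_user_content = false

# Grant the postfix domains manage rights on generic user content.
postfix_manage_generic_user_content = false

# Grant the postfix domains manage rights on all user content.
postfix_manage_all_user_content = false

# Allow unprivileged users to execute DDL statements.
sepgsql_enable_users_ddl = false

# Allow the client label to be transmitted to a foreign database.
sepgsql_transmit_client_label = false

# Allow database admins to execute DML statements.
sepgsql_unconfined_dbadm = false

# Determine whether pppd can load kernel modules.
pppd_can_insmod = false

# Determine whether common users can run pppd with a domain transition.
pppd_for_user = false

# Determine whether the httpd prewikka script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_prewikka_script_anon_write = false

# Determine whether privoxy can connect to all TCP ports.
privoxy_connect_any = false

# Determine whether rgmanager can connect to the network using TCP.
rgmanager_can_network_connect = false

# Determine whether fenced can connect to the TCP network.
fenced_can_network_connect = false

# Determine whether fenced can use ssh.
fenced_can_ssh = false

# Determine whether gssd can read generic user temporary content.
allow_gssd_read_tmp = false

# Determine whether gssd can write generic user temporary content.
allow_gssd_write_tmp = false

# Determine whether nfsd can modify public files used for public file
# transfer services. Directories/files must be labeled public_content_rw_t.
allow_nfsd_anon_write = false

# Determine whether rsync can use CIFS file systems.
rsync_use_cifs = false

# Determine whether rsync can use FUSE file systems.
rsync_use_fusefs = false

# Determine whether rsync can use NFS file systems.
rsync_use_nfs = false

# Determine whether rsync can run as a client.
rsync_client = false

# Determine whether rsync can export all content read-only.
rsync_export_all_ro = false

# Determine whether rsync can modify public files used for public file
# transfer services. Directories/files must be labeled public_content_rw_t.
allow_rsync_anon_write = false

# Determine whether smbd_t can read shadow files.
samba_read_shadow = false

# Determine whether samba can modify public files used for public file
# transfer services. Directories/files must be labeled public_content_rw_t.
allow_smbd_anon_write = false

# Determine whether samba can create home directories via PAM.
samba_create_home_dirs = false

# Determine whether samba can act as the domain controller, add users and
# groups, and change passwords.
samba_domain_controller = false

# Determine whether samba can act as a portmapper.
samba_portmapper = false

# Determine whether samba can share users' home directories.
samba_enable_home_dirs = false

# Determine whether samba can share any content read-only.
samba_export_all_ro = false

# Determine whether samba can share any content readable and writable.
samba_export_all_rw = false

# Determine whether samba can run unconfined scripts.
samba_run_unconfined = false

# Determine whether samba can use NFS file systems.
samba_share_nfs = false

# Determine whether samba can use FUSE file systems.
samba_share_fusefs = false

# Determine whether sanlock can use NFS file systems.
sanlock_use_nfs = false

# Determine whether sanlock can use CIFS file systems.
sanlock_use_samba = false

# Determine whether saslauthd can read shadow files.
allow_saslauthd_read_shadow = false

# Determine whether smartmon can support devices on 3ware controllers.
smartmon_3ware = false

# Determine whether the httpd smokeping CGI script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_smokeping_cgi_script_anon_write = false

# Determine whether spamassassin clients can use the network.
spamassassin_can_network = false

# Determine whether spamd can manage generic user home content.
spamd_enable_home_dirs = false

# Determine whether squid can connect to all TCP ports.
squid_connect_any = false

# Determine whether squid can run as a transparent proxy.
squid_use_tproxy = false

# Determine whether squid can use the pinger daemon (needs raw net access).
squid_use_pinger = true

# Determine whether the httpd squid script domain can modify public files
# used for public file transfer services. Directories/files must be labeled
# public_content_rw_t.
allow_httpd_squid_script_anon_write = false

# Allow host-key-based authentication.
allow_ssh_keysign = false

# Allow ssh logins as sysadm_r:sysadm_t.
ssh_sysadm_login = false

# Allow ssh to use gpg-agent.
ssh_use_gpg_agent = false

# Determine whether tftp can modify public files used for public file
# transfer services. Directories/files must be labeled public_content_rw_t.
tftp_anon_write = false

# Determine whether tftp can manage generic user home content.
tftp_enable_homedir = false

# Determine whether tor can bind TCP sockets to all unreserved ports.
tor_bind_all_unreserved_ports = false

# Determine whether varnishd can use the full TCP network.
varnishd_connect_any = false

# Determine whether confined virtual guests can use serial/parallel
# communication ports.
virt_use_comm = false

# Determine whether confined virtual guests can use executable memory and
# can make their stack executable.
virt_use_execmem = false

# Determine whether confined virtual guests can use FUSE file systems.
virt_use_fusefs = false

# Determine whether confined virtual guests can use NFS file systems.
virt_use_nfs = false

# Determine whether confined virtual guests can use CIFS file systems.
virt_use_samba = false

# Determine whether confined virtual guests can manage device configuration.
virt_use_sysfs = false

# Determine whether confined virtual guests can use USB devices.
virt_use_usb = false

# Determine whether confined virtual guests can interact with the X server.
virt_use_xserver = false

# Determine whether confined virtual guests can use VFIO for PCI device
# pass-through (VT-d).
virt_use_vfio = false

# Determine whether the httpd w3c-validator script domain can modify public
# files used for public file transfer services. Directories/files must be
# labeled public_content_rw_t.
allow_httpd_w3c_validator_script_anon_write = false

# Allow clients to write to the X server shared memory segments.
allow_write_xshm = false

# Allow xdm logins as sysadm.
xdm_sysadm_login = false

# Use gnome-shell in gdm mode as the X Display Manager (XDM).
xserver_gnome_xdm = false

# Support the X userspace object manager.
xserver_object_manager = false

# Determine whether zabbix can connect to all TCP ports.
zabbix_can_network = false

# Determine whether the zebra daemon can manage its configuration files.
allow_zebra_write_config = false

# Allow users to resolve user passwd entries directly from LDAP rather than
# using an sssd server.
authlogin_nsswitch_use_ldap = false

# Enable support for upstart as the init program.
init_upstart = false

# Allow all daemons the ability to read/write terminals.
init_daemons_use_tty = false

# Allow racoon to read shadow.
racoon_read_shadow = false

# Allow the mount command to mount any directory or file.
allow_mount_anyfile = false

# Enable support for systemd-tmpfiles to manage all non-security files.
systemd_tmpfiles_manage_all = false

# Allow systemd-nspawn to create a labelled namespace with the same types as
# the parent environment.
systemd_nspawn_labeled_namespace = false

# Allow users to connect to mysql.
allow_user_mysql_connect = false

# Allow users to connect to PostgreSQL.
allow_user_postgresql_connect = false

# Allow regular users direct mouse access.
user_direct_mouse = false

# Allow users to read system messages.
user_dmesg = false

# Allow users to read/write files on filesystems that do not have extended
# attributes (FAT, CDROM, FLOPPY).
user_rw_noexattrfile = false

# Allow users to execute files on filesystems that do not have extended
# attributes (FAT, CDROM, FLOPPY).
user_exec_noexattrfile = false

# Allow users to write files on removable devices (e.g. external USB memory
# devices or floppies).
user_write_removable = false

# Allow w to display everyone's sessions.
user_ttyfile_stat = false

# Determine whether xend can run blktapctrl and tapdisk.
xend_run_blktap = false

# Determine whether xen can use FUSE file systems.
xen_use_fusefs = false

# Determine whether xen can use NFS file systems.
xen_use_nfs = false

# Determine whether xen can use Samba file systems.
xen_use_samba = false

# Allow unconfined executables to make their heap memory executable. Doing
# this is a really bad idea. It probably indicates a badly coded executable,
# but could indicate an attack. The executable should be reported in
# bugzilla.
allow_execheap = false

# Allow unconfined executables to map a memory region as both executable and
# writable. This is dangerous and the executable should be reported in
# bugzilla.
allow_execmem = false

# Allow all unconfined executables to use libraries requiring text
# relocation that are not labeled textrel_shlib_t.
allow_execmod = false

# Allow unconfined executables to make their stack executable. This should
# never, ever be necessary. It probably indicates a badly coded executable,
# but could indicate an attack. The executable should be reported in
# bugzilla.
allow_execstack = false

# Enable polyinstantiated directory support.
allow_polyinstantiation = false

# Allow the system to run with NIS.
allow_ypbind = false

# Allow logging in and using the system from /dev/console.
console_login = true

# Enable reading of urandom for all domains. This should be enabled when all
# programs are compiled with ProPolice/SSP stack smashing protection. All
# domains will be allowed to read from /dev/urandom.
global_ssp = false

# Allow email clients to read various content: NFS, Samba, removable devices,
# and user temp files.
mail_read_content = false

# Allow any files/directories to be exported read/write via NFS.
nfs_export_all_rw = false

# Allow any files/directories to be exported read-only via NFS.
nfs_export_all_ro = false

# Support NFS home directories.
use_nfs_home_dirs = false

# Support Samba home directories.
use_samba_home_dirs = false

# Allow users to run TCP servers (bind to ports and accept connections from
# the same domain and outside users). Disabling this forces FTP passive mode
# and may change other protocols.
user_tcp_server = false

# Allow users to run UDP servers (bind to ports and accept connections from
# the same domain and outside users).
user_udp_server = false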