1
0
selinux-policy/booleans-minimum.conf

1849 lines
35 KiB
Plaintext
Raw Normal View History

#
# Disable kernel module loading.
#
secure_mode_insmod = false
#
# Boolean to determine whether the system permits loading policy, setting
# enforcing mode, and changing boolean values. Set this to true and you
# have to reboot to set it back.
#
secure_mode_policyload = false
#
# Enabling secure mode disallows programs, such as
# newrole, from transitioning to administrative
# user domains.
#
secure_mode = false
#
# Grant the firstboot domains read access to generic user content
#
firstboot_read_generic_user_content = true
#
# Grant the firstboot domains read access to all user content
#
firstboot_read_all_user_content = false
#
# Grant the firstboot domains manage rights on generic user content
#
firstboot_manage_generic_user_content = false
#
# Grant the firstboot domains manage rights on all user content
#
firstboot_manage_all_user_content = false
#
# Determine whether logwatch can connect
# to mail over the network.
#
logwatch_can_network_connect_mail = false
#
# Determine whether mcelog supports
# client mode.
#
mcelog_client = false
#
# Determine whether mcelog can execute scripts.
#
mcelog_exec_scripts = true
#
# Determine whether mcelog can use all
# the user ttys.
#
mcelog_foreground = false
#
# Determine whether mcelog supports
# server mode.
#
mcelog_server = false
#
# Determine whether mcelog can use syslog.
#
mcelog_syslog = false
#
# Control users use of ping and traceroute
#
user_ping = false
#
# Determine whether portage can
# use nfs filesystems.
#
portage_use_nfs = false
#
# Determine whether puppet can
# manage all non-security files.
#
puppet_manage_all_files = false
#
# Determine whether rkhunter can connect
# to http ports. This is required by the
# --update option.
#
rkhunter_connect_http = false
#
# Determine whether attempts by
# vbetool to mmap low regions should
# be silently blocked.
#
vbetool_mmap_zero_ignore = false
#
# Determine whether awstats can
# purge httpd log files.
#
awstats_purge_apache_log_files = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_awstats_script_anon_write = false
#
# Determine whether cdrecord can read
# various content. nfs, samba, removable
# devices, user temp and untrusted
# content files
#
cdrecord_read_content = false
#
# Allow evolution to create and write
# user certificates in addition to
# being able to read them
#
evolution_manage_user_certs = false
#
# Grant the evolution domains read access to generic user content
#
evolution_read_generic_user_content = true
#
# Grant the evolution domains read access to all user content
#
evolution_read_all_user_content = false
#
# Grant the evolution domains manage rights on generic user content
#
evolution_manage_generic_user_content = false
#
# Grant the evolution domains manage rights on all user content
#
evolution_manage_all_user_content = false
#
# Determine whether Gitosis can send mail.
#
gitosis_can_sendmail = false
#
# Determine whether GPG agent can manage
# generic user home content files. This is
# required by the --write-env-file option.
#
gpg_agent_env_file = false
#
# Determine whether GPG agent can use OpenPGP
# cards or Yubikeys over USB
#
gpg_agent_use_card = false
#
# Grant the gpg domains read access to generic user content
#
gpg_read_generic_user_content = true
#
# Grant the gpg domains read access to all user content
#
gpg_read_all_user_content = false
#
# Grant the gpg domains manage rights on generic user content
#
gpg_manage_generic_user_content = false
#
# Grant the gpg domains manage rights on all user content
#
gpg_manage_all_user_content = false
#
# Determine whether irc clients can
# listen on and connect to any
# unreserved TCP ports.
#
irc_use_any_tcp_ports = false
#
# Grant the irc domains read access to generic user content
#
irc_read_generic_user_content = true
#
# Grant the irc domains read access to all user content
#
irc_read_all_user_content = false
#
# Grant the irc domains manage rights on generic user content
#
irc_manage_generic_user_content = false
#
# Grant the irc domains manage rights on all user content
#
irc_manage_all_user_content = false
#
# Determine whether java can make
# its stack executable.
#
allow_java_execstack = false
#
# Grant the java domains read access to generic user content
#
java_read_generic_user_content = true
#
# Grant the java domains read access to all user content
#
java_read_all_user_content = false
#
# Grant the java domains manage rights on generic user content
#
java_manage_generic_user_content = false
#
# Grant the java domains manage rights on all user content
#
java_manage_all_user_content = false
#
# Determine whether libmtp can read
# and manage the user home directories
# and files.
#
libmtp_enable_home_dirs = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_lightsquid_script_anon_write = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_man2html_script_anon_write = false
#
# Determine whether mozilla can
# make its stack executable.
#
mozilla_execstack = false
#
# Grant the mozilla domains read access to generic user content
#
mozilla_read_generic_user_content = true
#
# Grant the mozilla domains read access to all user content
#
mozilla_read_all_user_content = false
#
# Grant the mozilla domains manage rights on generic user content
#
mozilla_manage_generic_user_content = false
#
# Grant the mozilla domains manage rights on all user content
#
mozilla_manage_all_user_content = false
#
# Determine whether mplayer can make
# its stack executable.
#
allow_mplayer_execstack = false
#
# Grant the mplayer_mencoder domains read access to generic user content
#
mplayer_mencoder_read_generic_user_content = true
#
# Grant the mplayer_mencoder domains read access to all user content
#
mplayer_mencoder_read_all_user_content = false
#
# Grant the mplayer_mencoder domains manage rights on generic user content
#
mplayer_mencoder_manage_generic_user_content = false
#
# Grant the mplayer_mencoder domains manage rights on all user content
#
mplayer_mencoder_manage_all_user_content = false
#
# Grant the mplayer domains read access to generic user content
#
mplayer_read_generic_user_content = true
#
# Grant the mplayer domains read access to all user content
#
mplayer_read_all_user_content = false
#
# Grant the mplayer domains manage rights on generic user content
#
mplayer_manage_generic_user_content = false
#
# Grant the mplayer domains manage rights on all user content
#
mplayer_manage_all_user_content = false
#
# Determine whether openoffice can
# download software updates from the
# network (application and/or
# extensions).
#
openoffice_allow_update = true
#
# Determine whether openoffice writer
# can send emails directly (print to
# email). This is different from the
# functionality of sending emails
# through external clients which is
# always enabled.
#
openoffice_allow_email = false
#
# Grant the openoffice domains read access to generic user content
#
openoffice_read_generic_user_content = true
#
# Grant the openoffice domains read access to all user content
#
openoffice_read_all_user_content = false
#
# Grant the openoffice domains manage rights on generic user content
#
openoffice_manage_generic_user_content = false
#
# Grant the openoffice domains manage rights on all user content
#
openoffice_manage_all_user_content = false
#
# Allow pulseaudio to execute code in
# writable memory
#
pulseaudio_execmem = false
#
# Determine whether qemu has full
# access to the network.
#
qemu_full_network = false
#
# Grant the syncthing domains read access to generic user content
#
syncthing_read_generic_user_content = true
#
# Grant the syncthing domains read access to all user content
#
syncthing_read_all_user_content = false
#
# Grant the syncthing domains manage rights on generic user content
#
syncthing_manage_generic_user_content = false
#
# Grant the syncthing domains manage rights on all user content
#
syncthing_manage_all_user_content = false
#
# Determine whether telepathy connection
# managers can connect to generic tcp ports.
#
telepathy_tcp_connect_generic_network_ports = false
#
# Determine whether telepathy connection
# managers can connect to any port.
#
telepathy_connect_all_ports = false
#
# Grant the thunderbird domains read access to generic user content
#
thunderbird_read_generic_user_content = true
#
# Grant the thunderbird domains read access to all user content
#
thunderbird_read_all_user_content = false
#
# Grant the thunderbird domains manage rights on generic user content
#
thunderbird_manage_generic_user_content = false
#
# Grant the thunderbird domains manage rights on all user content
#
thunderbird_manage_all_user_content = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_webalizer_script_anon_write = false
#
# Determine whether attempts by
# wine to mmap low regions should
# be silently blocked.
#
wine_mmap_zero_ignore = false
#
# Grant the wireshark domains read access to generic user content
#
wireshark_read_generic_user_content = true
#
# Grant the wireshark domains read access to all user content
#
wireshark_read_all_user_content = false
#
# Grant the wireshark domains manage rights on generic user content
#
wireshark_manage_generic_user_content = false
#
# Grant the wireshark domains manage rights on all user content
#
wireshark_manage_all_user_content = false
#
# Grant the xscreensaver domains read access to generic user content
#
xscreensaver_read_generic_user_content = true
#
# Control the ability to mmap a low area of the address space,
# as configured by /proc/sys/kernel/mmap_min_addr.
#
mmap_low_allowed = false
#
# Determine whether dbadm can manage
# generic user files.
#
dbadm_manage_user_files = false
#
# Determine whether dbadm can read
# generic user files.
#
dbadm_read_user_files = false
#
# Allow sysadm to debug or ptrace all processes.
#
allow_ptrace = false
#
# Determine whether webadm can
# manage generic user files.
#
webadm_manage_user_files = false
#
# Determine whether webadm can
# read generic user files.
#
webadm_read_user_files = false
#
# Determine whether xguest can
# mount removable media.
#
xguest_mount_media = false
#
# Determine whether xguest can
# configure network manager.
#
xguest_connect_network = false
#
# Determine whether xguest can
# use blue tooth devices.
#
xguest_use_bluetooth = false
#
# Determine whether ABRT can modify
# public files used for public file
# transfer services.
#
abrt_anon_write = false
#
# Determine whether abrt-handle-upload
# can modify public files used for public file
# transfer services in /var/spool/abrt-upload/.
#
abrt_upload_watch_anon_write = true
#
# Determine whether ABRT can run in
# the abrt_handle_event_t domain to
# handle ABRT event scripts.
#
abrt_handle_event = false
#
# Determine whether amavis can
# use JIT compiler.
#
amavis_use_jit = false
#
# Determine whether httpd can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_anon_write = false
#
# Determine whether httpd can use mod_auth_pam.
#
allow_httpd_mod_auth_pam = false
#
# Determine whether httpd can use built in scripting.
#
httpd_builtin_scripting = false
#
# Determine whether httpd can check spam.
#
httpd_can_check_spam = false
#
# Determine whether httpd scripts and modules
# can connect to the network using TCP.
#
httpd_can_network_connect = false
#
# Determine whether httpd scripts and modules
# can connect to cobbler over the network.
#
httpd_can_network_connect_cobbler = false
#
# Determine whether scripts and modules can
# connect to databases over the network.
#
httpd_can_network_connect_db = false
#
# Determine whether httpd can connect to
# ldap over the network.
#
httpd_can_network_connect_ldap = false
#
# Determine whether httpd can connect
# to memcache server over the network.
#
httpd_can_network_connect_memcache = false
#
# Determine whether httpd can act as a relay.
#
httpd_can_network_relay = false
#
# Determine whether httpd daemon can
# connect to zabbix over the network.
#
httpd_can_network_connect_zabbix = false
#
# Determine whether httpd can send mail.
#
httpd_can_sendmail = false
#
# Determine whether httpd can communicate
# with avahi service via dbus.
#
httpd_dbus_avahi = false
#
# Determine wether httpd can use support.
#
httpd_enable_cgi = false
#
# Determine whether httpd can act as a
# FTP server by listening on the ftp port.
#
httpd_enable_ftp_server = false
#
# Determine whether httpd can traverse
# user home directories.
#
httpd_enable_homedirs = false
#
# Determine whether httpd gpg can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
httpd_gpg_anon_write = false
#
# Determine whether httpd can execute
# its temporary content.
#
httpd_tmp_exec = false
#
# Determine whether httpd scripts and
# modules can use execmem and execstack.
#
httpd_execmem = false
#
# Determine whether httpd can connect
# to port 80 for graceful shutdown.
#
httpd_graceful_shutdown = false
#
# Determine whether httpd can
# manage IPA content files.
#
httpd_manage_ipa = false
#
# Determine whether httpd can use mod_auth_ntlm_winbind.
#
httpd_mod_auth_ntlm_winbind = false
#
# Determine whether httpd can read
# generic user home content files.
#
httpd_read_user_content = false
#
# Determine whether httpd can change
# its resource limits.
#
httpd_setrlimit = false
#
# Determine whether httpd can run
# SSI executables in the same domain
# as system CGI scripts.
#
httpd_ssi_exec = false
#
# Determine whether httpd can communicate
# with the terminal. Needed for entering the
# passphrase for certificates at the terminal.
#
httpd_tty_comm = false
#
# Determine whether httpd can have full access
# to its content types.
#
httpd_unified = false
#
# Determine whether httpd can use
# cifs file systems.
#
httpd_use_cifs = false
#
# Determine whether httpd can
# use fuse file systems.
#
httpd_use_fusefs = false
#
# Determine whether httpd can use gpg.
#
httpd_use_gpg = false
#
# Determine whether httpd can use
# nfs file systems.
#
httpd_use_nfs = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_sys_script_anon_write = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_user_script_anon_write = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_unconfined_script_anon_write = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_apcupsd_cgi_script_anon_write = false
#
# Determine whether Bind can bind tcp socket to http ports.
#
named_tcp_bind_http_port = false
#
# Determine whether Bind can write to master zone files.
# Generally this is used for dynamic DNS or zone transfers.
#
named_write_master_zones = false
#
# Determine whether boinc can execmem/execstack.
#
boinc_execmem = true
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_bugzilla_script_anon_write = false
#
# Determine whether clamscan can
# read user content files.
#
clamav_read_user_content_files_clamscan = false
#
# Determine whether clamscan can read
# all non-security files.
#
clamav_read_all_non_security_files_clamscan = false
#
# Determine whether can clamd use JIT compiler.
#
clamd_use_jit = false
#
# Determine whether Cobbler can modify
# public files used for public file
# transfer services.
#
cobbler_anon_write = false
#
# Determine whether Cobbler can connect
# to the network using TCP.
#
cobbler_can_network_connect = false
#
# Determine whether Cobbler can access
# cifs file systems.
#
cobbler_use_cifs = false
#
# Determine whether Cobbler can access
# nfs file systems.
#
cobbler_use_nfs = false
#
# Determine whether collectd can connect
# to the network using TCP.
#
collectd_tcp_network_connect = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_collectd_script_anon_write = false
#
# Determine whether Condor can connect
# to the network using TCP.
#
condor_tcp_network_connect = false
#
# Determine whether system cron jobs
# can relabel filesystem for
# restoring file contexts.
#
cron_can_relabel = false
#
# Determine whether crond can execute jobs
# in the user domain as opposed to the
# the generic cronjob domain.
#
cron_userdomain_transition = false
#
# Determine whether extra rules
# should be enabled to support fcron.
#
fcron_crond = false
#
# Grant the cron domains read access to generic user content
#
cron_read_generic_user_content = true
#
# Grant the cron domains read access to all user content
#
cron_read_all_user_content = false
#
# Grant the cron domains manage rights on generic user content
#
cron_manage_generic_user_content = false
#
# Grant the cron domains manage rights on all user content
#
cron_manage_all_user_content = false
#
# Determine whether cvs can read shadow
# password files.
#
allow_cvs_read_shadow = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_cvs_script_anon_write = false
#
# Determine whether DHCP daemon
# can use LDAP backends.
#
dhcpd_use_ldap = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_dspam_script_anon_write = false
#
# Determine whether entropyd can use
# audio devices as the source for
# the entropy feeds.
#
entropyd_use_audio = false
#
# Determine whether exim can connect to
# databases.
#
exim_can_connect_db = false
#
# Determine whether exim can read generic
# user content files.
#
exim_read_user_files = false
#
# Determine whether exim can create,
# read, write, and delete generic user
# content files.
#
exim_manage_user_files = false
#
# Determine whether ftpd can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_ftpd_anon_write = false
#
# Determine whether ftpd can login to
# local users and can read and write
# all files on the system, governed by DAC.
#
allow_ftpd_full_access = false
#
# Determine whether ftpd can use CIFS
# used for public file transfer services.
#
allow_ftpd_use_cifs = false
#
# Determine whether ftpd can use NFS
# used for public file transfer services.
#
allow_ftpd_use_nfs = false
#
# Determine whether ftpd can connect to
# databases over the TCP network.
#
ftpd_connect_db = false
#
# Determine whether ftpd can bind to all
# unreserved ports for passive mode.
#
ftpd_use_passive_mode = false
#
# Determine whether ftpd can connect to
# all unreserved ports.
#
ftpd_connect_all_unreserved = false
#
# Determine whether ftpd can read and write
# files in user home directories.
#
ftp_home_dir = false
#
# Determine whether sftpd can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
sftpd_anon_write = false
#
# Determine whether sftpd-can read and write
# files in user home directories.
#
sftpd_enable_homedirs = false
#
# Determine whether sftpd-can login to
# local users and read and write all
# files on the system, governed by DAC.
#
sftpd_full_access = false
#
# Determine whether sftpd can read and write
# files in user ssh home directories.
#
sftpd_write_ssh_home = false
#
# Determine whether Git CGI
# can search home directories.
#
git_cgi_enable_homedirs = false
#
# Determine whether Git CGI
# can access cifs file systems.
#
git_cgi_use_cifs = false
#
# Determine whether Git CGI
# can access nfs file systems.
#
git_cgi_use_nfs = false
#
# Determine whether Git session daemon
# can bind TCP sockets to all
# unreserved ports.
#
git_session_bind_all_unreserved_ports = false
#
# Determine whether calling user domains
# can execute Git daemon in the
# git_session_t domain.
#
git_session_users = false
#
# Determine whether Git session daemons
# can send syslog messages.
#
git_session_send_syslog_msg = false
#
# Determine whether Git system daemon
# can search home directories.
#
git_system_enable_homedirs = false
#
# Determine whether Git system daemon
# can access cifs file systems.
#
git_system_use_cifs = false
#
# Determine whether Git system daemon
# can access nfs file systems.
#
git_system_use_nfs = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_git_script_anon_write = false
#
# Grant the i18n_input domains read access to generic user content
#
i18n_input_read_generic_user_content = true
#
# Determine whether icecast can listen
# on and connect to any TCP port.
#
icecast_use_any_tcp_ports = false
#
# Determine whether kerberos is supported.
#
allow_kerberos = false
#
# Determine whether to support lpd server.
#
use_lpd_server = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_mediawiki_script_anon_write = false
#
# Determine whether minidlna can read generic user content.
#
minidlna_read_generic_user_content = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_mojomojo_script_anon_write = false
#
# Allow monit to start/stop services
#
monit_startstop_services = false
#
# Determine whether mpd can traverse
# user home directories.
#
mpd_enable_homedirs = false
#
# Determine whether mpd can use
# cifs file systems.
#
mpd_use_cifs = false
#
# Determine whether mpd can use
# nfs file systems.
#
mpd_use_nfs = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_munin_script_anon_write = false
#
# Determine whether mysqld can
# connect to all TCP ports.
#
mysql_connect_any = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_nagios_script_anon_write = false
#
# Determine whether confined applications
# can use nscd shared memory.
#
nscd_use_shm = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_nutups_cgi_script_anon_write = false
#
# Determine whether openvpn can
# read generic user home content files.
#
openvpn_enable_homedirs = false
#
# Determine whether openvpn can
# connect to the TCP network.
#
openvpn_can_network_connect = false
#
# Determine whether Polipo system
# daemon can access CIFS file systems.
#
polipo_system_use_cifs = false
#
# Determine whether Polipo system
# daemon can access NFS file systems.
#
polipo_system_use_nfs = false
#
# Determine whether calling user domains
# can execute Polipo daemon in the
# polipo_session_t domain.
#
polipo_session_users = false
#
# Determine whether Polipo session daemon
# can send syslog messages.
#
polipo_session_send_syslog_msg = false
#
# Determine whether postfix local
# can manage mail spool content.
#
postfix_local_write_mail_spool = true
#
# Grant the postfix domains read access to generic user content
#
postfix_read_generic_user_content = true
#
# Grant the postfix domains read access to all user content
#
postfix_read_all_user_content = false
#
# Grant the postfix domains manage rights on generic user content
#
postfix_manage_generic_user_content = false
#
# Grant the postfix domains manage rights on all user content
#
postfix_manage_all_user_content = false
#
# Allow unprived users to execute DDL statement
#
sepgsql_enable_users_ddl = false
#
# Allow transmit client label to foreign database
#
sepgsql_transmit_client_label = false
#
# Allow database admins to execute DML statement
#
sepgsql_unconfined_dbadm = false
#
# Determine whether pppd can
# load kernel modules.
#
pppd_can_insmod = false
#
# Determine whether common users can
# run pppd with a domain transition.
#
pppd_for_user = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_prewikka_script_anon_write = false
#
# Determine whether privoxy can
# connect to all tcp ports.
#
privoxy_connect_any = false
#
# Determine whether rgmanager can
# connect to the network using TCP.
#
rgmanager_can_network_connect = false
#
# Determine whether fenced can
# connect to the TCP network.
#
fenced_can_network_connect = false
#
# Determine whether fenced can use ssh.
#
fenced_can_ssh = false
#
# Determine whether gssd can read
# generic user temporary content.
#
allow_gssd_read_tmp = false
#
# Determine whether gssd can write
# generic user temporary content.
#
allow_gssd_write_tmp = false
#
# Determine whether nfs can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_nfsd_anon_write = false
#
# Determine whether rsync can use
# cifs file systems.
#
rsync_use_cifs = false
#
# Determine whether rsync can
# use fuse file systems.
#
rsync_use_fusefs = false
#
# Determine whether rsync can use
# nfs file systems.
#
rsync_use_nfs = false
#
# Determine whether rsync can
# run as a client
#
rsync_client = false
#
# Determine whether rsync can
# export all content read only.
#
rsync_export_all_ro = false
#
# Determine whether rsync can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_rsync_anon_write = false
#
# Determine whether smbd_t can
# read shadow files.
#
samba_read_shadow = false
#
# Determine whether samba can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_smbd_anon_write = false
#
# Determine whether samba can
# create home directories via pam.
#
samba_create_home_dirs = false
#
# Determine whether samba can act as the
# domain controller, add users, groups
# and change passwords.
#
samba_domain_controller = false
#
# Determine whether samba can
# act as a portmapper.
#
samba_portmapper = false
#
# Determine whether samba can share
# users home directories.
#
samba_enable_home_dirs = false
#
# Determine whether samba can share
# any content read only.
#
samba_export_all_ro = false
#
# Determine whether samba can share any
# content readable and writable.
#
samba_export_all_rw = false
#
# Determine whether samba can
# run unconfined scripts.
#
samba_run_unconfined = false
#
# Determine whether samba can
# use nfs file systems.
#
samba_share_nfs = false
#
# Determine whether samba can
# use fuse file systems.
#
samba_share_fusefs = false
#
# Determine whether sanlock can use
# nfs file systems.
#
sanlock_use_nfs = false
#
# Determine whether sanlock can use
# cifs file systems.
#
sanlock_use_samba = false
#
# Determine whether sasl can
# read shadow files.
#
allow_saslauthd_read_shadow = false
#
# Determine whether smartmon can support
# devices on 3ware controllers.
#
smartmon_3ware = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_smokeping_cgi_script_anon_write = false
#
# Determine whether spamassassin
# clients can use the network.
#
spamassassin_can_network = false
#
# Determine whether spamd can manage
# generic user home content.
#
spamd_enable_home_dirs = false
#
# Determine whether squid can
# connect to all TCP ports.
#
squid_connect_any = false
#
# Determine whether squid can run
# as a transparent proxy.
#
squid_use_tproxy = false
#
# Determine whether squid can use the
# pinger daemon (needs raw net access)
#
squid_use_pinger = true
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_squid_script_anon_write = false
#
# allow host key based authentication
#
allow_ssh_keysign = false
#
# Allow ssh logins as sysadm_r:sysadm_t
#
ssh_sysadm_login = false
#
# Allow ssh to use gpg-agent
#
ssh_use_gpg_agent = false
#
# Determine whether tftp can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
tftp_anon_write = false
#
# Determine whether tftp can manage
# generic user home content.
#
tftp_enable_homedir = false
#
# Determine whether tor can bind
# tcp sockets to all unreserved ports.
#
tor_bind_all_unreserved_ports = false
#
# Determine whether varnishd can
# use the full TCP network.
#
varnishd_connect_any = false
#
# Determine whether confined virtual guests
# can use serial/parallel communication ports.
#
virt_use_comm = false
#
# Determine whether confined virtual guests
# can use executable memory and can make
# their stack executable.
#
virt_use_execmem = false
#
# Determine whether confined virtual guests
# can use fuse file systems.
#
virt_use_fusefs = false
#
# Determine whether confined virtual guests
# can use nfs file systems.
#
virt_use_nfs = false
#
# Determine whether confined virtual guests
# can use cifs file systems.
#
virt_use_samba = false
#
# Determine whether confined virtual guests
# can manage device configuration.
#
virt_use_sysfs = false
#
# Determine whether confined virtual guests
# can use usb devices.
#
virt_use_usb = false
#
# Determine whether confined virtual guests
# can interact with xserver.
#
virt_use_xserver = false
#
# Determine whether confined virtual guests
# can use vfio for pci device pass through (vt-d).
#
virt_use_vfio = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_w3c_validator_script_anon_write = false
#
# Allows clients to write to the X server shared
# memory segments.
#
allow_write_xshm = false
#
# Allow xdm logins as sysadm
#
xdm_sysadm_login = false
#
# Use gnome-shell in gdm mode as the
# X Display Manager (XDM)
#
xserver_gnome_xdm = false
#
# Support X userspace object manager
#
xserver_object_manager = false
#
# Determine whether zabbix can
# connect to all TCP ports
#
zabbix_can_network = false
#
# Determine whether zebra daemon can
# manage its configuration files.
#
allow_zebra_write_config = false
#
# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
#
authlogin_nsswitch_use_ldap = false
#
# Enable support for upstart as the init program.
#
init_upstart = false
#
# Allow all daemons the ability to read/write terminals
#
init_daemons_use_tty = false
#
# Allow racoon to read shadow
#
racoon_read_shadow = false
#
# Allow the mount command to mount any directory or file.
#
allow_mount_anyfile = false
#
# Enable support for systemd-tmpfiles to manage all non-security files.
#
systemd_tmpfiles_manage_all = false
#
# Allow systemd-nspawn to create a labelled namespace with the same types
# as parent environment
#
systemd_nspawn_labeled_namespace = false
#
# Allow users to connect to mysql
#
allow_user_mysql_connect = false
#
# Allow users to connect to PostgreSQL
#
allow_user_postgresql_connect = false
#
# Allow regular users direct mouse access
#
user_direct_mouse = false
#
# Allow users to read system messages.
#
user_dmesg = false
#
# Allow user to r/w files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false
#
# Allow user to execute files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_exec_noexattrfile = false
#
# Allow user to write files on removable
# devices (e.g. external USB memory
# devices or floppies)
#
user_write_removable = false
#
# Allow w to display everyone
#
user_ttyfile_stat = false
#
# Determine whether xend can
# run blktapctrl and tapdisk.
#
xend_run_blktap = false
#
# Determine whether xen can
# use fusefs file systems.
#
xen_use_fusefs = false
#
# Determine whether xen can
# use nfs file systems.
#
xen_use_nfs = false
#
# Determine whether xen can
# use samba file systems.
#
xen_use_samba = false
#
# Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
#
allow_execheap = false
#
# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
#
allow_execmem = false
#
# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
#
allow_execmod = false
#
# Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
#
allow_execstack = false
#
# Enable polyinstantiated directory support.
#
allow_polyinstantiation = false
#
# Allow system to run with NIS
#
allow_ypbind = false
#
# Allow logging in and using the system from /dev/console.
#
console_login = true
#
# Enable reading of urandom for all domains.
#
#
#
#
# This should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection. All domains will
# be allowed to read from /dev/urandom.
#
global_ssp = false
#
# Allow email client to various content.
# nfs, samba, removable devices, and user temp
# files
#
mail_read_content = false
#
# Allow any files/directories to be exported read/write via NFS.
#
nfs_export_all_rw = false
#
# Allow any files/directories to be exported read/only via NFS.
#
nfs_export_all_ro = false
#
# Support NFS home directories
#
use_nfs_home_dirs = false
#
# Support SAMBA home directories
#
use_samba_home_dirs = false
#
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols.
#
user_tcp_server = false
#
# Allow users to run UDP servers (bind to ports and accept connection from
# the same domain and outside users)
#
user_udp_server = false