#
|
|
# Disable kernel module loading.
|
|
#
|
|
secure_mode_insmod = false
|
|
|
|
#
|
|
# Boolean to determine whether the system permits loading policy, setting
|
|
# enforcing mode, and changing boolean values. Set this to true and you
|
|
# have to reboot to set it back.
|
|
#
|
|
secure_mode_policyload = false
|
|
|
|
#
|
|
# Enabling secure mode disallows programs, such as
|
|
# newrole, from transitioning to administrative
|
|
# user domains.
|
|
#
|
|
secure_mode = false
|
|
|
|
#
|
|
# Grant the firstboot domains read access to generic user content
|
|
#
|
|
firstboot_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the firstboot domains read access to all user content
|
|
#
|
|
firstboot_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the firstboot domains manage rights on generic user content
|
|
#
|
|
firstboot_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the firstboot domains manage rights on all user content
|
|
#
|
|
firstboot_manage_all_user_content = false
|
|
|
|
#
|
|
# Determine whether logwatch can connect
|
|
# to mail over the network.
|
|
#
|
|
logwatch_can_network_connect_mail = false
|
|
|
|
#
|
|
# Determine whether mcelog supports
|
|
# client mode.
|
|
#
|
|
mcelog_client = false
|
|
|
|
#
|
|
# Determine whether mcelog can execute scripts.
|
|
#
|
|
mcelog_exec_scripts = true
|
|
|
|
#
|
|
# Determine whether mcelog can use all
|
|
# the user ttys.
|
|
#
|
|
mcelog_foreground = false
|
|
|
|
#
|
|
# Determine whether mcelog supports
|
|
# server mode.
|
|
#
|
|
mcelog_server = false
|
|
|
|
#
|
|
# Determine whether mcelog can use syslog.
|
|
#
|
|
mcelog_syslog = false
|
|
|
|
#
|
|
# Control users' use of ping and traceroute
|
|
#
|
|
user_ping = false
|
|
|
|
#
|
|
# Determine whether portage can
|
|
# use nfs filesystems.
|
|
#
|
|
portage_use_nfs = false
|
|
|
|
#
|
|
# Determine whether puppet can
|
|
# manage all non-security files.
|
|
#
|
|
puppet_manage_all_files = false
|
|
|
|
#
|
|
# Determine whether rkhunter can connect
|
|
# to http ports. This is required by the
|
|
# --update option.
|
|
#
|
|
rkhunter_connect_http = false
|
|
|
|
#
|
|
# Determine whether attempts by
|
|
# vbetool to mmap low regions should
|
|
# be silently blocked.
|
|
#
|
|
vbetool_mmap_zero_ignore = false
|
|
|
|
#
|
|
# Determine whether awstats can
|
|
# purge httpd log files.
|
|
#
|
|
awstats_purge_apache_log_files = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_awstats_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether cdrecord can read
|
|
# various content. nfs, samba, removable
|
|
# devices, user temp and untrusted
|
|
# content files
|
|
#
|
|
cdrecord_read_content = false
|
|
|
|
#
|
|
# Allow evolution to create and write
|
|
# user certificates in addition to
|
|
# being able to read them
|
|
#
|
|
evolution_manage_user_certs = false
|
|
|
|
#
|
|
# Grant the evolution domains read access to generic user content
|
|
#
|
|
evolution_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the evolution domains read access to all user content
|
|
#
|
|
evolution_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the evolution domains manage rights on generic user content
|
|
#
|
|
evolution_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the evolution domains manage rights on all user content
|
|
#
|
|
evolution_manage_all_user_content = false
|
|
|
|
#
|
|
# Determine whether Gitosis can send mail.
|
|
#
|
|
gitosis_can_sendmail = false
|
|
|
|
#
|
|
# Determine whether GPG agent can manage
|
|
# generic user home content files. This is
|
|
# required by the --write-env-file option.
|
|
#
|
|
gpg_agent_env_file = false
|
|
|
|
#
|
|
# Determine whether GPG agent can use OpenPGP
|
|
# cards or Yubikeys over USB
|
|
#
|
|
gpg_agent_use_card = false
|
|
|
|
#
|
|
# Grant the gpg domains read access to generic user content
|
|
#
|
|
gpg_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the gpg domains read access to all user content
|
|
#
|
|
gpg_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the gpg domains manage rights on generic user content
|
|
#
|
|
gpg_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the gpg domains manage rights on all user content
|
|
#
|
|
gpg_manage_all_user_content = false
|
|
|
|
#
|
|
# Determine whether irc clients can
|
|
# listen on and connect to any
|
|
# unreserved TCP ports.
|
|
#
|
|
irc_use_any_tcp_ports = false
|
|
|
|
#
|
|
# Grant the irc domains read access to generic user content
|
|
#
|
|
irc_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the irc domains read access to all user content
|
|
#
|
|
irc_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the irc domains manage rights on generic user content
|
|
#
|
|
irc_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the irc domains manage rights on all user content
|
|
#
|
|
irc_manage_all_user_content = false
|
|
|
|
#
|
|
# Determine whether java can make
|
|
# its stack executable.
|
|
#
|
|
allow_java_execstack = false
|
|
|
|
#
|
|
# Grant the java domains read access to generic user content
|
|
#
|
|
java_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the java domains read access to all user content
|
|
#
|
|
java_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the java domains manage rights on generic user content
|
|
#
|
|
java_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the java domains manage rights on all user content
|
|
#
|
|
java_manage_all_user_content = false
|
|
|
|
#
|
|
# Determine whether libmtp can read
|
|
# and manage the user home directories
|
|
# and files.
|
|
#
|
|
libmtp_enable_home_dirs = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_lightsquid_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_man2html_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether mozilla can
|
|
# make its stack executable.
|
|
#
|
|
mozilla_execstack = false
|
|
|
|
#
|
|
# Grant the mozilla domains read access to generic user content
|
|
#
|
|
mozilla_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the mozilla domains read access to all user content
|
|
#
|
|
mozilla_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the mozilla domains manage rights on generic user content
|
|
#
|
|
mozilla_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the mozilla domains manage rights on all user content
|
|
#
|
|
mozilla_manage_all_user_content = false
|
|
|
|
#
|
|
# Determine whether mplayer can make
|
|
# its stack executable.
|
|
#
|
|
allow_mplayer_execstack = false
|
|
|
|
#
|
|
# Grant the mplayer_mencoder domains read access to generic user content
|
|
#
|
|
mplayer_mencoder_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the mplayer_mencoder domains read access to all user content
|
|
#
|
|
mplayer_mencoder_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the mplayer_mencoder domains manage rights on generic user content
|
|
#
|
|
mplayer_mencoder_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the mplayer_mencoder domains manage rights on all user content
|
|
#
|
|
mplayer_mencoder_manage_all_user_content = false
|
|
|
|
#
|
|
# Grant the mplayer domains read access to generic user content
|
|
#
|
|
mplayer_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the mplayer domains read access to all user content
|
|
#
|
|
mplayer_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the mplayer domains manage rights on generic user content
|
|
#
|
|
mplayer_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the mplayer domains manage rights on all user content
|
|
#
|
|
mplayer_manage_all_user_content = false
|
|
|
|
#
|
|
# Determine whether openoffice can
|
|
# download software updates from the
|
|
# network (application and/or
|
|
# extensions).
|
|
#
|
|
openoffice_allow_update = true
|
|
|
|
#
|
|
# Determine whether openoffice writer
|
|
# can send emails directly (print to
|
|
# email). This is different from the
|
|
# functionality of sending emails
|
|
# through external clients which is
|
|
# always enabled.
|
|
#
|
|
openoffice_allow_email = false
|
|
|
|
#
|
|
# Grant the openoffice domains read access to generic user content
|
|
#
|
|
openoffice_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the openoffice domains read access to all user content
|
|
#
|
|
openoffice_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the openoffice domains manage rights on generic user content
|
|
#
|
|
openoffice_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the openoffice domains manage rights on all user content
|
|
#
|
|
openoffice_manage_all_user_content = false
|
|
|
|
#
|
|
# Allow pulseaudio to execute code in
|
|
# writable memory
|
|
#
|
|
pulseaudio_execmem = false
|
|
|
|
#
|
|
# Determine whether qemu has full
|
|
# access to the network.
|
|
#
|
|
qemu_full_network = false
|
|
|
|
#
|
|
# Grant the syncthing domains read access to generic user content
|
|
#
|
|
syncthing_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the syncthing domains read access to all user content
|
|
#
|
|
syncthing_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the syncthing domains manage rights on generic user content
|
|
#
|
|
syncthing_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the syncthing domains manage rights on all user content
|
|
#
|
|
syncthing_manage_all_user_content = false
|
|
|
|
#
|
|
# Determine whether telepathy connection
|
|
# managers can connect to generic tcp ports.
|
|
#
|
|
telepathy_tcp_connect_generic_network_ports = false
|
|
|
|
#
|
|
# Determine whether telepathy connection
|
|
# managers can connect to any port.
|
|
#
|
|
telepathy_connect_all_ports = false
|
|
|
|
#
|
|
# Grant the thunderbird domains read access to generic user content
|
|
#
|
|
thunderbird_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the thunderbird domains read access to all user content
|
|
#
|
|
thunderbird_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the thunderbird domains manage rights on generic user content
|
|
#
|
|
thunderbird_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the thunderbird domains manage rights on all user content
|
|
#
|
|
thunderbird_manage_all_user_content = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_webalizer_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether attempts by
|
|
# wine to mmap low regions should
|
|
# be silently blocked.
|
|
#
|
|
wine_mmap_zero_ignore = false
|
|
|
|
#
|
|
# Grant the wireshark domains read access to generic user content
|
|
#
|
|
wireshark_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the wireshark domains read access to all user content
|
|
#
|
|
wireshark_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the wireshark domains manage rights on generic user content
|
|
#
|
|
wireshark_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the wireshark domains manage rights on all user content
|
|
#
|
|
wireshark_manage_all_user_content = false
|
|
|
|
#
|
|
# Grant the xscreensaver domains read access to generic user content
|
|
#
|
|
xscreensaver_read_generic_user_content = true
|
|
|
|
#
|
|
# Control the ability to mmap a low area of the address space,
|
|
# as configured by /proc/sys/kernel/mmap_min_addr.
|
|
#
|
|
mmap_low_allowed = false
|
|
|
|
#
|
|
# Determine whether dbadm can manage
|
|
# generic user files.
|
|
#
|
|
dbadm_manage_user_files = false
|
|
|
|
#
|
|
# Determine whether dbadm can read
|
|
# generic user files.
|
|
#
|
|
dbadm_read_user_files = false
|
|
|
|
#
|
|
# Allow sysadm to debug or ptrace all processes.
|
|
#
|
|
allow_ptrace = false
|
|
|
|
#
|
|
# Determine whether webadm can
|
|
# manage generic user files.
|
|
#
|
|
webadm_manage_user_files = false
|
|
|
|
#
|
|
# Determine whether webadm can
|
|
# read generic user files.
|
|
#
|
|
webadm_read_user_files = false
|
|
|
|
#
|
|
# Determine whether xguest can
|
|
# mount removable media.
|
|
#
|
|
xguest_mount_media = false
|
|
|
|
#
|
|
# Determine whether xguest can
|
|
# configure network manager.
|
|
#
|
|
xguest_connect_network = false
|
|
|
|
#
|
|
# Determine whether xguest can
|
|
# use Bluetooth devices.
|
|
#
|
|
xguest_use_bluetooth = false
|
|
|
|
#
|
|
# Determine whether ABRT can modify
|
|
# public files used for public file
|
|
# transfer services.
|
|
#
|
|
abrt_anon_write = false
|
|
|
|
#
|
|
# Determine whether abrt-handle-upload
|
|
# can modify public files used for public file
|
|
# transfer services in /var/spool/abrt-upload/.
|
|
#
|
|
abrt_upload_watch_anon_write = true
|
|
|
|
#
|
|
# Determine whether ABRT can run in
|
|
# the abrt_handle_event_t domain to
|
|
# handle ABRT event scripts.
|
|
#
|
|
abrt_handle_event = false
|
|
|
|
#
|
|
# Determine whether amavis can
|
|
# use JIT compiler.
|
|
#
|
|
amavis_use_jit = false
|
|
|
|
#
|
|
# Determine whether httpd can modify
|
|
# public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_anon_write = false
|
|
|
|
#
|
|
# Determine whether httpd can use mod_auth_pam.
|
|
#
|
|
allow_httpd_mod_auth_pam = false
|
|
|
|
#
|
|
# Determine whether httpd can use built in scripting.
|
|
#
|
|
httpd_builtin_scripting = false
|
|
|
|
#
|
|
# Determine whether httpd can check spam.
|
|
#
|
|
httpd_can_check_spam = false
|
|
|
|
#
|
|
# Determine whether httpd scripts and modules
|
|
# can connect to the network using TCP.
|
|
#
|
|
httpd_can_network_connect = false
|
|
|
|
#
|
|
# Determine whether httpd scripts and modules
|
|
# can connect to cobbler over the network.
|
|
#
|
|
httpd_can_network_connect_cobbler = false
|
|
|
|
#
|
|
# Determine whether scripts and modules can
|
|
# connect to databases over the network.
|
|
#
|
|
httpd_can_network_connect_db = false
|
|
|
|
#
|
|
# Determine whether httpd can connect to
|
|
# ldap over the network.
|
|
#
|
|
httpd_can_network_connect_ldap = false
|
|
|
|
#
|
|
# Determine whether httpd can connect
|
|
# to memcache server over the network.
|
|
#
|
|
httpd_can_network_connect_memcache = false
|
|
|
|
#
|
|
# Determine whether httpd can act as a relay.
|
|
#
|
|
httpd_can_network_relay = false
|
|
|
|
#
|
|
# Determine whether httpd daemon can
|
|
# connect to zabbix over the network.
|
|
#
|
|
httpd_can_network_connect_zabbix = false
|
|
|
|
#
|
|
# Determine whether httpd can send mail.
|
|
#
|
|
httpd_can_sendmail = false
|
|
|
|
#
|
|
# Determine whether httpd can communicate
|
|
# with avahi service via dbus.
|
|
#
|
|
httpd_dbus_avahi = false
|
|
|
|
#
|
|
# Determine whether httpd can use CGI support.
|
|
#
|
|
httpd_enable_cgi = false
|
|
|
|
#
|
|
# Determine whether httpd can act as a
|
|
# FTP server by listening on the ftp port.
|
|
#
|
|
httpd_enable_ftp_server = false
|
|
|
|
#
|
|
# Determine whether httpd can traverse
|
|
# user home directories.
|
|
#
|
|
httpd_enable_homedirs = false
|
|
|
|
#
|
|
# Determine whether httpd gpg can modify
|
|
# public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
httpd_gpg_anon_write = false
|
|
|
|
#
|
|
# Determine whether httpd can execute
|
|
# its temporary content.
|
|
#
|
|
httpd_tmp_exec = false
|
|
|
|
#
|
|
# Determine whether httpd scripts and
|
|
# modules can use execmem and execstack.
|
|
#
|
|
httpd_execmem = false
|
|
|
|
#
|
|
# Determine whether httpd can connect
|
|
# to port 80 for graceful shutdown.
|
|
#
|
|
httpd_graceful_shutdown = false
|
|
|
|
#
|
|
# Determine whether httpd can
|
|
# manage IPA content files.
|
|
#
|
|
httpd_manage_ipa = false
|
|
|
|
#
|
|
# Determine whether httpd can use mod_auth_ntlm_winbind.
|
|
#
|
|
httpd_mod_auth_ntlm_winbind = false
|
|
|
|
#
|
|
# Determine whether httpd can read
|
|
# generic user home content files.
|
|
#
|
|
httpd_read_user_content = false
|
|
|
|
#
|
|
# Determine whether httpd can change
|
|
# its resource limits.
|
|
#
|
|
httpd_setrlimit = false
|
|
|
|
#
|
|
# Determine whether httpd can run
|
|
# SSI executables in the same domain
|
|
# as system CGI scripts.
|
|
#
|
|
httpd_ssi_exec = false
|
|
|
|
#
|
|
# Determine whether httpd can communicate
|
|
# with the terminal. Needed for entering the
|
|
# passphrase for certificates at the terminal.
|
|
#
|
|
httpd_tty_comm = false
|
|
|
|
#
|
|
# Determine whether httpd can have full access
|
|
# to its content types.
|
|
#
|
|
httpd_unified = false
|
|
|
|
#
|
|
# Determine whether httpd can use
|
|
# cifs file systems.
|
|
#
|
|
httpd_use_cifs = false
|
|
|
|
#
|
|
# Determine whether httpd can
|
|
# use fuse file systems.
|
|
#
|
|
httpd_use_fusefs = false
|
|
|
|
#
|
|
# Determine whether httpd can use gpg.
|
|
#
|
|
httpd_use_gpg = false
|
|
|
|
#
|
|
# Determine whether httpd can use
|
|
# nfs file systems.
|
|
#
|
|
httpd_use_nfs = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_sys_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_user_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_unconfined_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_apcupsd_cgi_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether Bind can bind tcp socket to http ports.
|
|
#
|
|
named_tcp_bind_http_port = false
|
|
|
|
#
|
|
# Determine whether Bind can write to master zone files.
|
|
# Generally this is used for dynamic DNS or zone transfers.
|
|
#
|
|
named_write_master_zones = false
|
|
|
|
#
|
|
# Determine whether boinc can execmem/execstack.
|
|
#
|
|
boinc_execmem = true
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_bugzilla_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether clamscan can
|
|
# read user content files.
|
|
#
|
|
clamav_read_user_content_files_clamscan = false
|
|
|
|
#
|
|
# Determine whether clamscan can read
|
|
# all non-security files.
|
|
#
|
|
clamav_read_all_non_security_files_clamscan = false
|
|
|
|
#
|
|
# Determine whether clamd can use the JIT compiler.
|
|
#
|
|
clamd_use_jit = false
|
|
|
|
#
|
|
# Determine whether Cobbler can modify
|
|
# public files used for public file
|
|
# transfer services.
|
|
#
|
|
cobbler_anon_write = false
|
|
|
|
#
|
|
# Determine whether Cobbler can connect
|
|
# to the network using TCP.
|
|
#
|
|
cobbler_can_network_connect = false
|
|
|
|
#
|
|
# Determine whether Cobbler can access
|
|
# cifs file systems.
|
|
#
|
|
cobbler_use_cifs = false
|
|
|
|
#
|
|
# Determine whether Cobbler can access
|
|
# nfs file systems.
|
|
#
|
|
cobbler_use_nfs = false
|
|
|
|
#
|
|
# Determine whether collectd can connect
|
|
# to the network using TCP.
|
|
#
|
|
collectd_tcp_network_connect = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_collectd_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether Condor can connect
|
|
# to the network using TCP.
|
|
#
|
|
condor_tcp_network_connect = false
|
|
|
|
#
|
|
# Determine whether system cron jobs
|
|
# can relabel filesystem for
|
|
# restoring file contexts.
|
|
#
|
|
cron_can_relabel = false
|
|
|
|
#
|
|
# Determine whether crond can execute jobs
|
|
# in the user domain as opposed to the
|
|
# generic cronjob domain.
|
|
#
|
|
cron_userdomain_transition = false
|
|
|
|
#
|
|
# Determine whether extra rules
|
|
# should be enabled to support fcron.
|
|
#
|
|
fcron_crond = false
|
|
|
|
#
|
|
# Grant the cron domains read access to generic user content
|
|
#
|
|
cron_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the cron domains read access to all user content
|
|
#
|
|
cron_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the cron domains manage rights on generic user content
|
|
#
|
|
cron_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the cron domains manage rights on all user content
|
|
#
|
|
cron_manage_all_user_content = false
|
|
|
|
#
|
|
# Determine whether cvs can read shadow
|
|
# password files.
|
|
#
|
|
allow_cvs_read_shadow = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_cvs_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether DHCP daemon
|
|
# can use LDAP backends.
|
|
#
|
|
dhcpd_use_ldap = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_dspam_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether entropyd can use
|
|
# audio devices as the source for
|
|
# the entropy feeds.
|
|
#
|
|
entropyd_use_audio = false
|
|
|
|
#
|
|
# Determine whether exim can connect to
|
|
# databases.
|
|
#
|
|
exim_can_connect_db = false
|
|
|
|
#
|
|
# Determine whether exim can read generic
|
|
# user content files.
|
|
#
|
|
exim_read_user_files = false
|
|
|
|
#
|
|
# Determine whether exim can create,
|
|
# read, write, and delete generic user
|
|
# content files.
|
|
#
|
|
exim_manage_user_files = false
|
|
|
|
#
|
|
# Determine whether ftpd can modify
|
|
# public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_ftpd_anon_write = false
|
|
|
|
#
|
|
# Determine whether ftpd can log in to
|
|
# local users and can read and write
|
|
# all files on the system, governed by DAC.
|
|
#
|
|
allow_ftpd_full_access = false
|
|
|
|
#
|
|
# Determine whether ftpd can use CIFS
|
|
# used for public file transfer services.
|
|
#
|
|
allow_ftpd_use_cifs = false
|
|
|
|
#
|
|
# Determine whether ftpd can use NFS
|
|
# used for public file transfer services.
|
|
#
|
|
allow_ftpd_use_nfs = false
|
|
|
|
#
|
|
# Determine whether ftpd can connect to
|
|
# databases over the TCP network.
|
|
#
|
|
ftpd_connect_db = false
|
|
|
|
#
|
|
# Determine whether ftpd can bind to all
|
|
# unreserved ports for passive mode.
|
|
#
|
|
ftpd_use_passive_mode = false
|
|
|
|
#
|
|
# Determine whether ftpd can connect to
|
|
# all unreserved ports.
|
|
#
|
|
ftpd_connect_all_unreserved = false
|
|
|
|
#
|
|
# Determine whether ftpd can read and write
|
|
# files in user home directories.
|
|
#
|
|
ftp_home_dir = false
|
|
|
|
#
|
|
# Determine whether sftpd can modify
|
|
# public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
sftpd_anon_write = false
|
|
|
|
#
|
|
# Determine whether sftpd can read and write
|
|
# files in user home directories.
|
|
#
|
|
sftpd_enable_homedirs = false
|
|
|
|
#
|
|
# Determine whether sftpd can log in to
|
|
# local users and read and write all
|
|
# files on the system, governed by DAC.
|
|
#
|
|
sftpd_full_access = false
|
|
|
|
#
|
|
# Determine whether sftpd can read and write
|
|
# files in user ssh home directories.
|
|
#
|
|
sftpd_write_ssh_home = false
|
|
|
|
#
|
|
# Determine whether Git CGI
|
|
# can search home directories.
|
|
#
|
|
git_cgi_enable_homedirs = false
|
|
|
|
#
|
|
# Determine whether Git CGI
|
|
# can access cifs file systems.
|
|
#
|
|
git_cgi_use_cifs = false
|
|
|
|
#
|
|
# Determine whether Git CGI
|
|
# can access nfs file systems.
|
|
#
|
|
git_cgi_use_nfs = false
|
|
|
|
#
|
|
# Determine whether Git session daemon
|
|
# can bind TCP sockets to all
|
|
# unreserved ports.
|
|
#
|
|
git_session_bind_all_unreserved_ports = false
|
|
|
|
#
|
|
# Determine whether calling user domains
|
|
# can execute Git daemon in the
|
|
# git_session_t domain.
|
|
#
|
|
git_session_users = false
|
|
|
|
#
|
|
# Determine whether Git session daemons
|
|
# can send syslog messages.
|
|
#
|
|
git_session_send_syslog_msg = false
|
|
|
|
#
|
|
# Determine whether Git system daemon
|
|
# can search home directories.
|
|
#
|
|
git_system_enable_homedirs = false
|
|
|
|
#
|
|
# Determine whether Git system daemon
|
|
# can access cifs file systems.
|
|
#
|
|
git_system_use_cifs = false
|
|
|
|
#
|
|
# Determine whether Git system daemon
|
|
# can access nfs file systems.
|
|
#
|
|
git_system_use_nfs = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_git_script_anon_write = false
|
|
|
|
#
|
|
# Grant the i18n_input domains read access to generic user content
|
|
#
|
|
i18n_input_read_generic_user_content = true
|
|
|
|
#
|
|
# Determine whether icecast can listen
|
|
# on and connect to any TCP port.
|
|
#
|
|
icecast_use_any_tcp_ports = false
|
|
|
|
#
|
|
# Determine whether kerberos is supported.
|
|
#
|
|
allow_kerberos = false
|
|
|
|
#
|
|
# Determine whether to support lpd server.
|
|
#
|
|
use_lpd_server = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_mediawiki_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether minidlna can read generic user content.
|
|
#
|
|
minidlna_read_generic_user_content = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_mojomojo_script_anon_write = false
|
|
|
|
#
|
|
# Allow monit to start/stop services
|
|
#
|
|
monit_startstop_services = false
|
|
|
|
#
|
|
# Determine whether mpd can traverse
|
|
# user home directories.
|
|
#
|
|
mpd_enable_homedirs = false
|
|
|
|
#
|
|
# Determine whether mpd can use
|
|
# cifs file systems.
|
|
#
|
|
mpd_use_cifs = false
|
|
|
|
#
|
|
# Determine whether mpd can use
|
|
# nfs file systems.
|
|
#
|
|
mpd_use_nfs = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_munin_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether mysqld can
|
|
# connect to all TCP ports.
|
|
#
|
|
mysql_connect_any = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_nagios_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether confined applications
|
|
# can use nscd shared memory.
|
|
#
|
|
nscd_use_shm = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_nutups_cgi_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether openvpn can
|
|
# read generic user home content files.
|
|
#
|
|
openvpn_enable_homedirs = false
|
|
|
|
#
|
|
# Determine whether openvpn can
|
|
# connect to the TCP network.
|
|
#
|
|
openvpn_can_network_connect = false
|
|
|
|
#
|
|
# Determine whether Polipo system
|
|
# daemon can access CIFS file systems.
|
|
#
|
|
polipo_system_use_cifs = false
|
|
|
|
#
|
|
# Determine whether Polipo system
|
|
# daemon can access NFS file systems.
|
|
#
|
|
polipo_system_use_nfs = false
|
|
|
|
#
|
|
# Determine whether calling user domains
|
|
# can execute Polipo daemon in the
|
|
# polipo_session_t domain.
|
|
#
|
|
polipo_session_users = false
|
|
|
|
#
|
|
# Determine whether Polipo session daemon
|
|
# can send syslog messages.
|
|
#
|
|
polipo_session_send_syslog_msg = false
|
|
|
|
#
|
|
# Determine whether postfix local
|
|
# can manage mail spool content.
|
|
#
|
|
postfix_local_write_mail_spool = true
|
|
|
|
#
|
|
# Grant the postfix domains read access to generic user content
|
|
#
|
|
postfix_read_generic_user_content = true
|
|
|
|
#
|
|
# Grant the postfix domains read access to all user content
|
|
#
|
|
postfix_read_all_user_content = false
|
|
|
|
#
|
|
# Grant the postfix domains manage rights on generic user content
|
|
#
|
|
postfix_manage_generic_user_content = false
|
|
|
|
#
|
|
# Grant the postfix domains manage rights on all user content
|
|
#
|
|
postfix_manage_all_user_content = false
|
|
|
|
#
|
|
# Allow unprivileged users to execute DDL statements
|
|
#
|
|
sepgsql_enable_users_ddl = false
|
|
|
|
#
|
|
# Allow transmitting the client label to a foreign database
|
|
#
|
|
sepgsql_transmit_client_label = false
|
|
|
|
#
|
|
# Allow database admins to execute DML statements
|
|
#
|
|
sepgsql_unconfined_dbadm = false
|
|
|
|
#
|
|
# Determine whether pppd can
|
|
# load kernel modules.
|
|
#
|
|
pppd_can_insmod = false
|
|
|
|
#
|
|
# Determine whether common users can
|
|
# run pppd with a domain transition.
|
|
#
|
|
pppd_for_user = false
|
|
|
|
#
|
|
# Determine whether the script domain can
|
|
# modify public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_httpd_prewikka_script_anon_write = false
|
|
|
|
#
|
|
# Determine whether privoxy can
|
|
# connect to all tcp ports.
|
|
#
|
|
privoxy_connect_any = false
|
|
|
|
#
|
|
# Determine whether rgmanager can
|
|
# connect to the network using TCP.
|
|
#
|
|
rgmanager_can_network_connect = false
|
|
|
|
#
|
|
# Determine whether fenced can
|
|
# connect to the TCP network.
|
|
#
|
|
fenced_can_network_connect = false
|
|
|
|
#
|
|
# Determine whether fenced can use ssh.
|
|
#
|
|
fenced_can_ssh = false
|
|
|
|
#
|
|
# Determine whether gssd can read
|
|
# generic user temporary content.
|
|
#
|
|
allow_gssd_read_tmp = false
|
|
|
|
#
|
|
# Determine whether gssd can write
|
|
# generic user temporary content.
|
|
#
|
|
allow_gssd_write_tmp = false
|
|
|
|
#
|
|
# Determine whether nfs can modify
|
|
# public files used for public file
|
|
# transfer services. Directories/Files must
|
|
# be labeled public_content_rw_t.
|
|
#
|
|
allow_nfsd_anon_write = false
|
|
|
|
#
|
|
# Determine whether rsync can use
|
|
# cifs file systems.
|
|
#
|
|
rsync_use_cifs = false
|
|
|
|
#
|
|
# Determine whether rsync can
|
|
# use fuse file systems.
|
|
#
|
|
rsync_use_fusefs = false
|
|
|
|
#
|
|
# Determine whether rsync can use
|
|
# nfs file systems.
|
|
#
rsync_use_nfs = false
#
# Determine whether rsync can
# run as a client.
#
rsync_client = false
#
# Determine whether rsync can
# export all content read only.
#
rsync_export_all_ro = false
#
# Determine whether rsync can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_rsync_anon_write = false
#
# Determine whether smbd_t can
# read shadow files.
#
samba_read_shadow = false
#
# Determine whether samba can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_smbd_anon_write = false
#
# Determine whether samba can
# create home directories via pam.
#
samba_create_home_dirs = false
#
# Determine whether samba can act as the
# domain controller, add users, groups
# and change passwords.
#
samba_domain_controller = false
#
# Determine whether samba can
# act as a portmapper.
#
samba_portmapper = false
#
# Determine whether samba can share
# users' home directories.
#
samba_enable_home_dirs = false
#
# Determine whether samba can share
# any content read only.
#
samba_export_all_ro = false
#
# Determine whether samba can share any
# content readable and writable.
#
samba_export_all_rw = false
#
# Determine whether samba can
# run unconfined scripts.
#
samba_run_unconfined = false
#
# Determine whether samba can
# use nfs file systems.
#
samba_share_nfs = false
#
# Determine whether samba can
# use fuse file systems.
#
samba_share_fusefs = false
#
# Determine whether sanlock can use
# nfs file systems.
#
sanlock_use_nfs = false
#
# Determine whether sanlock can use
# cifs file systems.
#
sanlock_use_samba = false
#
# Determine whether sasl can
# read shadow files.
#
allow_saslauthd_read_shadow = false
#
# Determine whether smartmon can support
# devices on 3ware controllers.
#
smartmon_3ware = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_smokeping_cgi_script_anon_write = false
#
# Determine whether spamassassin
# clients can use the network.
#
spamassassin_can_network = false
#
# Determine whether spamd can manage
# generic user home content.
#
spamd_enable_home_dirs = false
#
# Determine whether squid can
# connect to all TCP ports.
#
squid_connect_any = false
#
# Determine whether squid can run
# as a transparent proxy.
#
squid_use_tproxy = false
#
# Determine whether squid can use the
# pinger daemon (needs raw network access).
#
squid_use_pinger = true
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_squid_script_anon_write = false
#
# Allow host-key-based authentication
#
allow_ssh_keysign = false
#
# Allow ssh logins as sysadm_r:sysadm_t
#
ssh_sysadm_login = false
#
# Allow ssh to use gpg-agent
#
ssh_use_gpg_agent = false
#
# Determine whether tftp can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
tftp_anon_write = false
#
# Determine whether tftp can manage
# generic user home content.
#
tftp_enable_homedir = false
#
# Determine whether tor can bind
# tcp sockets to all unreserved ports.
#
tor_bind_all_unreserved_ports = false
#
# Determine whether varnishd can
# use the full TCP network.
#
varnishd_connect_any = false
#
# Determine whether confined virtual guests
# can use serial/parallel communication ports.
#
virt_use_comm = false
#
# Determine whether confined virtual guests
# can use executable memory and can make
# their stack executable.
#
virt_use_execmem = false
#
# Determine whether confined virtual guests
# can use fuse file systems.
#
virt_use_fusefs = false
#
# Determine whether confined virtual guests
# can use nfs file systems.
#
virt_use_nfs = false
#
# Determine whether confined virtual guests
# can use cifs file systems.
#
virt_use_samba = false
#
# Determine whether confined virtual guests
# can manage device configuration.
#
virt_use_sysfs = false
#
# Determine whether confined virtual guests
# can use usb devices.
#
virt_use_usb = false
#
# Determine whether confined virtual guests
# can interact with the X server.
#
virt_use_xserver = false
#
# Determine whether confined virtual guests
# can use vfio for PCI device pass-through (VT-d).
#
virt_use_vfio = false
#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_w3c_validator_script_anon_write = false
#
# Allow clients to write to the X server shared
# memory segments.
#
allow_write_xshm = false
#
# Allow xdm logins as sysadm
#
xdm_sysadm_login = false
#
# Use gnome-shell in gdm mode as the
# X Display Manager (XDM)
#
xserver_gnome_xdm = false
#
# Support the X userspace object manager
#
xserver_object_manager = false
#
# Determine whether zabbix can
# connect to all TCP ports.
#
zabbix_can_network = false
#
# Determine whether the zebra daemon can
# manage its configuration files.
#
allow_zebra_write_config = false
#
# Allow users to resolve user passwd entries directly from LDAP rather than using an sssd server
#
authlogin_nsswitch_use_ldap = false
#
# Enable support for upstart as the init program.
#
init_upstart = false
#
# Allow all daemons to read/write terminals.
#
init_daemons_use_tty = false
#
# Allow racoon to read shadow files.
#
racoon_read_shadow = false
#
# Allow the mount command to mount any directory or file.
#
allow_mount_anyfile = false
#
# Enable support for systemd-tmpfiles to manage all non-security files.
#
systemd_tmpfiles_manage_all = false
#
# Allow systemd-nspawn to create a labelled namespace with the same types
# as the parent environment.
#
systemd_nspawn_labeled_namespace = false
#
# Allow users to connect to MySQL
#
allow_user_mysql_connect = false
#
# Allow users to connect to PostgreSQL
#
allow_user_postgresql_connect = false
#
# Allow regular users direct mouse access
#
user_direct_mouse = false
#
# Allow users to read system messages.
#
user_dmesg = false
#
# Allow users to read/write files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false
#
# Allow users to execute files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_exec_noexattrfile = false
#
# Allow users to write files on removable
# devices (e.g. external USB memory
# devices or floppies)
#
user_write_removable = false
#
# Allow the w command to display everyone
#
user_ttyfile_stat = false
#
# Determine whether xend can
# run blktapctrl and tapdisk.
#
xend_run_blktap = false
#
# Determine whether xen can
# use fusefs file systems.
#
xen_use_fusefs = false
#
# Determine whether xen can
# use nfs file systems.
#
xen_use_nfs = false
#
# Determine whether xen can
# use samba file systems.
#
xen_use_samba = false
#
# Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea: it probably indicates a badly coded executable, but could indicate an attack. Such an executable should be reported in bugzilla.
#
allow_execheap = false
#
# Allow unconfined executables to map a memory region as both executable and writable; this is dangerous and the executable should be reported in bugzilla.
#
allow_execmem = false
#
# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t.
#
allow_execmod = false
#
# Allow unconfined executables to make their stack executable. This should never, ever be necessary: it probably indicates a badly coded executable, but could indicate an attack. Such an executable should be reported in bugzilla.
#
allow_execstack = false
#
# Enable polyinstantiated directory support.
#
allow_polyinstantiation = false
#
# Allow the system to run with NIS.
#
allow_ypbind = false
#
# Allow logging in and using the system from /dev/console.
#
console_login = true
#
# Enable reading of urandom for all domains.
#
#
#
#
# This should be enabled when all programs
# are compiled with ProPolice/SSP
# stack-smashing protection. All domains will
# be allowed to read from /dev/urandom.
#
global_ssp = false
#
# Allow the email client to read various content:
# nfs, samba, removable devices, and user temp
# files.
#
mail_read_content = false
#
# Allow any files/directories to be exported read/write via NFS.
#
nfs_export_all_rw = false
#
# Allow any files/directories to be exported read-only via NFS.
#
nfs_export_all_ro = false
#
# Support NFS home directories.
#
use_nfs_home_dirs = false
#
# Support Samba home directories.
#
use_samba_home_dirs = false
#
# Allow users to run TCP servers (bind to ports and accept connections from
# the same domain and outside users). Disabling this forces FTP passive mode
# and may change other protocols.
#
user_tcp_server = false
#
# Allow users to run UDP servers (bind to ports and accept connections from
# the same domain and outside users).
#
user_udp_server = false