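#
# SELinux policy boolean settings.
#
# Format: full-line '#' comments only, one 'name = value' per line, values
# are 'true' or 'false', no [section] headers. Every entry below is a
# policy boolean; the comment above each one describes what enabling it
# permits. The original text had lost its line breaks, which put every
# 'name = value' pair inside a comment; the layout is restored here with
# all names and values unchanged.
#
# Review note: most entries are 'false'. The following are set to 'true'
# in this file and are the ones worth auditing first, since each one
# widens what the named domain may do:
#   qemu_use_cifs, qemu_use_nfs, qemu_use_usb, allow_gssd_read_tmp,
#   spamd_enable_home_dirs, virt_use_usb, xend_run_blktap, xend_run_qemu,
#   xguest_mount_media, xguest_connect_network, xguest_use_bluetooth,
#   sepgsql_enable_users_ddl, sepgsql_unconfined_dbadm, console_login
#

#
# Disable kernel module loading.
#
secure_mode_insmod = false

#
# Boolean to determine whether the system permits loading policy, setting
# enforcing mode, and changing boolean values. Set this to true and you
# have to reboot to set it back.
#
secure_mode_policyload = false

#
# Enabling secure mode disallows programs, such as
# newrole, from transitioning to administrative
# user domains.
#
secure_mode = false

#
# Control users' use of ping and traceroute
#
user_ping = false

#
# Allow Apache to modify public files
# used for public file transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
allow_httpd_anon_write = false

#
# Allow Apache to use mod_auth_pam
#
allow_httpd_mod_auth_pam = false

#
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = false

#
# Allow HTTPD scripts and modules to connect to the network using TCP.
#
httpd_can_network_connect = false

#
# Allow HTTPD scripts and modules to connect to databases over the network.
#
httpd_can_network_connect_db = false

#
# Allow httpd to act as a relay
#
httpd_can_network_relay = false

#
# Allow http daemon to send mail
#
httpd_can_sendmail = false

#
# Allow Apache to communicate with avahi service via dbus
#
httpd_dbus_avahi = false

#
# Allow httpd cgi support
#
httpd_enable_cgi = false

#
# Allow httpd to act as a FTP server by
# listening on the ftp port.
#
httpd_enable_ftp_server = false

#
# Allow httpd to read home directories
#
httpd_enable_homedirs = false

#
# Allow httpd daemon to change its resource limits
#
httpd_setrlimit = false

#
# Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
#
httpd_ssi_exec = false

#
# Unify HTTPD to communicate with the terminal.
# Needed for entering the passphrase for certificates at
# the terminal.
#
httpd_tty_comm = false

#
# Unify HTTPD handling of all content files.
#
httpd_unified = false

#
# Allow httpd to access cifs file systems
#
httpd_use_cifs = false

#
# Allow httpd to run gpg
#
httpd_use_gpg = false

#
# Allow httpd to access nfs file systems
#
httpd_use_nfs = false

#
# Allow BIND to write the master zone files.
# Generally this is used for dynamic DNS or zone transfers.
#
named_write_master_zones = false

#
# Allow cdrecord to read various content:
# nfs, samba, removable devices, user temp
# and untrusted content files
#
cdrecord_read_content = false

#
# Allow clamd to use JIT compiler
#
clamd_use_jit = false

#
# Allow Cobbler to modify public files
# used for public file transfer services.
#
cobbler_anon_write = false

#
# Allow system cron jobs to relabel filesystem
# for restoring file contexts.
#
cron_can_relabel = false

#
# Enable extra rules in the cron domain
# to support fcron.
#
fcron_crond = false

#
# Allow cvs daemon to read shadow
#
allow_cvs_read_shadow = false

#
# Allow dbadm to manage files in users' home directories
#
dbadm_manage_user_files = false

#
# Allow dbadm to read files in users' home directories
#
dbadm_read_user_files = false

#
# Allow DHCP daemon to use LDAP backends
#
dhcpd_use_ldap = false

#
# Allow the use of the audio devices as the source for the entropy feeds
#
entropyd_use_audio = false

#
# Allow exim to connect to databases (postgres, mysql)
#
exim_can_connect_db = false

#
# Allow exim to read unprivileged user files.
#
exim_read_user_files = false

#
# Allow exim to create, read, write, and delete
# unprivileged user files.
#
exim_manage_user_files = false

#
# Allow ftp servers to upload files, used for public file
# transfer services. Directories must be labeled
# public_content_rw_t.
#
allow_ftpd_anon_write = false

#
# Allow ftp servers to login to local users and
# read/write all files on the system, governed by DAC.
#
allow_ftpd_full_access = false

#
# Allow ftp servers to use cifs
# used for public file transfer services.
#
allow_ftpd_use_cifs = false

#
# Allow ftp servers to use nfs
# used for public file transfer services.
#
allow_ftpd_use_nfs = false

#
# Allow ftp to read and write files in the user home directories
#
ftp_home_dir = false

#
# Allow anon internal-sftp to upload files, used for
# public file transfer services. Directories must be labeled
# public_content_rw_t.
#
sftpd_anon_write = false

#
# Allow sftp-internal to read and write files
# in the user home directories
#
sftpd_enable_homedirs = false

#
# Allow sftp-internal to login to local users and
# read/write all files on the system, governed by DAC.
#
sftpd_full_access = false

#
# Determine whether Git CGI
# can search home directories.
#
git_cgi_enable_homedirs = false

#
# Determine whether Git CGI
# can access cifs file systems.
#
git_cgi_use_cifs = false

#
# Determine whether Git CGI
# can access nfs file systems.
#
git_cgi_use_nfs = false

#
# Determine whether calling user domains
# can execute Git daemon in the
# git_session_t domain.
#
git_session_users = false

#
# Determine whether Git session daemons
# can send syslog messages.
#
git_session_send_syslog_msg = false

#
# Determine whether Git system daemon
# can search home directories.
#
git_system_enable_homedirs = false

#
# Determine whether Git system daemon
# can access cifs file systems.
#
git_system_use_cifs = false

#
# Determine whether Git system daemon
# can access nfs file systems.
#
git_system_use_nfs = false

#
# Allow usage of the gpg-agent --write-env-file option.
# This also allows gpg-agent to manage user files.
#
gpg_agent_env_file = false

#
# Allow java executable stack
#
allow_java_execstack = false

#
# Allow confined applications to run with kerberos.
#
allow_kerberos = false

#
# Use lpd server instead of cups
#
use_lpd_server = false

#
# Allow confined web browsers to read home directory content
#
mozilla_read_content = false

#
# Allow mplayer executable stack
#
allow_mplayer_execstack = false

#
# Allow mysqld to connect to all ports
#
mysql_connect_any = false

#
# Allow openvpn to read home directories
#
openvpn_enable_homedirs = false

#
# Allow the portage domains to use NFS mounts (regular nfs_t)
#
portage_use_nfs = false

#
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false

#
# Allow pppd to be run for a regular user
#
pppd_for_user = false

#
# Allow privoxy to connect to all ports, not just
# HTTP, FTP, and Gopher ports.
#
privoxy_connect_any = false

#
# Allow Puppet client to manage all file
# types.
#
puppet_manage_all_files = false

#
# Allow qemu to connect fully to the network
#
qemu_full_network = false

#
# Allow qemu to use cifs/Samba file systems
#
qemu_use_cifs = true

#
# Allow qemu to use serial/parallel communication ports
#
qemu_use_comm = false

#
# Allow qemu to use nfs file systems
#
qemu_use_nfs = true

#
# Allow qemu to use usb devices
#
qemu_use_usb = true

#
# Allow rgmanager domain to connect to the network using TCP.
#
rgmanager_can_network_connect = false

#
# Allow fenced domain to connect to the network using TCP.
#
fenced_can_network_connect = false

#
# Allow gssd to read temp directory. For access to kerberos tgt.
#
allow_gssd_read_tmp = true

#
# Allow nfs servers to modify public files
# used for public file transfer services. Files/Directories must be
# labeled public_content_rw_t.
#
allow_nfsd_anon_write = false

#
# Allow rsync to export any files/directories read only.
#
rsync_export_all_ro = false

#
# Allow rsync to modify public files
# used for public file transfer services. Files/Directories must be
# labeled public_content_rw_t.
#
allow_rsync_anon_write = false

#
# Allow samba to modify public files used for public file
# transfer services. Files/Directories must be labeled
# public_content_rw_t.
#
allow_smbd_anon_write = false

#
# Allow samba to create new home directories (e.g. via PAM)
#
samba_create_home_dirs = false

#
# Allow samba to act as the domain controller, add users,
# groups and change passwords.
#
samba_domain_controller = false

#
# Allow samba to share users' home directories.
#
samba_enable_home_dirs = false

#
# Allow samba to share any file/directory read only.
#
samba_export_all_ro = false

#
# Allow samba to share any file/directory read/write.
#
samba_export_all_rw = false

#
# Allow samba to run unconfined scripts
#
samba_run_unconfined = false

#
# Allow samba to export NFS volumes.
#
samba_share_nfs = false

#
# Allow samba to export ntfs/fusefs volumes.
#
samba_share_fusefs = false

#
# Allow confined virtual guests to manage nfs files
#
sanlock_use_nfs = false

#
# Allow confined virtual guests to manage cifs files
#
sanlock_use_samba = false

#
# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false

#
# Enable additional permissions needed to support
# devices on 3ware controllers.
#
smartmon_3ware = false

#
# Allow user spamassassin clients to use the network.
#
spamassassin_can_network = false

#
# Allow spamd to read/write user home directories.
#
spamd_enable_home_dirs = true

#
# Allow squid to connect to all ports, not just
# HTTP, FTP, and Gopher ports.
#
squid_connect_any = false

#
# Allow squid to run as a transparent proxy (TPROXY)
#
squid_use_tproxy = false

#
# Allow the Telepathy connection managers
# to connect to any generic TCP port.
#
telepathy_tcp_connect_generic_network_ports = false

#
# Allow the Telepathy connection managers
# to connect to any network port.
#
telepathy_connect_all_ports = false

#
# Allow tftp to modify public files
# used for public file transfer services.
#
tftp_anon_write = false

#
# Allow tor daemon to bind
# tcp sockets to all unreserved ports.
#
tor_bind_all_unreserved_ports = false

#
# Allow varnishd to connect to all ports,
# not just HTTP.
#
varnishd_connect_any = false

#
# Ignore vbetool mmap_zero errors.
#
vbetool_mmap_zero_ignore = false

#
# Allow virt to use serial/parallel communication ports
#
virt_use_comm = false

#
# Allow virt to read fuse files
#
virt_use_fusefs = false

#
# Allow virt to manage nfs files
#
virt_use_nfs = false

#
# Allow virt to manage cifs files
#
virt_use_samba = false

#
# Allow virt to manage device configuration (pci)
#
virt_use_sysfs = false

#
# Allow virt to use usb devices
#
virt_use_usb = true

#
# Allow webadm to manage files in users' home directories
#
webadm_manage_user_files = false

#
# Allow webadm to read files in users' home directories
#
webadm_read_user_files = false

#
# Ignore wine mmap_zero errors.
#
wine_mmap_zero_ignore = false

#
# Allow xend to run blktapctrl/tapdisk.
# Not required if using dedicated logical volumes for disk images.
#
xend_run_blktap = true

#
# Allow xend to run qemu-dm.
# Not required if using paravirt and no vfb.
#
xend_run_qemu = true

#
# Allow xen to manage nfs files
#
xen_use_nfs = false

#
# Allow xguest users to mount removable media
#
xguest_mount_media = true

#
# Allow xguest to configure Network Manager
#
xguest_connect_network = true

#
# Allow xguest to use bluetooth devices
#
xguest_use_bluetooth = true

#
# Allow zebra daemon to write its configuration files
#
allow_zebra_write_config = false

#
# Control the ability to mmap a low area of the address space,
# as configured by /proc/sys/kernel/mmap_min_addr.
#
mmap_low_allowed = false

#
# Allow sysadm to debug or ptrace all processes.
#
allow_ptrace = false

#
# Allow unprivileged users to execute DDL statements
#
sepgsql_enable_users_ddl = true

#
# Allow transmit of client label to foreign database
#
sepgsql_transmit_client_label = false

#
# Allow database admins to execute DML statements
#
sepgsql_unconfined_dbadm = true

#
# Allow host key based authentication
#
allow_ssh_keysign = false

#
# Allow ssh logins as sysadm_r:sysadm_t
#
ssh_sysadm_login = false

#
# Allow clients to write to the X server shared
# memory segments.
#
allow_write_xshm = false

#
# Allow xdm logins as sysadm
#
xdm_sysadm_login = false

#
# Support X userspace object manager
#
xserver_object_manager = false

#
# Allow users to resolve user passwd entries directly from ldap rather than using a sssd server
#
authlogin_nsswitch_use_ldap = false

#
# Enable support for upstart as the init program.
#
init_upstart = false

#
# Allow racoon to read shadow
#
racoon_read_shadow = false

#
# Allow the mount command to mount any directory or file.
#
allow_mount_anyfile = false

#
# Allow users to connect to mysql
#
allow_user_mysql_connect = false

#
# Allow users to connect to PostgreSQL
#
allow_user_postgresql_connect = false

#
# Allow regular users direct mouse access
#
user_direct_mouse = false

#
# Allow users to read system messages.
#
user_dmesg = false

#
# Allow users to r/w files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false

#
# Allow w to display everyone
#
user_ttyfile_stat = false

#
# Allow unconfined executables to make their heap memory executable.
# Doing this is a really bad idea. Probably indicates a badly coded
# executable, but could indicate an attack. This executable should be
# reported in bugzilla.
#
allow_execheap = false

#
# Allow unconfined executables to map a memory region as both executable
# and writable. This is dangerous and the executable should be reported
# in bugzilla.
#
allow_execmem = false

#
# Allow all unconfined executables to use libraries requiring text
# relocation that are not labeled textrel_shlib_t.
#
allow_execmod = false

#
# Allow unconfined executables to make their stack executable. This
# should never, ever be necessary. Probably indicates a badly coded
# executable, but could indicate an attack. This executable should be
# reported in bugzilla.
#
allow_execstack = false

#
# Enable polyinstantiated directory support.
#
allow_polyinstantiation = false

#
# Allow system to run with NIS
#
allow_ypbind = false

#
# Allow logging in and using the system from /dev/console.
#
console_login = true

#
# Enable reading of urandom for all domains.
#
# This should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection. All domains will
# be allowed to read from /dev/urandom.
#
global_ssp = false

#
# Allow email clients to read various content:
# nfs, samba, removable devices, and user temp
# files
#
mail_read_content = false

#
# Allow any files/directories to be exported read/write via NFS.
#
nfs_export_all_rw = false

#
# Allow any files/directories to be exported read/only via NFS.
#
nfs_export_all_ro = false

#
# Support NFS home directories
#
use_nfs_home_dirs = false

#
# Support SAMBA home directories
#
use_samba_home_dirs = false

#
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users). Disabling this forces FTP passive mode
# and may change other protocols.
#
user_tcp_server = false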