# # Disable kernel module loading. # secure_mode_insmod = false # # Boolean to determine whether the system permits loading policy, and setting # enforcing mode. Set this to true and you have to reboot to set it back. # secure_mode_policyload = false # # Boolean to determine whether the system permits setting Booelan values. # secure_mode_setbool = false # # Enabling secure mode disallows programs, such as # newrole, from transitioning to administrative # user domains. # secure_mode = false # # Control if AIDE can mmap files. # AIDE can be compiled with the option 'with-mmap' in which case it will # attempt to mmap files while running. # aide_mmap_files = false # # Grant the firstboot domains read access to generic user content # firstboot_read_generic_user_content = true # # Grant the firstboot domains read access to all user content # firstboot_read_all_user_content = false # # Grant the firstboot domains manage rights on generic user content # firstboot_manage_generic_user_content = false # # Grant the firstboot domains manage rights on all user content # firstboot_manage_all_user_content = false # # Determine whether logrotate can manage # audit log files # logrotate_manage_audit_log = false # # Determine whether logwatch can connect # to mail over the network. # logwatch_can_network_connect_mail = false # # Determine whether mcelog supports # client mode. # mcelog_client = false # # Determine whether mcelog can execute scripts. # mcelog_exec_scripts = true # # Determine whether mcelog can use all # the user ttys. # mcelog_foreground = false # # Determine whether mcelog supports # server mode. # mcelog_server = false # # Determine whether mcelog can use syslog. # mcelog_syslog = false # # Control users use of ping and traceroute # user_ping = false # # Determine whether portage can # use nfs filesystems. # portage_use_nfs = false # # Determine whether portage domains can read user content. 
# This is for non-portage_t domains as portage_t can manage the entire file system. # portage_read_user_content = false # # Determine whether portage can mount file systems (used to mount /boot for instance). # portage_mount_fs = false # # Extra rules which are sometimes needed when FEATURES=test is enabled # portage_enable_test = false # # Determine whether puppet can # manage all non-security files. # puppet_manage_all_files = false # # Determine whether rkhunter can connect # to http ports. This is required by the # --update option. # rkhunter_connect_http = false # # Determine whether the user application exec # domain attribute should be respected for # shutdown access. If not enabled, only user # domains themselves may use shutdown. # shutdown_allow_user_exec_domains = false # # Determine whether the user application # exec domain attribute should be respected # for su access. If not enabled, only user # domains themselves may use su. # su_allow_user_exec_domains = false # # Determine whether all sudo domains # can connect to TCP HTTP ports. This # is needed if an additional authentication # mechanism via an HTTP server is # required for users to use sudo. # sudo_all_tcp_connect_http_port = false # # Determine whether the user application exec # domain attribute should be respected for sudo # access. If not enabled, only user domains # themselves may use sudo. # sudo_allow_user_exec_domains = false # # Determine whether authorized users can control the daemon, # which requires usbguard-daemon to be able modify its rules in # /etc/usbguard. # usbguard_user_modify_rule_files = false # # Determine whether attempts by # vbetool to mmap low regions should # be silently blocked. # vbetool_mmap_zero_ignore = false # # Determine whether awstats can # purge httpd log files. # awstats_purge_apache_log_files = false # # Determine whether the script domain can # modify public files used for public file # transfer services. 
Directories/Files must # be labeled public_content_rw_t. # allow_httpd_awstats_script_anon_write = false # # Determine whether cdrecord can read # various content. nfs, samba, removable # devices, user temp and untrusted # content files # cdrecord_read_content = false # # Allow chromium to access direct rendering interface # # # # # Needed for good performance on complex sites # chromium_dri = true # # Allow chromium to read system information # # # # # Although not needed for regular browsing, this will allow chromium to update # its own memory consumption based on system state, support additional # debugging, detect specific devices, etc. # chromium_read_system_info = false # # Allow chromium to bind to tcp ports # # # # # Although not needed for regular browsing, some chrome extensions need to # bind to tcp ports and accept connections. # chromium_bind_tcp_unreserved_ports = false # # Allow chromium to read/write USB devices # # # # # Although not needed for regular browsing, used for debugging over usb # or using FIDO U2F tokens. 
# chromium_rw_usb_dev = false # # Grant the chromium domains read access to generic user content # chromium_read_generic_user_content = true # # Grant the chromium domains read access to all user content # chromium_read_all_user_content = false # # Grant the chromium domains manage rights on generic user content # chromium_manage_generic_user_content = false # # Grant the chromium domains manage rights on all user content # chromium_manage_all_user_content = false # # Grant the cryfs domains read access to generic user content # cryfs_read_generic_user_content = true # # Grant the cryfs domains read access to all user content # cryfs_read_all_user_content = false # # Grant the cryfs domains manage rights on generic user content # cryfs_manage_generic_user_content = false # # Grant the cryfs domains manage rights on all user content # cryfs_manage_all_user_content = false # # Allow evolution to create and write # user certificates in addition to # being able to read them # evolution_manage_user_certs = false # # Grant the evolution domains read access to generic user content # evolution_read_generic_user_content = true # # Grant the evolution domains read access to all user content # evolution_read_all_user_content = false # # Grant the evolution domains manage rights on generic user content # evolution_manage_generic_user_content = false # # Grant the evolution domains manage rights on all user content # evolution_manage_all_user_content = false # # Determine whether Gitosis can send mail. # gitosis_can_sendmail = false # # Determine whether GPG agent can manage # generic user home content files. This is # required by the --write-env-file option. 
# gpg_agent_env_file = false # # Determine whether GPG agent can use OpenPGP # cards or Yubikeys over USB # gpg_agent_use_card = false # # Grant the gpg domains read access to generic user content # gpg_read_generic_user_content = true # # Grant the gpg domains read access to all user content # gpg_read_all_user_content = false # # Grant the gpg domains manage rights on generic user content # gpg_manage_generic_user_content = false # # Grant the gpg domains manage rights on all user content # gpg_manage_all_user_content = false # # Determine whether irc clients can # listen on and connect to any # unreserved TCP ports. # irc_use_any_tcp_ports = false # # Grant the irc domains read access to generic user content # irc_read_generic_user_content = true # # Grant the irc domains read access to all user content # irc_read_all_user_content = false # # Grant the irc domains manage rights on generic user content # irc_manage_generic_user_content = false # # Grant the irc domains manage rights on all user content # irc_manage_all_user_content = false # # Determine whether java can make # its stack executable. # allow_java_execstack = false # # Grant the java domains read access to generic user content # java_read_generic_user_content = true # # Grant the java domains read access to all user content # java_read_all_user_content = false # # Grant the java domains manage rights on generic user content # java_manage_generic_user_content = false # # Grant the java domains manage rights on all user content # java_manage_all_user_content = false # # Determine whether libmtp can read # and manage the user home directories # and files. # libmtp_enable_home_dirs = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. 
# allow_httpd_lightsquid_script_anon_write = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_man2html_script_anon_write = false # # Determine whether mozilla can # make its stack executable. # mozilla_execstack = false # # Grant the mozilla domains read access to generic user content # mozilla_read_generic_user_content = true # # Grant the mozilla domains read access to all user content # mozilla_read_all_user_content = false # # Grant the mozilla domains manage rights on generic user content # mozilla_manage_generic_user_content = false # # Grant the mozilla domains manage rights on all user content # mozilla_manage_all_user_content = false # # Determine whether mozilla firefox can bind TCP sockets to all # unreserved ports (for instance used with various Proxy # management extensions). # mozilla_bind_all_unreserved_ports = false # # Determine whether mozilla firefox plugins can connect to # unreserved ports (for instance when dealing with Google Talk) # mozilla_plugin_connect_all_unreserved = false # # Determine whether mplayer can make # its stack executable. 
# allow_mplayer_execstack = false # # Grant the mplayer_mencoder domains read access to generic user content # mplayer_mencoder_read_generic_user_content = true # # Grant the mplayer_mencoder domains read access to all user content # mplayer_mencoder_read_all_user_content = false # # Grant the mplayer_mencoder domains manage rights on generic user content # mplayer_mencoder_manage_generic_user_content = false # # Grant the mplayer_mencoder domains manage rights on all user content # mplayer_mencoder_manage_all_user_content = false # # Grant the mplayer domains read access to generic user content # mplayer_read_generic_user_content = true # # Grant the mplayer domains read access to all user content # mplayer_read_all_user_content = false # # Grant the mplayer domains manage rights on generic user content # mplayer_manage_generic_user_content = false # # Grant the mplayer domains manage rights on all user content # mplayer_manage_all_user_content = false # # Determine whether openoffice can # download software updates from the # network (application and/or # extensions). # openoffice_allow_update = true # # Determine whether openoffice writer # can send emails directly (print to # email). This is different from the # functionality of sending emails # through external clients which is # always enabled. # openoffice_allow_email = false # # Grant the openoffice domains read access to generic user content # openoffice_read_generic_user_content = true # # Grant the openoffice domains read access to all user content # openoffice_read_all_user_content = false # # Grant the openoffice domains manage rights on generic user content # openoffice_manage_generic_user_content = false # # Grant the openoffice domains manage rights on all user content # openoffice_manage_all_user_content = false # # Allow pulseaudio to execute code in # writable memory # pulseaudio_execmem = false # # Determine whether pulseaudio # can use the network. 
# pulseaudio_can_network = false # # Determine whether qemu has full # access to the network. # qemu_full_network = false # # Grant the syncthing domains read access to generic user content # syncthing_read_generic_user_content = true # # Grant the syncthing domains read access to all user content # syncthing_read_all_user_content = false # # Grant the syncthing domains manage rights on generic user content # syncthing_manage_generic_user_content = false # # Grant the syncthing domains manage rights on all user content # syncthing_manage_all_user_content = false # # Determine whether telepathy connection # managers can connect to generic tcp ports. # telepathy_tcp_connect_generic_network_ports = false # # Determine whether telepathy connection # managers can connect to any port. # telepathy_connect_all_ports = false # # Grant the thunderbird domains read access to generic user content # thunderbird_read_generic_user_content = true # # Grant the thunderbird domains read access to all user content # thunderbird_read_all_user_content = false # # Grant the thunderbird domains manage rights on generic user content # thunderbird_manage_generic_user_content = false # # Grant the thunderbird domains manage rights on all user content # thunderbird_manage_all_user_content = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_webalizer_script_anon_write = false # # Determine whether attempts by # wine to mmap low regions should # be silently blocked. 
# wine_mmap_zero_ignore = false # # Grant the wireshark domains read access to generic user content # wireshark_read_generic_user_content = true # # Grant the wireshark domains read access to all user content # wireshark_read_all_user_content = false # # Grant the wireshark domains manage rights on generic user content # wireshark_manage_generic_user_content = false # # Grant the wireshark domains manage rights on all user content # wireshark_manage_all_user_content = false # # Grant the xscreensaver domains read access to generic user content # xscreensaver_read_generic_user_content = true # # Determine whether the bitcoin daemon can bind # to all unreserved ports or not. # bitcoin_bind_all_unreserved_ports = false # # Determine whether dropbox can bind to # local tcp and udp ports. # Required for Dropbox' LAN Sync feature # dropbox_bind_port = false # # Grant the dropbox domains read access to generic user content # dropbox_read_generic_user_content = true # # Grant the dropbox domains read access to all user content # dropbox_read_all_user_content = false # # Grant the dropbox domains manage rights on generic user content # dropbox_manage_generic_user_content = false # # Grant the dropbox domains manage rights on all user content # dropbox_manage_all_user_content = false # # Allow KDEConnect to read user home files # kdeconnect_read_user_files = true # # Allow links to manage files in users home directories (download files) # links_manage_user_files = false # # Grant the mutt domains read access to generic user content # mutt_read_generic_user_content = true # # Grant the mutt domains read access to all user content # mutt_read_all_user_content = false # # Grant the mutt domains manage rights on generic user content # mutt_manage_generic_user_content = false # # Grant the mutt domains manage rights on all user content # mutt_manage_all_user_content = false # # Allow nginx to serve HTTP content (act as an http server) # nginx_enable_http_server = false # # Allow 
nginx to act as an imap proxy server) # nginx_enable_imap_server = false # # Allow nginx to act as a pop3 server) # nginx_enable_pop3_server = false # # Allow nginx to act as an smtp server) # nginx_enable_smtp_server = false # # Allow nginx to connect to remote HTTP servers # nginx_can_network_connect_http = false # # Allow nginx to connect to remote servers (regardless of protocol) # nginx_can_network_connect = false # # Be able to manage user files (needed to support sending and downloading # attachments). Without this boolean set, only files marked as pan_home_t # can be used for sending and receiving. # pan_manage_user_content = false # # Allow phpfpm to use LDAP services # phpfpm_use_ldap = false # # Allow phpfpm to send syslog messages # phpfpm_send_syslog_msg = false # # Allow phpfpm to execute shells. This # is needed by some webapps. # phpfpm_exec_shell = false # # Allow phpfpm to connect to http ports. # phpfpm_connect_http = false # # Allow phpfpm to connect to pop ports. # phpfpm_connect_pop = false # # Allow phpfpm to connect to redis ports. # phpfpm_connect_redis = false # # Allow phpfpm to connect to sieve ports. # phpfpm_connect_sieve = false # # Allow phpfpm to connect to smtp ports. # phpfpm_connect_smtp = false # # Allow rtorrent to use dht. # The correspondig port must be rtorrent_udp_port_t. # rtorrent_use_dht = true # # Allow rtorrent to use rsync, for example in a hook. # rtorrent_use_rsync = false # # Determine wether the salt master can read NFS files # salt_master_read_nfs = false # # Determine wether the salt minion can manage NFS files # salt_minion_manage_nfs = false # # Be able to manage user files (needed to support sending and receiving files). # Without this boolean set, only files marked as skype_home_t can be used for # sending and receiving. # skype_manage_user_content = false # # Control the ability to mmap a low area of the address space, # as configured by /proc/sys/kernel/mmap_min_addr. 
# mmap_low_allowed = false # # Determine whether dbadm can manage # generic user files. # dbadm_manage_user_files = false # # Determine whether dbadm can read # generic user files. # dbadm_read_user_files = false # # Determine whether guest can # configure network manager. # guest_connect_network = false # # Determine whether webadm can # manage generic user files. # webadm_manage_user_files = false # # Determine whether webadm can # read generic user files. # webadm_read_user_files = false # # Determine whether xguest can # mount removable media. # xguest_mount_media = false # # Determine whether xguest can # configure network manager. # xguest_connect_network = false # # Determine whether xguest can # use blue tooth devices. # xguest_use_bluetooth = false # # Determine whether ABRT can modify # public files used for public file # transfer services. # abrt_anon_write = false # # Determine whether abrt-handle-upload # can modify public files used for public file # transfer services in /var/spool/abrt-upload/. # abrt_upload_watch_anon_write = true # # Determine whether ABRT can run in # the abrt_handle_event_t domain to # handle ABRT event scripts. # abrt_handle_event = false # # Determine whether amavis can # use JIT compiler. # amavis_use_jit = false # # Determine whether httpd can modify # public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_anon_write = false # # Determine whether httpd can use mod_auth_pam. # allow_httpd_mod_auth_pam = false # # Determine whether httpd can use built in scripting. # httpd_builtin_scripting = false # # Determine whether httpd can check spam. # httpd_can_check_spam = false # # Determine whether httpd scripts and modules # can connect to the network using TCP. # httpd_can_network_connect = false # # Determine whether httpd scripts and modules # can connect to cobbler over the network. 
# httpd_can_network_connect_cobbler = false # # Determine whether scripts and modules can # connect to databases over the network. # httpd_can_network_connect_db = false # # Determine whether httpd can connect to # ldap over the network. # httpd_can_network_connect_ldap = false # # Determine whether httpd can connect # to memcache server over the network. # httpd_can_network_connect_memcache = false # # Determine whether httpd can act as a relay. # httpd_can_network_relay = false # # Determine whether httpd daemon can # connect to zabbix over the network. # httpd_can_network_connect_zabbix = false # # Determine whether httpd can send mail. # httpd_can_sendmail = false # # Determine whether httpd can communicate # with avahi service via dbus. # httpd_dbus_avahi = false # # Determine whether httpd can use support. # httpd_enable_cgi = false # # Determine whether httpd can act as a # FTP server by listening on the ftp port. # httpd_enable_ftp_server = false # # Determine whether httpd can traverse # user home directories. # httpd_enable_homedirs = false # # Determine whether httpd gpg can modify # public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # httpd_gpg_anon_write = false # # Determine whether httpd can execute # its temporary content. # httpd_tmp_exec = false # # Determine whether httpd scripts and # modules can use execmem and execstack. # httpd_execmem = false # # Determine whether httpd can connect # to port 80 for graceful shutdown. # httpd_graceful_shutdown = false # # Determine whether httpd can # manage IPA content files. # httpd_manage_ipa = false # # Determine whether httpd can use mod_auth_ntlm_winbind. # httpd_mod_auth_ntlm_winbind = false # # Determine whether httpd can read # generic user home content files. # httpd_read_user_content = false # # Determine whether httpd can change # its resource limits. 
# httpd_setrlimit = false # # Determine whether httpd can run # SSI executables in the same domain # as system CGI scripts. # httpd_ssi_exec = false # # Determine whether httpd can communicate # with the terminal. Needed for entering the # passphrase for certificates at the terminal. # httpd_tty_comm = false # # Determine whether httpd can have full access # to its content types. # httpd_unified = false # # Determine whether httpd can use # cifs file systems. # httpd_use_cifs = false # # Determine whether httpd can # use fuse file systems. # httpd_use_fusefs = false # # Determine whether httpd can use gpg. # httpd_use_gpg = false # # Determine whether httpd can use # nfs file systems. # httpd_use_nfs = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_sys_script_anon_write = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_user_script_anon_write = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_unconfined_script_anon_write = false # # Enable specific permissions for the Hiawatha web server # hiawatha_httpd = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_apcupsd_cgi_script_anon_write = false # # Determine whether Bind can bind tcp socket to http ports. # named_tcp_bind_http_port = false # # Determine whether Bind can write to master zone files. # Generally this is used for dynamic DNS or zone transfers. # named_write_master_zones = false # # Determine whether boinc can execmem/execstack. 
# boinc_execmem = true # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_bugzilla_script_anon_write = false # # Determine whether additional rules # should be enabled to support acme.sh # certbot_acmesh = false # # Determine whether chronyd can access NIC hardware # timestamping features # chronyd_hwtimestamp = false # # Determine whether clamscan can # read user content files. # clamav_read_user_content_files_clamscan = false # # Determine whether clamscan can read # all non-security files. # clamav_read_all_non_security_files_clamscan = false # # Determine whether can clamd use JIT compiler. # clamd_use_jit = false # # Determine whether Cobbler can modify # public files used for public file # transfer services. # cobbler_anon_write = false # # Determine whether Cobbler can connect # to the network using TCP. # cobbler_can_network_connect = false # # Determine whether Cobbler can access # cifs file systems. # cobbler_use_cifs = false # # Determine whether Cobbler can access # nfs file systems. # cobbler_use_nfs = false # # Determine whether collectd can connect # to the network using TCP. # collectd_tcp_network_connect = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_collectd_script_anon_write = false # # Determine whether Condor can connect # to the network using TCP. # condor_tcp_network_connect = false # # Allow containers to manage cgroups. # This is required for systemd to run inside # containers. # container_manage_cgroup = false # # Allow container engines to mount on all non-security files. # container_mounton_non_security = false # # Allow containers to manage all read-writable public content. # container_manage_public_content = false # # Allow containers to read all public content. 
# container_read_public_content = false # # Allow super privileged containers to create NFS servers. # container_spc_create_nfs_servers = false # # Allow super privileged containers to use tun-tap devices. # container_spc_use_tun_tap_dev = false # # Allow containers to use direct rendering devices. # container_use_dri = false # # Allow containers to use eCryptfs filesystems. # container_use_ecryptfs = false # # Allow containers to use all capabilities in a # non-namespaced context for various privileged operations # directly on the host. # container_use_host_all_caps = false # # Allow containers to use huge pages. # container_use_hugetlbfs = false # # Allow containers to use the mknod syscall, e.g. for # creating special device files. # container_use_mknod = false # # Allow containers to use NFS filesystems. # container_use_nfs = false # # Allow containers to use CIFS filesystems. # container_use_samba = false # # Allow containers to use the sysadmin capability, e.g. # for mounting filesystems. # container_use_sysadmin = false # # Allow containers to use all capabilities in a # namespaced context for various privileged operations # within the container itself. # container_use_userns_all_caps = false # # Allow containers to use the mknod syscall in a # namespaced context, e.g. for creating special device # files within the container itself. # container_use_userns_mknod = false # # Allow containers to use the sysadmin capability in a # namespaced context, e.g. for mounting filesystems # within the container itself. # container_use_userns_sysadmin = false # # Determine whether system cron jobs # can relabel filesystem for # restoring file contexts. # cron_can_relabel = false # # Determine whether crond can execute jobs # in the user domain as opposed to the # the generic cronjob domain. # cron_userdomain_transition = false # # Determine whether extra rules # should be enabled to support fcron. 
# fcron_crond = false # # Grant the cron domains read access to generic user content # cron_read_generic_user_content = true # # Grant the cron domains read access to all user content # cron_read_all_user_content = false # # Grant the cron domains manage rights on generic user content # cron_manage_generic_user_content = false # # Grant the cron domains manage rights on all user content # cron_manage_all_user_content = false # # Determine whether cvs can read shadow # password files. # allow_cvs_read_shadow = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_cvs_script_anon_write = false # # Determine whether the dbus server # can use the network (insecure # except than in the case of the # loopback interface). # dbus_can_network = false # # Allow dbus-daemon system bus to access /dev/net/tun # which is needed to pass tun/tap device file descriptors # over D-Bus. This is needed by openvpn3-linux. # dbus_pass_tuntap_fd = false # # Allow dbus-daemon system bus to to run systemd transient # units. This is used by dbus-broker for dbus-activated # services when the unit file for the service does not exist. # dbus_broker_run_transient_units = false # # Enable additional rules to support using dbus-broker # as the dbus-daemon system bus. # dbus_broker_system_bus = false # # Determine whether DHCP daemon # can use LDAP backends. # dhcpd_use_ldap = false # # Determine whether dovecot can connect to # databases. # dovecot_can_connect_db = false # # Determine whether entropyd can use # audio devices as the source for # the entropy feeds. # entropyd_use_audio = false # # Determine whether exim can connect to # databases. # exim_can_connect_db = false # # Determine whether exim can read generic # user content files. # exim_read_user_files = false # # Determine whether exim can create, # read, write, and delete generic user # content files. 
# exim_manage_user_files = false # # Determine whether ftpd can modify # public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_ftpd_anon_write = false # # Determine whether ftpd can login to # local users and can read and write # all files on the system, governed by DAC. # allow_ftpd_full_access = false # # Determine whether ftpd can use CIFS # used for public file transfer services. # allow_ftpd_use_cifs = false # # Determine whether ftpd can use NFS # used for public file transfer services. # allow_ftpd_use_nfs = false # # Determine whether ftpd can connect to # databases over the TCP network. # ftpd_connect_db = false # # Determine whether ftpd can bind to all # unreserved ports for passive mode. # ftpd_use_passive_mode = false # # Determine whether ftpd can connect to # all unreserved ports. # ftpd_connect_all_unreserved = false # # Determine whether ftpd can read and write # files in user home directories. # ftp_home_dir = false # # Determine whether sftpd can modify # public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # sftpd_anon_write = false # # Determine whether sftpd-can read and write # files in user home directories. # sftpd_enable_homedirs = false # # Determine whether sftpd-can login to # local users and read and write all # files on the system, governed by DAC. # sftpd_full_access = false # # Determine whether sftpd can read and write # files in user ssh home directories. # sftpd_write_ssh_home = false # # Determine whether Git CGI # can search home directories. # git_cgi_enable_homedirs = false # # Determine whether Git CGI # can access cifs file systems. # git_cgi_use_cifs = false # # Determine whether Git CGI # can access nfs file systems. # git_cgi_use_nfs = false # # Determine whether Git session daemon # can bind TCP sockets to all # unreserved ports. 
# git_session_bind_all_unreserved_ports = false # # Determine whether calling user domains # can execute Git daemon in the # git_session_t domain. # git_session_users = false # # Determine whether Git session daemons # can send syslog messages. # git_session_send_syslog_msg = false # # Determine whether Git system daemon # can search home directories. # git_system_enable_homedirs = false # # Determine whether Git system daemon # can access cifs file systems. # git_system_use_cifs = false # # Determine whether Git system daemon # can access nfs file systems. # git_system_use_nfs = false # # Determine whether Git client domains # can manage all user home content, # including application-specific data. # git_client_manage_all_user_home_content = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. # allow_httpd_git_script_anon_write = false # # Allow the gluster daemon to automatically # add and remove file contexts from the local # SELinux policy when adding and removing # bricks. # glusterfs_modify_policy = false # # Grant the i18n_input domains read access to generic user content # i18n_input_read_generic_user_content = true # # Determine whether icecast can listen # on and connect to any TCP port. # icecast_use_any_tcp_ports = false # # Determine whether kerberos is supported. # allow_kerberos = false # # Determine whether to support lpd server. # use_lpd_server = false # # Determine whether Matrixd is allowed to federate # (bind all UDP ports and connect to all TCP ports). # matrix_allow_federation = true # # Determine whether Matrixd can connect to the Postgres database. # matrix_postgresql_connect = false # # Determine whether the script domain can # modify public files used for public file # transfer services. Directories/Files must # be labeled public_content_rw_t. 
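# allow_httpd_mediawiki_script_anon_write = false

#
# Determine whether minidlna can read generic user content.
#
# minidlna_read_generic_user_content = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# allow_httpd_mojomojo_script_anon_write = false

#
# Allow monit to start/stop services
#
# monit_startstop_services = false

#
# Determine whether mpd can traverse
# user home directories.
#
# mpd_enable_homedirs = false

#
# Determine whether mpd can use
# cifs file systems.
#
# mpd_use_cifs = false

#
# Determine whether mpd can use
# nfs file systems.
#
# mpd_use_nfs = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# allow_httpd_munin_script_anon_write = false

#
# Determine whether mysqld can
# connect to all TCP ports.
#
# mysql_connect_any = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# allow_httpd_nagios_script_anon_write = false

#
# Determine whether confined applications
# can use nscd shared memory.
#
# nscd_use_shm = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# allow_httpd_nutups_cgi_script_anon_write = false

#
# Determine whether obfs4proxy can bind
# tcp sockets to all unreserved ports.
#
# obfs4proxy_bind_all_unreserved_ports = false

#
# Determine whether obfs4proxy can bind
# tcp sockets to all http ports.
#
# obfs4proxy_bind_http_ports = false

#
# Determine whether openvpn can
# read generic user home content files.
#
# openvpn_enable_homedirs = false

#
# Determine whether openvpn can
# connect to the TCP network.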
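# openvpn_can_network_connect = false

#
# Allow pacemaker to start/stop services
#
# pacemaker_startstop_all_services = false

#
# Determine whether postfix local
# can manage mail spool content.
#
# postfix_local_write_mail_spool = true

#
# Grant the postfix domains read access to generic user content
#
# postfix_read_generic_user_content = true

#
# Grant the postfix domains read access to all user content
#
# postfix_read_all_user_content = false

#
# Grant the postfix domains manage rights on generic user content
#
# postfix_manage_generic_user_content = false

#
# Grant the postfix domains manage rights on all user content
#
# postfix_manage_all_user_content = false

#
# Allow unprivileged users to execute DDL statements
#
# sepgsql_enable_users_ddl = false

#
# Allow transmitting the client label to a foreign database
#
# sepgsql_transmit_client_label = false

#
# Allow database admins to execute DML statements
#
# sepgsql_unconfined_dbadm = false

#
# Determine whether pppd can
# load kernel modules.
#
# pppd_can_insmod = false

#
# Determine whether common users can
# run pppd with a domain transition.
#
# pppd_for_user = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# allow_httpd_prewikka_script_anon_write = false

#
# Determine whether privoxy can
# connect to all tcp ports.
#
# privoxy_connect_any = false

#
# Determine whether gssd can read
# generic user temporary content.
#
# allow_gssd_read_tmp = false

#
# Determine whether gssd can write
# generic user temporary content.
#
# allow_gssd_write_tmp = false

#
# Determine whether nfs can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# allow_nfsd_anon_write = false

#
# Determine whether rsync can use
# cifs file systems.
#
# rsync_use_cifs = false

#
# Determine whether rsync can
# use fuse file systems.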
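# rsync_use_fusefs = false

#
# Determine whether rsync can use
# nfs file systems.
#
# rsync_use_nfs = false

#
# Determine whether rsync can
# run as a client
#
# rsync_client = false

#
# Determine whether rsync can
# export all content read only.
#
# rsync_export_all_ro = false

#
# Determine whether rsync can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# allow_rsync_anon_write = false

#
# Determine whether smbd_t can
# read shadow files.
#
# samba_read_shadow = false

#
# Determine whether samba can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# allow_smbd_anon_write = false

#
# Determine whether samba can
# create home directories via pam.
#
# samba_create_home_dirs = false

#
# Determine whether samba can act as the
# domain controller, add users, groups
# and change passwords.
#
# samba_domain_controller = false

#
# Determine whether samba can
# act as a portmapper.
#
# samba_portmapper = false

#
# Determine whether samba can share
# users' home directories.
#
# samba_enable_home_dirs = false

#
# Determine whether samba can share
# any content read only.
#
# samba_export_all_ro = false

#
# Determine whether samba can share any
# content readable and writable.
#
# samba_export_all_rw = false

#
# Determine whether samba can
# run unconfined scripts.
#
# samba_run_unconfined = false

#
# Determine whether samba can
# use nfs file systems.
#
# samba_share_nfs = false

#
# Determine whether samba can
# use fuse file systems.
#
# samba_share_fusefs = false

#
# Determine whether sanlock can use
# nfs file systems.
#
# sanlock_use_nfs = false

#
# Determine whether sanlock can use
# cifs file systems.
#
# sanlock_use_samba = false

#
# Determine whether sasl can
# read shadow files.
#
# allow_saslauthd_read_shadow = false

#
# Determine whether smartmon can support
# devices on 3ware controllers.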
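# smartmon_3ware = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# allow_httpd_smokeping_cgi_script_anon_write = false

#
# Determine whether spamassassin
# daemon or clients can use the
# network.
#
# spamassassin_can_network = false

#
# Determine whether spamd can manage
# generic user home content.
#
# spamd_enable_home_dirs = false

#
# Determine whether spamassassin
# can update the rules using the
# network.
#
# spamassassin_network_update = true

#
# Determine whether extra rules should
# be enabled to support rspamd.
#
# rspamd_spamd = false

#
# Determine whether execmem should be allowed.
# Needed if LUA JIT is enabled for rspamd.
#
# spamd_execmem = false

#
# Determine whether squid can
# connect to all TCP ports.
#
# squid_connect_any = false

#
# Determine whether squid can run
# as a transparent proxy.
#
# squid_use_tproxy = false

#
# Determine whether squid can use the
# pinger daemon (needs raw net access)
#
# squid_use_pinger = true

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# allow_httpd_squid_script_anon_write = false

#
# Allow host key based authentication
#
# allow_ssh_keysign = false

#
# Allow ssh logins as sysadm_r:sysadm_t
#
# ssh_sysadm_login = false

#
# Allow ssh to use gpg-agent
#
# ssh_use_gpg_agent = false

#
# Determine whether tftp can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
#
# tftp_anon_write = false

#
# Determine whether tftp can manage
# generic user home content.
#
# tftp_enable_homedir = false

#
# Determine whether tor can bind
# tcp sockets to all unreserved ports.
#
# tor_bind_all_unreserved_ports = false

#
# Determine whether varnishd can
# use the full TCP network.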
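# varnishd_connect_any = false

#
# Determine whether confined virtual guests
# can use serial/parallel communication ports.
#
# virt_use_comm = false

#
# Determine whether confined virtual guests
# can use executable memory and can make
# their stack executable.
#
# virt_use_execmem = false

#
# Determine whether confined virtual guests
# can use fuse file systems.
#
# virt_use_fusefs = false

#
# Determine whether confined virtual guests
# can use nfs file systems.
#
# virt_use_nfs = false

#
# Determine whether confined virtual guests
# can use cifs file systems.
#
# virt_use_samba = false

#
# Determine whether confined virtual guests
# can manage device configuration.
#
# virt_use_sysfs = false

#
# Determine whether confined virtual guests
# can use usb devices.
#
# virt_use_usb = false

#
# Determine whether confined virtual guests
# can interact with xserver.
#
# virt_use_xserver = false

#
# Determine whether confined virtual guests
# can use vfio for pci device pass through (vt-d).
#
# virt_use_vfio = false

#
# Determine whether confined virtual guests
# can use input devices via evdev pass through.
#
# virt_use_evdev = false

#
# Allows the X server to use TCP/IP
# networking functionality (insecure).
#
# xserver_can_network = false

#
# Allows the X display manager to use
# TCP/IP networking functionality (insecure).
#
# xserver_xdm_can_network = false

#
# Allow xdm logins as sysadm
#
# xdm_sysadm_login = false

#
# Allows clients to write to the X server shared
# memory segments.
#
# allow_write_xshm = false

#
# Allows clients to write to the X server tmpfs
# files.
#
# xserver_client_writes_xserver_tmpfs = false

#
# Use gnome-shell in gdm mode as the
# X Display Manager (XDM)
#
# xserver_gnome_xdm = false

#
# Support X userspace object manager
#
# xserver_object_manager = false

#
# Allow DRI access
#
# xserver_allow_dri = false

#
# Determine whether zabbix can
# connect to all TCP ports
#
# zabbix_can_network = false

#
# Determine whether zebra daemon can
# manage its configuration files.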
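# allow_zebra_write_config = false

#
# Allow PAM usage. If disabled, read access to /etc/shadow is allowed
# for domains that normally use PAM.
#
# authlogin_pam = true

#
# Allow users to resolve user passwd entries directly from ldap
# rather than using a sssd server
#
# authlogin_nsswitch_use_ldap = false

#
# Enable support for upstart as the init program.
#
# init_upstart = false

#
# Enable systemd to create mountpoints.
#
# init_create_mountpoints = false

#
# Allow all daemons the ability to read/write terminals
#
# init_daemons_use_tty = false

#
# Enable systemd to mount on all non-security files.
#
# init_mounton_non_security = false

#
# Allow racoon to read shadow files
#
# racoon_read_shadow = false

#
# Allows syslogd internet domain sockets
# functionality (dangerous).
#
# logging_syslog_can_network = false

#
# Allow the mount command to mount any directory or file.
#
# allow_mount_anyfile = false

#
# Determine whether DHCP client
# can manage samba
#
# dhcpc_manage_samba = false

#
# Enable support for systemd-tmpfiles to manage all non-security files.
#
# systemd_tmpfiles_manage_all = false

#
# Allow systemd-networkd to run its DHCPd server component
#
# systemd_networkd_dhcp_server = false

#
# Allow systemd-nspawn to create a labelled namespace with the same types
# as the parent environment
#
# systemd_nspawn_labeled_namespace = false

#
# Allow systemd-logind to interact with the bootloader (read which one is
# installed on fixed disks, enumerate entries for dbus property
# BootLoaderEntries, etc.)
#
# systemd_logind_get_bootloader = false

#
# Allow systemd-socket-proxyd to bind any port instead of one labelled
# with systemd_socket_proxyd_port_t.
#
# systemd_socket_proxyd_bind_any = false

#
# Allow systemd-socket-proxyd to connect to any port instead of
# labelled ones.
#
# systemd_socket_proxyd_connect_any = false

#
# Determine whether tmpfiles can manage
# all non-security sensitive resources.
# Without this, it is only allowed rights towards
# /run, /tmp, /dev and /var/lock.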
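# tmpfiles_manage_all_non_security = true

#
# Allow users to connect to mysql
#
# allow_user_mysql_connect = false

#
# Allow users to connect to PostgreSQL
#
# allow_user_postgresql_connect = false

#
# Allow all users to send syslog messages
#
# user_all_users_send_syslog = true

#
# Allow regular users direct mouse access
#
# user_direct_mouse = false

#
# Allow users to read system messages.
#
# user_dmesg = false

#
# Allow user to r/w files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
#
# user_rw_noexattrfile = false

#
# Allow user to execute files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
#
# user_exec_noexattrfile = false

#
# Allow user to write files on removable
# devices (e.g. external USB memory
# devices or floppies)
#
# user_write_removable = false

#
# Allow the w command to display everyone
#
# user_ttyfile_stat = false

#
# Determine whether xend can
# run blktapctrl and tapdisk.
#
# xend_run_blktap = false

#
# Determine whether xen can
# use fusefs file systems.
#
# xen_use_fusefs = false

#
# Determine whether xen can
# use nfs file systems.
#
# xen_use_nfs = false

#
# Determine whether xen can
# use samba file systems.
#
# xen_use_samba = false

#
# Allow unconfined executables to make their heap memory executable.
# Doing this is a really bad idea. Probably indicates a badly coded
# executable, but could indicate an attack. This executable should be
# reported in bugzilla.
#
# allow_execheap = false

#
# Allow unconfined executables to map a memory region as both executable
# and writable. This is dangerous and the executable should be reported
# in bugzilla.
#
# allow_execmem = false

#
# Allow all unconfined executables to use libraries requiring text
# relocation that are not labeled textrel_shlib_t.
#
# allow_execmod = false

#
# Allow unconfined executables to make their stack executable. This
# should never, ever be necessary. Probably indicates a badly coded
# executable, but could indicate an attack. This executable should be
# reported in bugzilla.
#
# allow_execstack = false

#
# Allow raw memory device (/dev/mem, /dev/kmem, /dev/mergemem,
# /dev/oldmem, /dev/port) access for confined executables. This is
# extremely dangerous as it can bypass the SELinux protections, and
# should only be used by trusted domains.
#
# allow_raw_memory_access = false

#
# Enable polyinstantiated directory support.
#
# allow_polyinstantiation = false

#
# Allow system to run with NIS
#
# allow_ypbind = false

#
# Allow logging in and using the system from /dev/console.
#
# console_login = true

#
# Enable reading of urandom for all domains.
#
# This should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection. All domains will
# be allowed to read from /dev/urandom.
#
# global_ssp = false

#
# Allow email clients to read various content:
# nfs, samba, removable devices, and user temp
# files
#
# mail_read_content = false

#
# Allow any files/directories to be exported read/write via NFS.
#
# nfs_export_all_rw = false

#
# Allow any files/directories to be exported read-only via NFS.
#
# nfs_export_all_ro = false

#
# Support NFS home directories
#
# use_nfs_home_dirs = false

#
# Support SAMBA home directories
#
# use_samba_home_dirs = false

#
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users). Disabling this forces FTP passive mode
# and may change other protocols.
#
# user_tcp_server = false

#
# Allow users to run UDP servers (bind to ports and accept connection from
# the same domain and outside users)
#
# user_udp_server = false

#
# Allow mozilla to read generic user content (i.e. content that is not
# specific to an application).
#
# mozilla_read_generic_user_content = true

#
# Allow mozilla to read all user content (including content that is
# specific to an application, such as the configuration files of other
# applications in the user's home directory).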
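# mozilla_read_all_user_content = false

#
# Allow mozilla to manage generic user content (i.e. content that is not
# specific to an application).
#
# mozilla_manage_generic_user_content = false

#
# Allow mozilla to manage all user content (including content that is
# specific to an application, such as the configuration files of other
# applications in the user's home directory).
#
# mozilla_manage_all_user_content = false

#
# Allow chromium to read generic user content (i.e. content that is not
# specific to an application).
#
# chromium_read_generic_user_content = true

#
# Allow chromium to read all user content (including content that is
# specific to an application, such as the configuration files of other
# applications in the user's home directory).
#
# chromium_read_all_user_content = false

#
# Allow chromium to manage generic user content (i.e. content that is not
# specific to an application).
#
# chromium_manage_generic_user_content = false

#
# Allow chromium to manage all user content (including content that is
# specific to an application, such as the configuration files of other
# applications in the user's home directory).
#
# chromium_manage_all_user_content = false

#
# Allow mutt to read generic user content (i.e. content that is not
# specific to an application).
#
# mutt_read_generic_user_content = true

#
# Allow mutt to read all user content (including content that is
# specific to an application, such as the configuration files of other
# applications in the user's home directory).
#
# mutt_read_all_user_content = false

#
# Allow mutt to manage generic user content (i.e. content that is not
# specific to an application).
#
# mutt_manage_generic_user_content = false

#
# Allow mutt to manage all user content (including content that is
# specific to an application, such as the configuration files of other
# applications in the user's home directory).
#
# mutt_manage_all_user_content = false

#
# Allow thunderbird to read generic user content (i.e. content that is not
# specific to an application).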
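# thunderbird_read_generic_user_content = true

#
# Allow thunderbird to read all user content (including content that is
# specific to an application, such as the configuration files of other
# applications in the user's home directory).
#
# thunderbird_read_all_user_content = false

#
# Allow thunderbird to manage generic user content (i.e. content that is
# not specific to an application).
#
# thunderbird_manage_generic_user_content = false

#
# Allow thunderbird to manage all user content (including content that is
# specific to an application, such as the configuration files of other
# applications in the user's home directory).
#
# thunderbird_manage_all_user_content = false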