path: root/policy/booleans.conf

#
# Disable kernel module loading.
# 
secure_mode_insmod = false

#
# Boolean to determine whether the system permits loading policy, setting
# enforcing mode, and changing boolean values.  Set this to true and you
# have to reboot to set it back.
# 
secure_mode_policyload = false

#
# Enabling secure mode disallows programs, such as
# newrole, from transitioning to administrative
# user domains.
# 
secure_mode = false

#
# Control users use of ping and traceroute
# 
user_ping = false

#
# Allow Apache to modify public files
# used for public file transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_anon_write = false

#
# Allow Apache to use mod_auth_pam
# 
allow_httpd_mod_auth_pam = false

#
# Allow httpd to use built in scripting (usually php)
# 
httpd_builtin_scripting = false

#
# Allow HTTPD scripts and modules to connect to the network using TCP.
# 
httpd_can_network_connect = false

#
# Allow HTTPD scripts and modules to connect to databases over the network.
# 
httpd_can_network_connect_db = false

#
# Allow httpd to act as a relay
# 
httpd_can_network_relay = false

#
# Allow http daemon to send mail
# 
httpd_can_sendmail = false

#
# Allow Apache to communicate with avahi service via dbus
# 
httpd_dbus_avahi = false

#
# Allow httpd cgi support
# 
httpd_enable_cgi = false

#
# Allow httpd to act as a FTP server by
# listening on the ftp port.
# 
httpd_enable_ftp_server = false

#
# Allow httpd to read home directories
# 
httpd_enable_homedirs = false

#
# Allow httpd daemon to change its resource limits
# 
httpd_setrlimit = false

#
# Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
# 
httpd_ssi_exec = false

#
# Unify HTTPD to communicate with the terminal.
# Needed for entering the passphrase for certificates at
# the terminal.
# 
httpd_tty_comm = false

#
# Unify HTTPD handling of all content files.
# 
httpd_unified = false

#
# Allow httpd to access cifs file systems
# 
httpd_use_cifs = false

#
# Allow httpd to run gpg
# 
httpd_use_gpg = false

#
# Allow httpd to access nfs file systems
# 
httpd_use_nfs = false

#
# Allow BIND to write the master zone files.
# Generally this is used for dynamic DNS or zone transfers.
# 
named_write_master_zones = false

#
# Allow cdrecord to read various content.
# nfs, samba, removable devices, user temp
# and untrusted content files
# 
cdrecord_read_content = false

#
# Allow clamd to use JIT compiler
# 
clamd_use_jit = false

#
# Allow Cobbler to modify public files
# used for public file transfer services.
# 
cobbler_anon_write = false

#
# Allow system cron jobs to relabel filesystem
# for restoring file contexts.
# 
cron_can_relabel = false

#
# Enable extra rules in the cron domain
# to support fcron.
# 
fcron_crond = false

#
# Allow cvs daemon to read shadow
# 
allow_cvs_read_shadow = false

#
# Allow dbadm to manage files in users home directories
# 
dbadm_manage_user_files = false

#
# Allow dbadm to read files in users home directories
# 
dbadm_read_user_files = false

#
# Allow DHCP daemon to use LDAP backends
# 
dhcpd_use_ldap = false

#
# Allow the use of the audio devices as the source for the entropy feeds
# 
entropyd_use_audio = false

#
# Allow exim to connect to databases (postgres, mysql)
# 
exim_can_connect_db = false

#
# Allow exim to read unprivileged user files.
# 
exim_read_user_files = false

#
# Allow exim to create, read, write, and delete
# unprivileged user files.
# 
exim_manage_user_files = false

#
# Allow ftp servers to upload files,  used for public file
# transfer services. Directories must be labeled
# public_content_rw_t.
# 
allow_ftpd_anon_write = false

#
# Allow ftp servers to login to local users and
# read/write all files on the system, governed by DAC.
# 
allow_ftpd_full_access = false

#
# Allow ftp servers to use cifs
# used for public file transfer services.
# 
allow_ftpd_use_cifs = false

#
# Allow ftp servers to use nfs
# used for public file transfer services.
# 
allow_ftpd_use_nfs = false

#
# Allow ftp to read and write files in the user home directories
# 
ftp_home_dir = false

#
# Allow anon internal-sftp to upload files, used for
# public file transfer services. Directories must be labeled
# public_content_rw_t.
# 
sftpd_anon_write = false

#
# Allow sftp-internal to read and write files
# in the user home directories
# 
sftpd_enable_homedirs = false

#
# Allow sftp-internal to login to local users and
# read/write all files on the system, governed by DAC.
# 
sftpd_full_access = false

#
# Determine whether Git CGI
# can search home directories.
# 
git_cgi_enable_homedirs = false

#
# Determine whether Git CGI
# can access cifs file systems.
# 
git_cgi_use_cifs = false

#
# Determine whether Git CGI
# can access nfs file systems.
# 
git_cgi_use_nfs = false

#
# Determine whether calling user domains
# can execute Git daemon in the
# git_session_t domain.
# 
git_session_users = false

#
# Determine whether Git session daemons
# can send syslog messages.
# 
git_session_send_syslog_msg = false

#
# Determine whether Git system daemon
# can search home directories.
# 
git_system_enable_homedirs = false

#
# Determine whether Git system daemon
# can access cifs file systems.
# 
git_system_use_cifs = false

#
# Determine whether Git system daemon
# can access nfs file systems.
# 
git_system_use_nfs = false

#
# Allow usage of the gpg-agent --write-env-file option.
# This also allows gpg-agent to manage user files.
# 
gpg_agent_env_file = false

#
# Allow java executable stack
# 
allow_java_execstack = false

#
# Allow confined applications to run with kerberos.
# 
allow_kerberos = false

#
# Use lpd server instead of cups
# 
use_lpd_server = false

#
# Allow confined web browsers to read home directory content
# 
mozilla_read_content = false

#
# Allow mplayer executable stack
# 
allow_mplayer_execstack = false

#
# Allow mysqld to connect to all ports
# 
mysql_connect_any = false

#
# Allow openvpn to read home directories
# 
openvpn_enable_homedirs = false

#
# Allow the portage domains to use NFS mounts (regular nfs_t)
# 
portage_use_nfs = false

#
# Allow pppd to load kernel modules for certain modems
# 
pppd_can_insmod = false

#
# Allow pppd to be run for a regular user
# 
pppd_for_user = false

#
# Allow privoxy to connect to all ports, not just
# HTTP, FTP, and Gopher ports.
# 
privoxy_connect_any = false

#
# Allow Puppet client to manage all file
# types.
# 
puppet_manage_all_files = false

#
# Allow qemu to connect fully to the network
# 
qemu_full_network = false

#
# Allow qemu to use cifs/Samba file systems
# 
qemu_use_cifs = true

#
# Allow qemu to use serial/parallel communication ports
# 
qemu_use_comm = false

#
# Allow qemu to use nfs file systems
# 
qemu_use_nfs = true

#
# Allow qemu to use usb devices
# 
qemu_use_usb = true

#
# Allow rgmanager domain to connect to the network using TCP.
# 
rgmanager_can_network_connect = false

#
# Allow fenced domain to connect to the network using TCP.
# 
fenced_can_network_connect = false

#
# Allow gssd to read temp directory.  For access to kerberos tgt.
# 
allow_gssd_read_tmp = true

#
# Allow nfs servers to modify public files
# used for public file transfer services.  Files/Directories must be
# labeled public_content_rw_t.
# 
allow_nfsd_anon_write = false

#
# Allow rsync to export any files/directories read only.
# 
rsync_export_all_ro = false

#
# Allow rsync to modify public files
# used for public file transfer services.  Files/Directories must be
# labeled public_content_rw_t.
# 
allow_rsync_anon_write = false

#
# Allow samba to modify public files used for public file
# transfer services.  Files/Directories must be labeled
# public_content_rw_t.
# 
allow_smbd_anon_write = false

#
# Allow samba to create new home directories (e.g. via PAM)
# 
samba_create_home_dirs = false

#
# Allow samba to act as the domain controller, add users,
# groups and change passwords.
# 
samba_domain_controller = false

#
# Allow samba to share users home directories.
# 
samba_enable_home_dirs = false

#
# Allow samba to share any file/directory read only.
# 
samba_export_all_ro = false

#
# Allow samba to share any file/directory read/write.
# 
samba_export_all_rw = false

#
# Allow samba to run unconfined scripts
# 
samba_run_unconfined = false

#
# Allow samba to export NFS volumes.
# 
samba_share_nfs = false

#
# Allow samba to export ntfs/fusefs volumes.
# 
samba_share_fusefs = false

#
# Allow confined virtual guests to manage nfs files
# 
sanlock_use_nfs = false

#
# Allow confined virtual guests to manage cifs files
# 
sanlock_use_samba = false

#
# Allow sasl to read shadow
# 
allow_saslauthd_read_shadow = false

#
# Enable additional permissions needed to support
# devices on 3ware controllers.
# 
smartmon_3ware = false

#
# Allow user spamassassin clients to use the network.
# 
spamassassin_can_network = false

#
# Allow spamd to read/write user home directories.
# 
spamd_enable_home_dirs = true

#
# Allow squid to connect to all ports, not just
# HTTP, FTP, and Gopher ports.
# 
squid_connect_any = false

#
# Allow squid to run as a transparent proxy (TPROXY)
# 
squid_use_tproxy = false

#
# Allow the Telepathy connection managers
# to connect to any generic TCP port.
# 
telepathy_tcp_connect_generic_network_ports = false

#
# Allow the Telepathy connection managers
# to connect to any network port.
# 
telepathy_connect_all_ports = false

#
# Allow tftp to modify public files
# used for public file transfer services.
# 
tftp_anon_write = false

#
# Allow tor daemon to bind
# tcp sockets to all unreserved ports.
# 
tor_bind_all_unreserved_ports = false

#
# Allow varnishd to connect to all ports,
# not just HTTP.
# 
varnishd_connect_any = false

#
# Ignore vbetool mmap_zero errors.
# 
vbetool_mmap_zero_ignore = false

#
# Allow virt to use serial/parallell communication ports
# 
virt_use_comm = false

#
# Allow virt to read fuse files
# 
virt_use_fusefs = false

#
# Allow virt to manage nfs files
# 
virt_use_nfs = false

#
# Allow virt to manage cifs files
# 
virt_use_samba = false

#
# Allow virt to manage device configuration, (pci)
# 
virt_use_sysfs = false

#
# Allow virt to use usb devices
# 
virt_use_usb = true

#
# Allow webadm to manage files in users home directories
# 
webadm_manage_user_files = false

#
# Allow webadm to read files in users home directories
# 
webadm_read_user_files = false

#
# Ignore wine mmap_zero errors.
# 
wine_mmap_zero_ignore = false

#
# Allow xend to run blktapctrl/tapdisk.
# Not required if using dedicated logical volumes for disk images.
# 
xend_run_blktap = true

#
# Allow xend to run qemu-dm.
# Not required if using paravirt and no vfb.
# 
xend_run_qemu = true

#
# Allow xen to manage nfs files
# 
xen_use_nfs = false

#
# Allow xguest users to mount removable media
# 
xguest_mount_media = true

#
# Allow xguest to configure Network Manager
# 
xguest_connect_network = true

#
# Allow xguest to use blue tooth devices
# 
xguest_use_bluetooth = true

#
# Allow zebra daemon to write it configuration files
# 
allow_zebra_write_config = false

#
# Control the ability to mmap a low area of the address space,
# as configured by /proc/sys/kernel/mmap_min_addr.
# 
mmap_low_allowed = false

#
# Allow sysadm to debug or ptrace all processes.
# 
allow_ptrace = false

#
# Allow unprived users to execute DDL statement
# 
sepgsql_enable_users_ddl = true

#
# Allow transmit client label to foreign database
# 
sepgsql_transmit_client_label = false

#
# Allow database admins to execute DML statement
# 
sepgsql_unconfined_dbadm = true

#
# allow host key based authentication
# 
allow_ssh_keysign = false

#
# Allow ssh logins as sysadm_r:sysadm_t
# 
ssh_sysadm_login = false

#
# Allows clients to write to the X server shared
# memory segments.
# 
allow_write_xshm = false

#
# Allow xdm logins as sysadm
# 
xdm_sysadm_login = false

#
# Support X userspace object manager
# 
xserver_object_manager = false

#
# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
# 
authlogin_nsswitch_use_ldap = false

#
# Enable support for upstart as the init program.
# 
init_upstart = false

#
# Allow racoon to read shadow
# 
racoon_read_shadow = false

#
# Allow the mount command to mount any directory or file.
# 
allow_mount_anyfile = false

#
# Allow users to connect to mysql
# 
allow_user_mysql_connect = false

#
# Allow users to connect to PostgreSQL
# 
allow_user_postgresql_connect = false

#
# Allow regular users direct mouse access
# 
user_direct_mouse = false

#
# Allow users to read system messages.
# 
user_dmesg = false

#
# Allow user to r/w files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
# 
user_rw_noexattrfile = false

#
# Allow w to display everyone
# 
user_ttyfile_stat = false

#
# Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
# 
allow_execheap = false

#
# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
# 
allow_execmem = false

#
# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
# 
allow_execmod = false

#
# Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
# 
allow_execstack = false

#
# Enable polyinstantiated directory support.
# 
allow_polyinstantiation = false

#
# Allow system to run with NIS
# 
allow_ypbind = false

#
# Allow logging in and using the system from /dev/console.
# 
console_login = true

#
# Enable reading of urandom for all domains.
# 
# 
# 
# 
# This should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection.  All domains will
# be allowed to read from /dev/urandom.
# 
global_ssp = false

#
# Allow email client to various content.
# nfs, samba, removable devices, and user temp
# files
# 
mail_read_content = false

#
# Allow any files/directories to be exported read/write via NFS.
# 
nfs_export_all_rw = false

#
# Allow any files/directories to be exported read/only via NFS.
# 
nfs_export_all_ro = false

#
# Support NFS home directories
# 
use_nfs_home_dirs = false

#
# Support SAMBA home directories
# 
use_samba_home_dirs = false

#
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users)  disabling this forces FTP passive mode
# and may change other protocols.
# 
user_tcp_server = false