path: root/policy/booleans.conf

#
# Disable kernel module loading.
# 
secure_mode_insmod = false

#
# Boolean to determine whether the system permits loading policy, and setting
# enforcing mode.  Set this to true and you have to reboot to set it back.
# 
secure_mode_policyload = false

#
# Boolean to determine whether the system permits setting Booelan values.
# 
secure_mode_setbool = false

#
# Enabling secure mode disallows programs, such as
# newrole, from transitioning to administrative
# user domains.
# 
secure_mode = false

#
# Control if AIDE can mmap files.
# AIDE can be compiled with the option 'with-mmap' in which case it will
# attempt to mmap files while running.
# 
aide_mmap_files = false

#
# Grant the firstboot domains read access to generic user content
# 
firstboot_read_generic_user_content = true

#
# Grant the firstboot domains read access to all user content
# 
firstboot_read_all_user_content = false

#
# Grant the firstboot domains manage rights on generic user content
# 
firstboot_manage_generic_user_content = false

#
# Grant the firstboot domains manage rights on all user content
# 
firstboot_manage_all_user_content = false

#
# Determine whether logrotate can manage
# audit log files
# 
logrotate_manage_audit_log = false

#
# Determine whether logwatch can connect
# to mail over the network.
# 
logwatch_can_network_connect_mail = false

#
# Determine whether mcelog supports
# client mode.
# 
mcelog_client = false

#
# Determine whether mcelog can execute scripts.
# 
mcelog_exec_scripts = true

#
# Determine whether mcelog can use all
# the user ttys.
# 
mcelog_foreground = false

#
# Determine whether mcelog supports
# server mode.
# 
mcelog_server = false

#
# Determine whether mcelog can use syslog.
# 
mcelog_syslog = false

#
# Control users use of ping and traceroute
# 
user_ping = false

#
# Determine whether portage can
# use nfs filesystems.
# 
portage_use_nfs = false

#
# Determine whether portage domains can read user content.
# This is for non-portage_t domains as portage_t can manage the entire file system.
# 
portage_read_user_content = false

#
# Determine whether portage can mount file systems (used to mount /boot for instance).
# 
portage_mount_fs = false

#
# Extra rules which are sometimes needed when FEATURES=test is enabled
# 
portage_enable_test = false

#
# Determine whether puppet can
# manage all non-security files.
# 
puppet_manage_all_files = false

#
# Determine whether rkhunter can connect
# to http ports. This is required by the
# --update option.
# 
rkhunter_connect_http = false

#
# Determine whether the user application exec
# domain attribute should be respected for
# shutdown access. If not enabled, only user
# domains themselves may use shutdown.
# 
shutdown_allow_user_exec_domains = false

#
# Determine whether the user application
# exec domain attribute should be respected
# for su access. If not enabled, only user
# domains themselves may use su.
# 
su_allow_user_exec_domains = false

#
# Determine whether all sudo domains
# can connect to TCP HTTP ports. This
# is needed if an additional authentication
# mechanism via an HTTP server is
# required for users to use sudo.
# 
sudo_all_tcp_connect_http_port = false

#
# Determine whether the user application exec
# domain attribute should be respected for sudo
# access. If not enabled, only user domains
# themselves may use sudo.
# 
sudo_allow_user_exec_domains = false

#
# Determine whether authorized users can control the daemon,
# which requires usbguard-daemon to be able modify its rules in
# /etc/usbguard.
# 
usbguard_user_modify_rule_files = false

#
# Determine whether attempts by
# vbetool to mmap low regions should
# be silently blocked.
# 
vbetool_mmap_zero_ignore = false

#
# Determine whether awstats can
# purge httpd log files.
# 
awstats_purge_apache_log_files = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_awstats_script_anon_write = false

#
# Determine whether cdrecord can read
# various content. nfs, samba, removable
# devices, user temp and untrusted
# content files
# 
cdrecord_read_content = false

#
# Allow chromium to access direct rendering interface
# 
# 
# 
# 
# Needed for good performance on complex sites
# 
chromium_dri = true

#
# Allow chromium to read system information
# 
# 
# 
# 
# Although not needed for regular browsing, this will allow chromium to update
# its own memory consumption based on system state, support additional
# debugging, detect specific devices, etc.
# 
chromium_read_system_info = false

#
# Allow chromium to bind to tcp ports
# 
# 
# 
# 
# Although not needed for regular browsing, some chrome extensions need to
# bind to tcp ports and accept connections.
# 
chromium_bind_tcp_unreserved_ports = false

#
# Allow chromium to read/write USB devices
# 
# 
# 
# 
# Although not needed for regular browsing, used for debugging over usb
# or using FIDO U2F tokens.
# 
chromium_rw_usb_dev = false

#
# Grant the chromium domains read access to generic user content
# 
chromium_read_generic_user_content = true

#
# Grant the chromium domains read access to all user content
# 
chromium_read_all_user_content = false

#
# Grant the chromium domains manage rights on generic user content
# 
chromium_manage_generic_user_content = false

#
# Grant the chromium domains manage rights on all user content
# 
chromium_manage_all_user_content = false

#
# Grant the cryfs domains read access to generic user content
# 
cryfs_read_generic_user_content = true

#
# Grant the cryfs domains read access to all user content
# 
cryfs_read_all_user_content = false

#
# Grant the cryfs domains manage rights on generic user content
# 
cryfs_manage_generic_user_content = false

#
# Grant the cryfs domains manage rights on all user content
# 
cryfs_manage_all_user_content = false

#
# Allow evolution to create and write
# user certificates in addition to
# being able to read them
# 
evolution_manage_user_certs = false

#
# Grant the evolution domains read access to generic user content
# 
evolution_read_generic_user_content = true

#
# Grant the evolution domains read access to all user content
# 
evolution_read_all_user_content = false

#
# Grant the evolution domains manage rights on generic user content
# 
evolution_manage_generic_user_content = false

#
# Grant the evolution domains manage rights on all user content
# 
evolution_manage_all_user_content = false

#
# Determine whether Gitosis can send mail.
# 
gitosis_can_sendmail = false

#
# Determine whether GPG agent can manage
# generic user home content files. This is
# required by the --write-env-file option.
# 
gpg_agent_env_file = false

#
# Determine whether GPG agent can use OpenPGP
# cards or Yubikeys over USB
# 
gpg_agent_use_card = false

#
# Grant the gpg domains read access to generic user content
# 
gpg_read_generic_user_content = true

#
# Grant the gpg domains read access to all user content
# 
gpg_read_all_user_content = false

#
# Grant the gpg domains manage rights on generic user content
# 
gpg_manage_generic_user_content = false

#
# Grant the gpg domains manage rights on all user content
# 
gpg_manage_all_user_content = false

#
# Determine whether irc clients can
# listen on and connect to any
# unreserved TCP ports.
# 
irc_use_any_tcp_ports = false

#
# Grant the irc domains read access to generic user content
# 
irc_read_generic_user_content = true

#
# Grant the irc domains read access to all user content
# 
irc_read_all_user_content = false

#
# Grant the irc domains manage rights on generic user content
# 
irc_manage_generic_user_content = false

#
# Grant the irc domains manage rights on all user content
# 
irc_manage_all_user_content = false

#
# Determine whether java can make
# its stack executable.
# 
allow_java_execstack = false

#
# Grant the java domains read access to generic user content
# 
java_read_generic_user_content = true

#
# Grant the java domains read access to all user content
# 
java_read_all_user_content = false

#
# Grant the java domains manage rights on generic user content
# 
java_manage_generic_user_content = false

#
# Grant the java domains manage rights on all user content
# 
java_manage_all_user_content = false

#
# Determine whether libmtp can read
# and manage the user home directories
# and files.
# 
libmtp_enable_home_dirs = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_lightsquid_script_anon_write = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_man2html_script_anon_write = false

#
# Determine whether mozilla can
# make its stack executable.
# 
mozilla_execstack = false

#
# Grant the mozilla domains read access to generic user content
# 
mozilla_read_generic_user_content = true

#
# Grant the mozilla domains read access to all user content
# 
mozilla_read_all_user_content = false

#
# Grant the mozilla domains manage rights on generic user content
# 
mozilla_manage_generic_user_content = false

#
# Grant the mozilla domains manage rights on all user content
# 
mozilla_manage_all_user_content = false

#
# Determine whether mozilla firefox can bind TCP sockets to all
# unreserved ports (for instance used with various Proxy
# management extensions).
# 
mozilla_bind_all_unreserved_ports = false

#
# Determine whether mozilla firefox plugins can connect to
# unreserved ports (for instance when dealing with Google Talk)
# 
mozilla_plugin_connect_all_unreserved = false

#
# Determine whether mplayer can make
# its stack executable.
# 
allow_mplayer_execstack = false

#
# Grant the mplayer_mencoder domains read access to generic user content
# 
mplayer_mencoder_read_generic_user_content = true

#
# Grant the mplayer_mencoder domains read access to all user content
# 
mplayer_mencoder_read_all_user_content = false

#
# Grant the mplayer_mencoder domains manage rights on generic user content
# 
mplayer_mencoder_manage_generic_user_content = false

#
# Grant the mplayer_mencoder domains manage rights on all user content
# 
mplayer_mencoder_manage_all_user_content = false

#
# Grant the mplayer domains read access to generic user content
# 
mplayer_read_generic_user_content = true

#
# Grant the mplayer domains read access to all user content
# 
mplayer_read_all_user_content = false

#
# Grant the mplayer domains manage rights on generic user content
# 
mplayer_manage_generic_user_content = false

#
# Grant the mplayer domains manage rights on all user content
# 
mplayer_manage_all_user_content = false

#
# Determine whether openoffice can
# download software updates from the
# network (application and/or
# extensions).
# 
openoffice_allow_update = true

#
# Determine whether openoffice writer
# can send emails directly (print to
# email). This is different from the
# functionality of sending emails
# through external clients which is
# always enabled.
# 
openoffice_allow_email = false

#
# Grant the openoffice domains read access to generic user content
# 
openoffice_read_generic_user_content = true

#
# Grant the openoffice domains read access to all user content
# 
openoffice_read_all_user_content = false

#
# Grant the openoffice domains manage rights on generic user content
# 
openoffice_manage_generic_user_content = false

#
# Grant the openoffice domains manage rights on all user content
# 
openoffice_manage_all_user_content = false

#
# Allow pulseaudio to execute code in
# writable memory
# 
pulseaudio_execmem = false

#
# Determine whether pulseaudio
# can use the network.
# 
pulseaudio_can_network = false

#
# Determine whether qemu has full
# access to the network.
# 
qemu_full_network = false

#
# Grant the syncthing domains read access to generic user content
# 
syncthing_read_generic_user_content = true

#
# Grant the syncthing domains read access to all user content
# 
syncthing_read_all_user_content = false

#
# Grant the syncthing domains manage rights on generic user content
# 
syncthing_manage_generic_user_content = false

#
# Grant the syncthing domains manage rights on all user content
# 
syncthing_manage_all_user_content = false

#
# Determine whether telepathy connection
# managers can connect to generic tcp ports.
# 
telepathy_tcp_connect_generic_network_ports = false

#
# Determine whether telepathy connection
# managers can connect to any port.
# 
telepathy_connect_all_ports = false

#
# Grant the thunderbird domains read access to generic user content
# 
thunderbird_read_generic_user_content = true

#
# Grant the thunderbird domains read access to all user content
# 
thunderbird_read_all_user_content = false

#
# Grant the thunderbird domains manage rights on generic user content
# 
thunderbird_manage_generic_user_content = false

#
# Grant the thunderbird domains manage rights on all user content
# 
thunderbird_manage_all_user_content = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_webalizer_script_anon_write = false

#
# Determine whether attempts by
# wine to mmap low regions should
# be silently blocked.
# 
wine_mmap_zero_ignore = false

#
# Grant the wireshark domains read access to generic user content
# 
wireshark_read_generic_user_content = true

#
# Grant the wireshark domains read access to all user content
# 
wireshark_read_all_user_content = false

#
# Grant the wireshark domains manage rights on generic user content
# 
wireshark_manage_generic_user_content = false

#
# Grant the wireshark domains manage rights on all user content
# 
wireshark_manage_all_user_content = false

#
# Grant the xscreensaver domains read access to generic user content
# 
xscreensaver_read_generic_user_content = true

#
# Determine whether the bitcoin daemon can bind
# to all unreserved ports or not.
# 
bitcoin_bind_all_unreserved_ports = false

#
# Determine whether dropbox can bind to
# local tcp and udp ports.
# Required for Dropbox' LAN Sync feature
# 
dropbox_bind_port = false

#
# Grant the dropbox domains read access to generic user content
# 
dropbox_read_generic_user_content = true

#
# Grant the dropbox domains read access to all user content
# 
dropbox_read_all_user_content = false

#
# Grant the dropbox domains manage rights on generic user content
# 
dropbox_manage_generic_user_content = false

#
# Grant the dropbox domains manage rights on all user content
# 
dropbox_manage_all_user_content = false

#
# Allow KDEConnect to read user home files
# 
kdeconnect_read_user_files = true

#
# Allow links to manage files in users home directories (download files)
# 
links_manage_user_files = false

#
# Grant the mutt domains read access to generic user content
# 
mutt_read_generic_user_content = true

#
# Grant the mutt domains read access to all user content
# 
mutt_read_all_user_content = false

#
# Grant the mutt domains manage rights on generic user content
# 
mutt_manage_generic_user_content = false

#
# Grant the mutt domains manage rights on all user content
# 
mutt_manage_all_user_content = false

#
# Allow nginx to serve HTTP content (act as an http server)
# 
nginx_enable_http_server = false

#
# Allow nginx to act as an imap proxy server)
# 
nginx_enable_imap_server = false

#
# Allow nginx to act as a pop3 server)
# 
nginx_enable_pop3_server = false

#
# Allow nginx to act as an smtp server)
# 
nginx_enable_smtp_server = false

#
# Allow nginx to connect to remote HTTP servers
# 
nginx_can_network_connect_http = false

#
# Allow nginx to connect to remote servers (regardless of protocol)
# 
nginx_can_network_connect = false

#
# Be able to manage user files (needed to support sending and downloading
# attachments). Without this boolean set, only files marked as pan_home_t
# can be used for sending and receiving.
# 
pan_manage_user_content = false

#
# Allow phpfpm to use LDAP services
# 
phpfpm_use_ldap = false

#
# Allow phpfpm to send syslog messages
# 
phpfpm_send_syslog_msg = false

#
# Allow phpfpm to execute shells. This
# is needed by some webapps.
# 
phpfpm_exec_shell = false

#
# Allow phpfpm to connect to http ports.
# 
phpfpm_connect_http = false

#
# Allow phpfpm to connect to pop ports.
# 
phpfpm_connect_pop = false

#
# Allow phpfpm to connect to redis ports.
# 
phpfpm_connect_redis = false

#
# Allow phpfpm to connect to sieve ports.
# 
phpfpm_connect_sieve = false

#
# Allow phpfpm to connect to smtp ports.
# 
phpfpm_connect_smtp = false

#
# Allow rtorrent to use dht.
# The correspondig port must be rtorrent_udp_port_t.
# 
rtorrent_use_dht = true

#
# Allow rtorrent to use rsync, for example in a hook.
# 
rtorrent_use_rsync = false

#
# Determine wether the salt master can read NFS files
# 
salt_master_read_nfs = false

#
# Determine wether the salt minion can manage NFS files
# 
salt_minion_manage_nfs = false

#
# Be able to manage user files (needed to support sending and receiving files).
# Without this boolean set, only files marked as skype_home_t can be used for
# sending and receiving.
# 
skype_manage_user_content = false

#
# Control the ability to mmap a low area of the address space,
# as configured by /proc/sys/kernel/mmap_min_addr.
# 
mmap_low_allowed = false

#
# Determine whether dbadm can manage
# generic user files.
# 
dbadm_manage_user_files = false

#
# Determine whether dbadm can read
# generic user files.
# 
dbadm_read_user_files = false

#
# Determine whether guest can
# configure network manager.
# 
guest_connect_network = false

#
# Determine whether webadm can
# manage generic user files.
# 
webadm_manage_user_files = false

#
# Determine whether webadm can
# read generic user files.
# 
webadm_read_user_files = false

#
# Determine whether xguest can
# mount removable media.
# 
xguest_mount_media = false

#
# Determine whether xguest can
# configure network manager.
# 
xguest_connect_network = false

#
# Determine whether xguest can
# use blue tooth devices.
# 
xguest_use_bluetooth = false

#
# Determine whether ABRT can modify
# public files used for public file
# transfer services.
# 
abrt_anon_write = false

#
# Determine whether abrt-handle-upload
# can modify public files used for public file
# transfer services in /var/spool/abrt-upload/.
# 
abrt_upload_watch_anon_write = true

#
# Determine whether ABRT can run in
# the abrt_handle_event_t domain to
# handle ABRT event scripts.
# 
abrt_handle_event = false

#
# Determine whether amavis can
# use JIT compiler.
# 
amavis_use_jit = false

#
# Determine whether httpd can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_anon_write = false

#
# Determine whether httpd can use mod_auth_pam.
# 
allow_httpd_mod_auth_pam = false

#
# Determine whether httpd can use built in scripting.
# 
httpd_builtin_scripting = false

#
# Determine whether httpd can check spam.
# 
httpd_can_check_spam = false

#
# Determine whether httpd scripts and modules
# can connect to the network using TCP.
# 
httpd_can_network_connect = false

#
# Determine whether httpd scripts and modules
# can connect to cobbler over the network.
# 
httpd_can_network_connect_cobbler = false

#
# Determine whether scripts and modules can
# connect to databases over the network.
# 
httpd_can_network_connect_db = false

#
# Determine whether httpd can connect to
# ldap over the network.
# 
httpd_can_network_connect_ldap = false

#
# Determine whether httpd can connect
# to memcache server over the network.
# 
httpd_can_network_connect_memcache = false

#
# Determine whether httpd can act as a relay.
# 
httpd_can_network_relay = false

#
# Determine whether httpd daemon can
# connect to zabbix over the network.
# 
httpd_can_network_connect_zabbix = false

#
# Determine whether httpd can send mail.
# 
httpd_can_sendmail = false

#
# Determine whether httpd can communicate
# with avahi service via dbus.
# 
httpd_dbus_avahi = false

#
# Determine whether httpd can use support.
# 
httpd_enable_cgi = false

#
# Determine whether httpd can act as a
# FTP server by listening on the ftp port.
# 
httpd_enable_ftp_server = false

#
# Determine whether httpd can traverse
# user home directories.
# 
httpd_enable_homedirs = false

#
# Determine whether httpd gpg can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
httpd_gpg_anon_write = false

#
# Determine whether httpd can execute
# its temporary content.
# 
httpd_tmp_exec = false

#
# Determine whether httpd scripts and
# modules can use execmem and execstack.
# 
httpd_execmem = false

#
# Determine whether httpd can connect
# to port 80 for graceful shutdown.
# 
httpd_graceful_shutdown = false

#
# Determine whether httpd can
# manage IPA content files.
# 
httpd_manage_ipa = false

#
# Determine whether httpd can use mod_auth_ntlm_winbind.
# 
httpd_mod_auth_ntlm_winbind = false

#
# Determine whether httpd can read
# generic user home content files.
# 
httpd_read_user_content = false

#
# Determine whether httpd can change
# its resource limits.
# 
httpd_setrlimit = false

#
# Determine whether httpd can run
# SSI executables in the same domain
# as system CGI scripts.
# 
httpd_ssi_exec = false

#
# Determine whether httpd can communicate
# with the terminal. Needed for entering the
# passphrase for certificates at the terminal.
# 
httpd_tty_comm = false

#
# Determine whether httpd can have full access
# to its content types.
# 
httpd_unified = false

#
# Determine whether httpd can use
# cifs file systems.
# 
httpd_use_cifs = false

#
# Determine whether httpd can
# use fuse file systems.
# 
httpd_use_fusefs = false

#
# Determine whether httpd can use gpg.
# 
httpd_use_gpg = false

#
# Determine whether httpd can use
# nfs file systems.
# 
httpd_use_nfs = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_sys_script_anon_write = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_user_script_anon_write = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_unconfined_script_anon_write = false

#
# Enable specific permissions for the Hiawatha web server
# 
hiawatha_httpd = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_apcupsd_cgi_script_anon_write = false

#
# Determine whether Bind can bind tcp socket to http ports.
# 
named_tcp_bind_http_port = false

#
# Determine whether Bind can write to master zone files.
# Generally this is used for dynamic DNS or zone transfers.
# 
named_write_master_zones = false

#
# Determine whether boinc can execmem/execstack.
# 
boinc_execmem = true

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_bugzilla_script_anon_write = false

#
# Determine whether additional rules
# should be enabled to support acme.sh
# 
certbot_acmesh = false

#
# Determine whether chronyd can access NIC hardware
# timestamping features
# 
chronyd_hwtimestamp = false

#
# Determine whether clamscan can
# read user content files.
# 
clamav_read_user_content_files_clamscan = false

#
# Determine whether clamscan can read
# all non-security files.
# 
clamav_read_all_non_security_files_clamscan = false

#
# Determine whether can clamd use JIT compiler.
# 
clamd_use_jit = false

#
# Determine whether Cobbler can modify
# public files used for public file
# transfer services.
# 
cobbler_anon_write = false

#
# Determine whether Cobbler can connect
# to the network using TCP.
# 
cobbler_can_network_connect = false

#
# Determine whether Cobbler can access
# cifs file systems.
# 
cobbler_use_cifs = false

#
# Determine whether Cobbler can access
# nfs file systems.
# 
cobbler_use_nfs = false

#
# Determine whether collectd can connect
# to the network using TCP.
# 
collectd_tcp_network_connect = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_collectd_script_anon_write = false

#
# Determine whether Condor can connect
# to the network using TCP.
# 
condor_tcp_network_connect = false

#
# Allow containers to manage cgroups.
# This is required for systemd to run inside
# containers.
# 
container_manage_cgroup = false

#
# Allow container engines to mount on all non-security files.
# 
container_mounton_non_security = false

#
# Allow containers to manage all read-writable public content.
# 
container_manage_public_content = false

#
# Allow containers to read all public content.
# 
container_read_public_content = false

#
# Allow super privileged containers to create NFS servers.
# 
container_spc_create_nfs_servers = false

#
# Allow super privileged containers to use tun-tap devices.
# 
container_spc_use_tun_tap_dev = false

#
# Allow containers to use direct rendering devices.
# 
container_use_dri = false

#
# Allow containers to use eCryptfs filesystems.
# 
container_use_ecryptfs = false

#
# Allow containers to use all capabilities in a
# non-namespaced context for various privileged operations
# directly on the host.
# 
container_use_host_all_caps = false

#
# Allow containers to use huge pages.
# 
container_use_hugetlbfs = false

#
# Allow containers to use the mknod syscall, e.g. for
# creating special device files.
# 
container_use_mknod = false

#
# Allow containers to use NFS filesystems.
# 
container_use_nfs = false

#
# Allow containers to use CIFS filesystems.
# 
container_use_samba = false

#
# Allow containers to use the sysadmin capability, e.g.
# for mounting filesystems.
# 
container_use_sysadmin = false

#
# Allow containers to use all capabilities in a
# namespaced context for various privileged operations
# within the container itself.
# 
container_use_userns_all_caps = false

#
# Allow containers to use the mknod syscall in a
# namespaced context, e.g. for creating special device
# files within the container itself.
# 
container_use_userns_mknod = false

#
# Allow containers to use the sysadmin capability in a
# namespaced context, e.g. for mounting filesystems
# within the container itself.
# 
container_use_userns_sysadmin = false

#
# Determine whether system cron jobs
# can relabel filesystem for
# restoring file contexts.
# 
cron_can_relabel = false

#
# Determine whether crond can execute jobs
# in the user domain as opposed to the
# the generic cronjob domain.
# 
cron_userdomain_transition = false

#
# Determine whether extra rules
# should be enabled to support fcron.
# 
fcron_crond = false

#
# Grant the cron domains read access to generic user content
# 
cron_read_generic_user_content = true

#
# Grant the cron domains read access to all user content
# 
cron_read_all_user_content = false

#
# Grant the cron domains manage rights on generic user content
# 
cron_manage_generic_user_content = false

#
# Grant the cron domains manage rights on all user content
# 
cron_manage_all_user_content = false

#
# Determine whether cvs can read shadow
# password files.
# 
allow_cvs_read_shadow = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_cvs_script_anon_write = false

#
# Determine whether the dbus server
# can use the network (insecure
# except than in the case of the
# loopback interface).
# 
dbus_can_network = false

#
# Allow dbus-daemon system bus to access /dev/net/tun
# which is needed to pass tun/tap device file descriptors
# over D-Bus.  This is needed by openvpn3-linux.
# 
dbus_pass_tuntap_fd = false

#
# Allow dbus-daemon system bus to to run systemd transient
# units. This is used by dbus-broker for dbus-activated
# services when the unit file for the service does not exist.
# 
dbus_broker_run_transient_units = false

#
# Enable additional rules to support using dbus-broker
# as the dbus-daemon system bus.
# 
dbus_broker_system_bus = false

#
# Determine whether DHCP daemon
# can use LDAP backends.
# 
dhcpd_use_ldap = false

#
# Determine whether dovecot can connect to
# databases.
# 
dovecot_can_connect_db = false

#
# Determine whether entropyd can use
# audio devices as the source for
# the entropy feeds.
# 
entropyd_use_audio = false

#
# Determine whether exim can connect to
# databases.
# 
exim_can_connect_db = false

#
# Determine whether exim can read generic
# user content files.
# 
exim_read_user_files = false

#
# Determine whether exim can create,
# read, write, and delete generic user
# content files.
# 
exim_manage_user_files = false

#
# Determine whether ftpd can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_ftpd_anon_write = false

#
# Determine whether ftpd can login to
# local users and can read and write
# all files on the system, governed by DAC.
# 
allow_ftpd_full_access = false

#
# Determine whether ftpd can use CIFS
# used for public file transfer services.
# 
allow_ftpd_use_cifs = false

#
# Determine whether ftpd can use NFS
# used for public file transfer services.
# 
allow_ftpd_use_nfs = false

#
# Determine whether ftpd can connect to
# databases over the TCP network.
# 
ftpd_connect_db = false

#
# Determine whether ftpd can bind to all
# unreserved ports for passive mode.
# 
ftpd_use_passive_mode = false

#
# Determine whether ftpd can connect to
# all unreserved ports.
# 
ftpd_connect_all_unreserved = false

#
# Determine whether ftpd can read and write
# files in user home directories.
# 
ftp_home_dir = false

#
# Determine whether sftpd can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
sftpd_anon_write = false

#
# Determine whether sftpd-can read and write
# files in user home directories.
# 
sftpd_enable_homedirs = false

#
# Determine whether sftpd-can login to
# local users and read and write all
# files on the system, governed by DAC.
# 
sftpd_full_access = false

#
# Determine whether sftpd can read and write
# files in user ssh home directories.
# 
sftpd_write_ssh_home = false

#
# Determine whether Git CGI
# can search home directories.
# 
git_cgi_enable_homedirs = false

#
# Determine whether Git CGI
# can access cifs file systems.
# 
git_cgi_use_cifs = false

#
# Determine whether Git CGI
# can access nfs file systems.
# 
git_cgi_use_nfs = false

#
# Determine whether Git session daemon
# can bind TCP sockets to all
# unreserved ports.
# 
git_session_bind_all_unreserved_ports = false

#
# Determine whether calling user domains
# can execute Git daemon in the
# git_session_t domain.
# 
git_session_users = false

#
# Determine whether Git session daemons
# can send syslog messages.
# 
git_session_send_syslog_msg = false

#
# Determine whether Git system daemon
# can search home directories.
# 
git_system_enable_homedirs = false

#
# Determine whether Git system daemon
# can access cifs file systems.
# 
git_system_use_cifs = false

#
# Determine whether Git system daemon
# can access nfs file systems.
# 
git_system_use_nfs = false

#
# Determine whether Git client domains
# can manage all user home content,
# including application-specific data.
# 
git_client_manage_all_user_home_content = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_git_script_anon_write = false

#
# Allow the gluster daemon to automatically
# add and remove file contexts from the local
# SELinux policy when adding and removing
# bricks.
# 
glusterfs_modify_policy = false

#
# Grant the i18n_input domains read access to generic user content
# 
i18n_input_read_generic_user_content = true

#
# Determine whether icecast can listen
# on and connect to any TCP port.
# 
icecast_use_any_tcp_ports = false

#
# Determine whether kerberos is supported.
# 
allow_kerberos = false

#
# Determine whether to support lpd server.
# 
use_lpd_server = false

#
# Determine whether Matrixd is allowed to federate
# (bind all UDP ports and connect to all TCP ports).
# 
matrix_allow_federation = true

#
# Determine whether Matrixd can connect to the Postgres database.
# 
matrix_postgresql_connect = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_mediawiki_script_anon_write = false

#
# Determine whether minidlna can read generic user content.
# 
minidlna_read_generic_user_content = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_mojomojo_script_anon_write = false

#
# Allow monit to start/stop services
# 
monit_startstop_services = false

#
# Determine whether mpd can traverse
# user home directories.
# 
mpd_enable_homedirs = false

#
# Determine whether mpd can use
# cifs file systems.
# 
mpd_use_cifs = false

#
# Determine whether mpd can use
# nfs file systems.
# 
mpd_use_nfs = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_munin_script_anon_write = false

#
# Determine whether mysqld can
# connect to all TCP ports.
# 
mysql_connect_any = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_nagios_script_anon_write = false

#
# Determine whether confined applications
# can use nscd shared memory.
# 
nscd_use_shm = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_nutups_cgi_script_anon_write = false

#
# Determine whether obfs4proxy can bind
# tcp sockets to all unreserved ports.
# 
obfs4proxy_bind_all_unreserved_ports = false

#
# Determine whether obfs4proxy can bind
# tcp sockets to all http ports.
# 
obfs4proxy_bind_http_ports = false

#
# Determine whether openvpn can
# read generic user home content files.
# 
openvpn_enable_homedirs = false

#
# Determine whether openvpn can
# connect to the TCP network.
# 
openvpn_can_network_connect = false

#
# Allow pacemaker to start/stop services
# 
pacemaker_startstop_all_services = false

#
# Determine whether postfix local
# can manage mail spool content.
# 
postfix_local_write_mail_spool = true

#
# Grant the postfix domains read access to generic user content
# 
postfix_read_generic_user_content = true

#
# Grant the postfix domains read access to all user content
# 
postfix_read_all_user_content = false

#
# Grant the postfix domains manage rights on generic user content
# 
postfix_manage_generic_user_content = false

#
# Grant the postfix domains manage rights on all user content
# 
postfix_manage_all_user_content = false

#
# Allow unprived users to execute DDL statement
# 
sepgsql_enable_users_ddl = false

#
# Allow transmit client label to foreign database
# 
sepgsql_transmit_client_label = false

#
# Allow database admins to execute DML statement
# 
sepgsql_unconfined_dbadm = false

#
# Determine whether pppd can
# load kernel modules.
# 
pppd_can_insmod = false

#
# Determine whether common users can
# run pppd with a domain transition.
# 
pppd_for_user = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_prewikka_script_anon_write = false

#
# Determine whether privoxy can
# connect to all tcp ports.
# 
privoxy_connect_any = false

#
# Determine whether gssd can read
# generic user temporary content.
# 
allow_gssd_read_tmp = false

#
# Determine whether gssd can write
# generic user temporary content.
# 
allow_gssd_write_tmp = false

#
# Determine whether nfs can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_nfsd_anon_write = false

#
# Determine whether rsync can use
# cifs file systems.
# 
rsync_use_cifs = false

#
# Determine whether rsync can
# use fuse file systems.
# 
rsync_use_fusefs = false

#
# Determine whether rsync can use
# nfs file systems.
# 
rsync_use_nfs = false

#
# Determine whether rsync can
# run as a client
# 
rsync_client = false

#
# Determine whether rsync can
# export all content read only.
# 
rsync_export_all_ro = false

#
# Determine whether rsync can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_rsync_anon_write = false

#
# Determine whether smbd_t can
# read shadow files.
# 
samba_read_shadow = false

#
# Determine whether samba can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_smbd_anon_write = false

#
# Determine whether samba can
# create home directories via pam.
# 
samba_create_home_dirs = false

#
# Determine whether samba can act as the
# domain controller, add users, groups
# and change passwords.
# 
samba_domain_controller = false

#
# Determine whether samba can
# act as a portmapper.
# 
samba_portmapper = false

#
# Determine whether samba can share
# users home directories.
# 
samba_enable_home_dirs = false

#
# Determine whether samba can share
# any content read only.
# 
samba_export_all_ro = false

#
# Determine whether samba can share any
# content readable and writable.
# 
samba_export_all_rw = false

#
# Determine whether samba can
# run unconfined scripts.
# 
samba_run_unconfined = false

#
# Determine whether samba can
# use nfs file systems.
# 
samba_share_nfs = false

#
# Determine whether samba can
# use fuse file systems.
# 
samba_share_fusefs = false

#
# Determine whether sanlock can use
# nfs file systems.
# 
sanlock_use_nfs = false

#
# Determine whether sanlock can use
# cifs file systems.
# 
sanlock_use_samba = false

#
# Determine whether sasl can
# read shadow files.
# 
allow_saslauthd_read_shadow = false

#
# Determine whether smartmon can support
# devices on 3ware controllers.
# 
smartmon_3ware = false

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_smokeping_cgi_script_anon_write = false

#
# Determine whether spamassassin
# daemon or clients can use the
# network.
# 
spamassassin_can_network = false

#
# Determine whether spamd can manage
# generic user home content.
# 
spamd_enable_home_dirs = false

#
# Determine whether spamassassin
# can update the rules using the
# network.
# 
spamassassin_network_update = true

#
# Determine whether extra rules should
# be enabled to support rspamd.
# 
rspamd_spamd = false

#
# Determine whether execmem should be allowed
# Needed if LUA JIT is enabled for rspamd
# 
spamd_execmem = false

#
# Determine whether squid can
# connect to all TCP ports.
# 
squid_connect_any = false

#
# Determine whether squid can run
# as a transparent proxy.
# 
squid_use_tproxy = false

#
# Determine whether squid can use the
# pinger daemon (needs raw net access)
# 
squid_use_pinger = true

#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
allow_httpd_squid_script_anon_write = false

#
# allow host key based authentication
# 
allow_ssh_keysign = false

#
# Allow ssh logins as sysadm_r:sysadm_t
# 
ssh_sysadm_login = false

#
# Allow ssh to use gpg-agent
# 
ssh_use_gpg_agent = false

#
# Determine whether tftp can modify
# public files used for public file
# transfer services. Directories/Files must
# be labeled public_content_rw_t.
# 
tftp_anon_write = false

#
# Determine whether tftp can manage
# generic user home content.
# 
tftp_enable_homedir = false

#
# Determine whether tor can bind
# tcp sockets to all unreserved ports.
# 
tor_bind_all_unreserved_ports = false

#
# Determine whether varnishd can
# use the full TCP network.
# 
varnishd_connect_any = false

#
# Determine whether confined virtual guests
# can use serial/parallel communication ports.
# 
virt_use_comm = false

#
# Determine whether confined virtual guests
# can use executable memory and can make
# their stack executable.
# 
virt_use_execmem = false

#
# Determine whether confined virtual guests
# can use fuse file systems.
# 
virt_use_fusefs = false

#
# Determine whether confined virtual guests
# can use nfs file systems.
# 
virt_use_nfs = false

#
# Determine whether confined virtual guests
# can use cifs file systems.
# 
virt_use_samba = false

#
# Determine whether confined virtual guests
# can manage device configuration.
# 
virt_use_sysfs = false

#
# Determine whether confined virtual guests
# can use usb devices.
# 
virt_use_usb = false

#
# Determine whether confined virtual guests
# can interact with xserver.
# 
virt_use_xserver = false

#
# Determine whether confined virtual guests
# can use vfio for pci device pass through (vt-d).
# 
virt_use_vfio = false

#
# Determine whether confined virtual guests
# can use input devices via evdev pass through.
# 
virt_use_evdev = false

#
# Allows the X server to use TCP/IP
# networking functionality (insecure).
# 
xserver_can_network = false

#
# Allows the X display manager to use
# TCP/IP networking functionality (insecure).
# 
xserver_xdm_can_network = false

#
# Allow xdm logins as sysadm
# 
xdm_sysadm_login = false

#
# Allows clients to write to the X server shared
# memory segments.
# 
allow_write_xshm = false

#
# Allows clients to write to the X server tmpfs
# files.
# 
xserver_client_writes_xserver_tmpfs = false

#
# Use gnome-shell in gdm mode as the
# X Display Manager (XDM)
# 
xserver_gnome_xdm = false

#
# Support X userspace object manager
# 
xserver_object_manager = false

#
# Allow DRI access
# 
xserver_allow_dri = false

#
# Determine whether zabbix can
# connect to all TCP ports
# 
zabbix_can_network = false

#
# Determine whether zebra daemon can
# manage its configuration files.
# 
allow_zebra_write_config = false

#
# Allow PAM usage.  If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
# 
authlogin_pam = true

#
# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
# 
authlogin_nsswitch_use_ldap = false

#
# Enable support for upstart as the init program.
# 
init_upstart = false

#
# Enable systemd to create mountpoints.
# 
init_create_mountpoints = false

#
# Allow all daemons the ability to read/write terminals
# 
init_daemons_use_tty = false

#
# Enable systemd to mount on all non-security files.
# 
init_mounton_non_security = false

#
# Allow racoon to read shadow
# 
racoon_read_shadow = false

#
# Allows syslogd internet domain sockets
# functionality (dangerous).
# 
logging_syslog_can_network = false

#
# Allow the mount command to mount any directory or file.
# 
allow_mount_anyfile = false

#
# Determine whether DHCP client
# can manage samba
# 
dhcpc_manage_samba = false

#
# Enable support for systemd-tmpfiles to manage all non-security files.
# 
systemd_tmpfiles_manage_all = false

#
# Allow systemd-networkd to run its DHCPd server component
# 
systemd_networkd_dhcp_server = false

#
# Allow systemd-nspawn to create a labelled namespace with the same types
# as parent environment
# 
systemd_nspawn_labeled_namespace = false

#
# Allow systemd-logind to interact with the bootloader (read which one is
# installed on fixed disks, enumerate entries for dbus property
# BootLoaderEntries, etc.)
# 
systemd_logind_get_bootloader = false

#
# Allow systemd-socket-proxyd to bind any port instead of one labelled
# with systemd_socket_proxyd_port_t.
# 
systemd_socket_proxyd_bind_any = false

#
# Allow systemd-socket-proxyd to connect to any port instead of
# labelled ones.
# 
systemd_socket_proxyd_connect_any = false

#
# Determine whether tmpfiles can manage
# all non-security sensitive resources.
# Without this, it is only allowed rights towards
# /run, /tmp, /dev and /var/lock.
# 
tmpfiles_manage_all_non_security = true

#
# Allow users to connect to mysql
# 
allow_user_mysql_connect = false

#
# Allow users to connect to PostgreSQL
# 
allow_user_postgresql_connect = false

#
# Allow all users to send syslog messages
# 
user_all_users_send_syslog = true

#
# Allow regular users direct mouse access
# 
user_direct_mouse = false

#
# Allow users to read system messages.
# 
user_dmesg = false

#
# Allow user to r/w files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
# 
user_rw_noexattrfile = false

#
# Allow user to execute files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
# 
user_exec_noexattrfile = false

#
# Allow user to write files on removable
# devices (e.g. external USB memory
# devices or floppies)
# 
user_write_removable = false

#
# Allow w to display everyone
# 
user_ttyfile_stat = false

#
# Determine whether xend can
# run blktapctrl and tapdisk.
# 
xend_run_blktap = false

#
# Determine whether xen can
# use fusefs file systems.
# 
xen_use_fusefs = false

#
# Determine whether xen can
# use nfs file systems.
# 
xen_use_nfs = false

#
# Determine whether xen can
# use samba file systems.
# 
xen_use_samba = false

#
# Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
# 
allow_execheap = false

#
# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
# 
allow_execmem = false

#
# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
# 
allow_execmod = false

#
# Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
# 
allow_execstack = false

#
# Allow raw memory device (/dev/mem, /dev/kmem, /dev/mergemem,
# dev/oldmem, /dev/port) access for confined executables.  This is
# extremely dangerous as it can bypass the SELinux protections, and
# should only be used by trusted domains.
# 
allow_raw_memory_access = false

#
# Enable polyinstantiated directory support.
# 
allow_polyinstantiation = false

#
# Allow system to run with NIS
# 
allow_ypbind = false

#
# Allow logging in and using the system from /dev/console.
# 
console_login = true

#
# Enable reading of urandom for all domains.
# 
# 
# 
# 
# This should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection.  All domains will
# be allowed to read from /dev/urandom.
# 
global_ssp = false

#
# Allow email client to various content.
# nfs, samba, removable devices, and user temp
# files
# 
mail_read_content = false

#
# Allow any files/directories to be exported read/write via NFS.
# 
nfs_export_all_rw = false

#
# Allow any files/directories to be exported read/only via NFS.
# 
nfs_export_all_ro = false

#
# Support NFS home directories
# 
use_nfs_home_dirs = false

#
# Support SAMBA home directories
# 
use_samba_home_dirs = false

#
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users)  disabling this forces FTP passive mode
# and may change other protocols.
# 
user_tcp_server = false

#
# Allow users to run UDP servers (bind to ports and accept connection from
# the same domain and outside users)
# 
user_udp_server = false

#
# Allow mozilla to read generic user content (i.e. content that is not specific to an application).
# 
mozilla_read_generic_user_content = true

#
# Allow mozilla to read all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory).
# 
mozilla_read_all_user_content = false

#
# Allow mozilla to manage generic user content (i.e. content that is not specific to an application).
# 
mozilla_manage_generic_user_content = false

#
# Allow mozilla to manage all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory).
# 
mozilla_manage_all_user_content = false

#
# Allow chromium to read generic user content (i.e. content that is not specific to an application).
# 
chromium_read_generic_user_content = true

#
# Allow chromium to read all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory).
# 
chromium_read_all_user_content = false

#
# Allow chromium to manage generic user content (i.e. content that is not specific to an application).
# 
chromium_manage_generic_user_content = false

#
# Allow chromium to manage all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory).
# 
chromium_manage_all_user_content = false

#
# Allow mutt to read generic user content (i.e. content that is not specific to an application).
# 
mutt_read_generic_user_content = true

#
# Allow mutt to read all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory).
# 
mutt_read_all_user_content = false

#
# Allow mutt to manage generic user content (i.e. content that is not specific to an application).
# 
mutt_manage_generic_user_content = false

#
# Allow mutt to manage all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory).
# 
mutt_manage_all_user_content = false

#
# Allow thunderbird to read generic user content (i.e. content that is not specific to an application).
# 
thunderbird_read_generic_user_content = true

#
# Allow thunderbird to read all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory).
# 
thunderbird_read_all_user_content = false

#
# Allow thunderbird to manage generic user content (i.e. content that is not specific to an application).
# 
thunderbird_manage_generic_user_content = false

#
# Allow thunderbird to manage all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory).
# 
thunderbird_manage_all_user_content = false