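#
# Default values for policy booleans.
# The names used here (secure_mode_policyload, sysadm_r:sysadm_t, default_t)
# indicate SELinux policy tunables - confirm which policy build or tool reads
# this file.
#
# Format: one "name = value" pair per line, value is true or false.
# Comments are full lines starting with '#'; a setting must sit on its own
# line, because anything following a '#' on the same line is comment text.
#
# NOTE(review): these are configured defaults. The state of a running system
# may differ; compare against `getsebool -a` when auditing.
#

#
# Enabling secure mode disallows programs, such as
# newrole, from transitioning to administrative
# user domains.
#
secure_mode = false

#
# Disable transitions to insmod.
#
secure_mode_insmod = false

#
# Boolean to determine whether the system permits loading policy, setting
# enforcing mode, and changing boolean values. Set this to true and you
# have to reboot to set it back.
#
secure_mode_policyload = false

#
# Allow cvs daemon to read shadow
# NOTE(review): this gives the daemon access to the local password hashes;
# leave false unless it must authenticate against local accounts.
#
allow_cvs_read_shadow = false

#
# Allow zebra daemon to write its configuration files
#
allow_zebra_write_config = false

#
# NOTE(review): the four allow_exec* booleans below relax memory-execution
# restrictions for every domain they cover. Keeping them false preserves a
# protection that limits the impact of memory-corruption bugs; enable one
# only for a named application that fails without it.
#

#
# Allow making the heap executable.
#
allow_execheap = false

#
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
#
allow_execmem = false

#
# Allow making a modified private file
# mapping executable (text relocation).
#
allow_execmod = false

#
# Allow making the stack executable via mprotect.
# Also requires allow_execmem.
#
allow_execstack = false

#
# Allow ftp servers to modify public files
# used for public file transfer services.
# NOTE(review): the *_anon_write booleans are expected to apply only to
# content labeled for public write (public_content_rw_t in current
# policies) - confirm the label used by this policy version.
#
allow_ftpd_anon_write = false

#
# Allow ftp servers to use cifs
# used for public file transfer services.
#
allow_ftpd_use_cifs = false

#
# Allow ftp servers to use nfs
# used for public file transfer services.
#
allow_ftpd_use_nfs = false

#
# Allow gssd to read temp directory.
# NOTE(review): one of only two booleans enabled in this file. Presumably
# needed so gssd can read credential caches kept in the temp directory -
# confirm it is still required.
#
allow_gssd_read_tmp = true

#
# Allow Apache to modify public files
# used for public file transfer services.
#
allow_httpd_anon_write = false

#
# Allow Apache to use mod_auth_pam
#
allow_httpd_mod_auth_pam = false

#
# Allow java executable stack
#
allow_java_execstack = false

#
# Allow system to run with kerberos
#
allow_kerberos = false

#
# Allow nfs servers to modify public files
# used for public file transfer services.
#
allow_nfsd_anon_write = false

#
# Allow rsync to modify public files
# used for public file transfer services.
#
allow_rsync_anon_write = false

#
# Allow sasl to read shadow
# NOTE(review): this gives the daemon access to the local password hashes;
# leave false unless it must authenticate against local accounts.
#
allow_saslauthd_read_shadow = false

#
# Allow samba to modify public files
# used for public file transfer services.
#
allow_smbd_anon_write = false

#
# Allow system to run with NIS
#
allow_ypbind = false

#
# Enable extra rules in the cron domain
# to support fcron.
#
fcron_crond = false

#
# Allow ftp to read and write files in the user home directories
#
ftp_home_dir = false

#
# Allow ftpd to run directly without inetd
#
ftpd_is_daemon = false

#
# Enable reading of urandom for all domains.
#
# This should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection. All domains will
# be allowed to read from /dev/urandom.
#
global_ssp = false

#
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = false

#
# Allow http daemon to tcp connect
# NOTE(review): with this enabled, a compromised web application can open
# outbound TCP connections. Where only database or relay access is needed,
# prefer the narrower httpd_can_network_connect_db / httpd_can_network_relay.
#
httpd_can_network_connect = false

#
# Allow httpd to connect to mysql/postgresql
#
httpd_can_network_connect_db = false

#
# Allow httpd to act as a relay
#
httpd_can_network_relay = false

#
# Allow httpd cgi support
#
httpd_enable_cgi = false

#
# Allow httpd to act as a FTP server by
# listening on the ftp port.
#
httpd_enable_ftp_server = false

#
# Allow httpd to read home directories
#
httpd_enable_homedirs = false

#
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false

#
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false

#
# Run CGI in the main httpd domain
# NOTE(review): when true, CGI scripts are not separated from the server
# itself, so a flaw in a script has the server's full access.
#
httpd_unified = false

#
# Allow BIND to write the master zone files.
# Generally this is used for dynamic DNS.
#
named_write_master_zones = false

#
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = false

#
# Allow nfs to be exported read only
#
nfs_export_all_ro = false

#
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false

#
# Allow reading of default_t files.
#
read_default_t = false

#
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false

#
# Allow samba to export NFS volumes.
#
samba_share_nfs = false

#
# Allow squid to connect to all ports, not just
# HTTP, FTP, and Gopher ports.
#
squid_connect_any = false

#
# Configure stunnel to be a standalone daemon or
# inetd service.
#
stunnel_is_daemon = false

#
# Support NFS home directories
#
use_nfs_home_dirs = false

#
# Support SAMBA home directories
#
use_samba_home_dirs = false

#
# Control users' use of ping and traceroute
#
user_ping = false

#
# Allow gpg executable stack
#
allow_gpg_execstack = false

#
# Allow mplayer executable stack
#
allow_mplayer_execstack = false

#
# Allow sysadm to ptrace all processes
# NOTE(review): ptrace exposes the memory of the traced process, including
# any secrets it holds; enable only for the duration of a debugging task.
#
allow_ptrace = false

#
# Allow host key based authentication
#
allow_ssh_keysign = false

#
# Allow users to connect to mysql
#
allow_user_mysql_connect = false

#
# Allows clients to write to the X server shared
# memory segments.
#
allow_write_xshm = false

#
# Allow cdrecord to read various content.
# nfs, samba, removable devices, user temp
# and untrusted content files
#
cdrecord_read_content = false

#
# Allow system cron jobs to relabel filesystem
# for restoring file contexts.
#
cron_can_relabel = false

#
# Force games to run in user_t
# (no transition to a separate games domain).
#
disable_games_trans = false

#
# Disable transitions to evolution domains.
#
disable_evolution_trans = false

#
# Disable transitions to user mozilla domains
#
disable_mozilla_trans = false

#
# Disable transitions to user thunderbird domains
#
disable_thunderbird_trans = false

#
# Allow email client to read various content.
# nfs, samba, removable devices, user temp
# and untrusted content files
#
mail_read_content = false

#
# Control mozilla content access
#
mozilla_read_content = false

#
# Allow pppd to be run for a regular user
#
pppd_for_user = false

#
# Allow applications to read untrusted content
# If this is disallowed, Internet content has
# to be manually relabeled for read access to be granted
#
read_untrusted_content = false

#
# Allow ssh to run from inetd instead of as a daemon.
#
run_ssh_inetd = false

#
# Allow user spamassassin clients to use the network.
#
spamassassin_can_network = false

#
# Allow ssh logins as sysadm_r:sysadm_t
# NOTE(review): keeping this false means a remote login starts in a less
# privileged role and administrative access needs an explicit role change.
#
ssh_sysadm_login = false

#
# Allow staff_r users to search the sysadm home
# dir and read files (such as ~/.bashrc)
#
staff_read_sysadm_file = false

#
# Allow regular users direct mouse access
#
user_direct_mouse = false

#
# Allow users to read system messages.
#
user_dmesg = false

#
# Allow users to control network interfaces
# (also needs USERCTL=true)
#
user_net_control = false

#
# Allow user to r/w files on filesystems
# that do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false

#
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols.
#
user_tcp_server = false

#
# Allow w to display everyone
#
user_ttyfile_stat = false

#
# Allow applications to write untrusted content
# If this is disallowed, no Internet content
# will be stored.
#
write_untrusted_content = false

#
# Allow xdm logins as sysadm
# NOTE(review): same consideration as ssh_sysadm_login - when false, a
# graphical login cannot start directly in the administrative role.
#
xdm_sysadm_login = false

#
# Allow all daemons the ability to use unallocated ttys
#
allow_daemons_use_tty = false

#
# Allow mount to mount any file
#
allow_mount_anyfile = false

#
# Allow spamd to read/write user home directories.
# NOTE(review): one of only two booleans enabled in this file. It gives a
# daemon that processes untrusted mail read/write access to user home
# directories - confirm this is required (e.g. for per-user preferences)
# and set it to false otherwise.
#
spamd_enable_home_dirs = true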