Master tunable index:

Global
allow_console_login (Default: false)

Allow direct login to the console device. Required for System 390

Module: cvs

Layer: services

allow_cvs_read_shadow (Default: false)

Allow cvs daemon to read shadow

Module: init

Layer: system

allow_daemons_dump_core (Default: false)

Allow all daemons to write corefiles to /

Module: init

Layer: system

allow_daemons_use_tty (Default: false)

Allow all daemons the ability to read/write terminals

Module: domain

Layer: kernel

allow_domain_fd_use (Default: true)

Allow all domains to use other domains file descriptors

Global
allow_execheap (Default: false)

Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

Global
allow_execmem (Default: false)

Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")

Global
allow_execmod (Default: false)

Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")

Global
allow_execstack (Default: false)

Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")

Module: ftp

Layer: services

allow_ftpd_anon_write (Default: false)

Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.

Module: ftp

Layer: services

allow_ftpd_full_access (Default: false)

Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.

Module: ftp

Layer: services

allow_ftpd_use_cifs (Default: false)

Allow ftp servers to use cifs used for public file transfer services.

Module: ftp

Layer: services

allow_ftpd_use_nfs (Default: false)

Allow ftp servers to use nfs used for public file transfer services.

Module: rpc

Layer: services

allow_gssd_read_tmp (Default: true)

Allow gssd to read temp directory. For access to kerberos tgt.

Module: apache

Layer: services

allow_httpd_anon_write (Default: false)

Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: apache

Layer: services

allow_httpd_dbus_avahi (Default: false)

Allow Apache to communicate with avahi service via dbus

Module: apache

Layer: services

allow_httpd_mod_auth_ntlm_winbind (Default: false)

Allow Apache to use mod_auth_pam

Module: apache

Layer: services

allow_httpd_mod_auth_pam (Default: false)

Allow Apache to use mod_auth_pam

Module: apache

Layer: services

allow_httpd_sys_script_anon_write (Default: false)

Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.

Module: kerberos

Layer: services

allow_kerberos (Default: false)

Allow confined applications to run with kerberos.

Module: mount

Layer: system

allow_mount_anyfile (Default: false)

Allow the mount command to mount any directory or file.

Module: mplayer

Layer: apps

allow_mplayer_execstack (Default: false)

Allow mplayer executable stack

Module: rpc

Layer: services

allow_nfsd_anon_write (Default: false)

Allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.

Module: nsplugin

Layer: apps

allow_nsplugin_execmem (Default: false)

Allow nsplugin code to execmem/execstack

Global
allow_polyinstantiation (Default: false)

Allow login programs to use polyinstantiated directories.

Module: postfix

Layer: services

allow_postfix_local_write_mail_spool (Default: false)

Allow postfix_local domain full write access to mail_spool directories

Module: sysadm

Layer: roles

allow_ptrace (Default: false)

Allow sysadm to debug or ptrace all processes.

Module: xserver

Layer: services

allow_read_x_device (Default: true)

Allows X clients to read the x devices (keyboard/mouse)

Module: rsync

Layer: services

allow_rsync_anon_write (Default: false)

Allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.

Module: sasl

Layer: services

allow_saslauthd_read_shadow (Default: false)

Allow sasl to read shadow

Module: samba

Layer: services

allow_smbd_anon_write (Default: false)

Allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.

Module: ssh

Layer: services

allow_ssh_keysign (Default: false)

allow host key based authentication

Module: unconfined

Layer: system

allow_unconfined_mmap_low (Default: false)

Allow unconfined domain to map low memory in the kernel

Module: unconfined

Layer: system

allow_unconfined_nsplugin_transition (Default: false)

Transition to confined nsplugin domains from unconfined user

Module: unconfined

Layer: system

allow_unconfined_qemu_transition (Default: false)

Transition to confined qemu domains from unconfined user

Module: userdomain

Layer: system

allow_user_postgresql_connect (Default: false)

Allow users to connect to PostgreSQL

Module: xserver

Layer: services

allow_write_xshm (Default: false)

Allows clients to write to the X server shared memory segments.

Module: xserver

Layer: services

allow_xserver_execmem (Default: false)

Allows XServer to execute writable memory

Global
allow_ypbind (Default: false)

Allow system to run with NIS

Module: zebra

Layer: services

allow_zebra_write_config (Default: false)

Allow zebra daemon to write it configuration files

Module: cdrecord

Layer: apps

cdrecord_read_content (Default: false)

Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files

Module: exim

Layer: services

exim_can_connect_db (Default: false)

Allow exim to connect to databases (postgres, mysql)

Module: exim

Layer: services

exim_manage_user_files (Default: false)

Allow exim to create, read, write, and delete unprivileged user files.

Module: exim

Layer: services

exim_read_user_files (Default: false)

Allow exim to read unprivileged user files.

Module: cron

Layer: services

fcron_crond (Default: false)

Enable extra rules in the cron domain to support fcron.

Module: ftp

Layer: services

ftp_home_dir (Default: false)

Allow ftp to read and write files in the user home directories

Global
global_ssp (Default: false)

Enable reading of urandom for all domains.

This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.

Module: gpg

Layer: apps

gpg_agent_env_file (Default: false)

Allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files.

Module: apache

Layer: services

httpd_builtin_scripting (Default: false)

Allow httpd to use built in scripting (usually php)

Module: apache

Layer: services

httpd_can_network_connect (Default: false)

Allow HTTPD scripts and modules to connect to the network

Module: apache

Layer: services

httpd_can_network_connect_db (Default: false)

Allow HTTPD scripts and modules to connect to databases over the network.

Module: apache

Layer: services

httpd_can_network_relay (Default: false)

Allow httpd to act as a relay

Module: apache

Layer: services

httpd_can_sendmail (Default: false)

Allow http daemon to send mail

Module: apache

Layer: services

httpd_enable_cgi (Default: false)

Allow httpd cgi support

Module: apache

Layer: services

httpd_enable_ftp_server (Default: false)

Allow httpd to act as a FTP server by listening on the ftp port.

Module: apache

Layer: services

httpd_enable_homedirs (Default: false)

Allow httpd to read home directories

Module: apache

Layer: services

httpd_execmem (Default: false)

Allow httpd scripts and modules execmem/execstack

Module: apache

Layer: services

httpd_ssi_exec (Default: false)

Allow HTTPD to run SSI executables in the same domain as system CGI scripts.

Module: apache

Layer: services

httpd_tty_comm (Default: false)

Unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.

Module: apache

Layer: services

httpd_unified (Default: false)

Unify HTTPD handling of all content files.

Module: apache

Layer: services

httpd_use_cifs (Default: false)

Allow httpd to access cifs file systems

Module: apache

Layer: services

httpd_use_nfs (Default: false)

Allow httpd to access nfs file systems

Module: init

Layer: system

init_upstart (Default: false)

Enable support for upstart as the init program.

Module: bind

Layer: services

named_write_master_zones (Default: false)

Allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.

Global
nfs_export_all_ro (Default: false)

Allow any files/directories to be exported read/only via NFS.

Global
nfs_export_all_rw (Default: false)

Allow any files/directories to be exported read/write via NFS.

Module: openvpn

Layer: services

openvpn_enable_homedirs (Default: false)

Allow openvpn service access to users home directories

Module: ppp

Layer: services

pppd_can_insmod (Default: false)

Allow pppd to load kernel modules for certain modems

Module: ppp

Layer: services

pppd_for_user (Default: false)

Allow pppd to be run for a regular user

Module: qemu

Layer: apps

qemu_full_network (Default: false)

Allow qemu to connect fully to the network

Module: qemu

Layer: apps

qemu_use_cifs (Default: true)

Allow qemu to use cifs/Samba file systems

Module: qemu

Layer: apps

qemu_use_nfs (Default: true)

Allow qemu to use nfs file systems

Global
read_default_t (Default: false)

Allow reading of default_t files.

Global
read_untrusted_content (Default: false)

Allow applications to read untrusted content If this is disallowed, Internet content has to be manually relabeled for read access to be granted

Module: rsync

Layer: services

rsync_export_all_ro (Default: false)

Allow rsync to export any files/directories read only.

Module: samba

Layer: services

samba_domain_controller (Default: false)

Allow samba to act as the domain controller, add users, groups and change passwords.

Module: samba

Layer: services

samba_enable_home_dirs (Default: false)

Allow samba to share users home directories.

Module: samba

Layer: services

samba_export_all_ro (Default: false)

Allow samba to share any file/directory read only.

Module: samba

Layer: services

samba_export_all_rw (Default: false)

Allow samba to share any file/directory read/write.

Module: samba

Layer: services

samba_run_unconfined (Default: false)

Allow samba to run unconfined scripts

Module: samba

Layer: services

samba_share_fusefs (Default: false)

Allow samba to export ntfs/fusefs volumes.

Module: samba

Layer: services

samba_share_nfs (Default: false)

Allow samba to export NFS volumes.

Module: postgresql

Layer: services

sepgsql_enable_users_ddl (Default: true)

Allow unprived users to execute DDL statement

Module: spamassassin

Layer: services

spamassassin_can_network (Default: false)

Allow user spamassassin clients to use the network.

Module: spamassassin

Layer: services

spamd_enable_home_dirs (Default: true)

Allow spamd to read/write user home directories.

Module: squid

Layer: services

squid_connect_any (Default: false)

Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.

Module: ssh

Layer: services

ssh_sysadm_login (Default: false)

Allow ssh logins as sysadm_r:sysadm_t

Module: tftp

Layer: services

tftp_anon_write (Default: false)

Allow tftp to modify public files used for public file transfer services.

Module: lpd

Layer: services

use_lpd_server (Default: false)

Use lpd server instead of cups

Global
use_nfs_home_dirs (Default: false)

Support NFS home directories

Global
use_samba_home_dirs (Default: false)

Support SAMBA home directories

Module: userdomain

Layer: system

user_direct_mouse (Default: false)

Allow regular users direct mouse access

Module: netutils

Layer: admin

user_ping (Default: false)

Control users use of ping and traceroute

Module: userdomain

Layer: system

user_rw_noexattrfile (Default: false)

Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

Global
user_tcp_server (Default: false)

Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols.

Module: userdomain

Layer: system

user_ttyfile_stat (Default: false)

Allow w to display everyone

Module: virt

Layer: services

virt_use_nfs (Default: false)

Allow virt to manage nfs files

Module: virt

Layer: services

virt_use_samba (Default: false)

Allow virt to manage cifs files

Module: webadm

Layer: roles

webadm_manage_user_files (Default: false)

Allow webadm to manage files in users home directories

Module: webadm

Layer: roles

webadm_read_user_files (Default: false)

Allow webadm to read files in users home directories

Global
write_untrusted_content (Default: false)

Allow applications to write untrusted content If this is disallowed, no Internet content will be stored.

Module: xserver

Layer: services

xdm_sysadm_login (Default: false)

Allow xdm logins as sysadm

Module: xen

Layer: system

xen_use_nfs (Default: false)

Allow xen to manage nfs files

Module: xguest

Layer: roles

xguest_connect_network (Default: false)

Allow xguest to configure Network Manager

Module: xguest

Layer: roles

xguest_mount_media (Default: false)

Allow xguest users to mount removable media

Module: xguest

Layer: roles

xguest_use_bluetooth (Default: false)

Allow xguest to use blue tooth devices

Module: xserver

Layer: services

xserver_object_manager (Default: false)

Support X userspace object manager