Master tunable index:
Global
allow_console_login
(Default: false)
Allow direct login to the console device. Required for System 390
Module:
cvs
Layer:
services
allow_cvs_read_shadow
(Default: false)
Allow cvs daemon to read shadow
Module:
init
Layer:
system
allow_daemons_dump_core
(Default: false)
Allow all daemons to write corefiles to /
Module:
init
Layer:
system
allow_daemons_use_tty
(Default: false)
Allow all daemons the ability to read/write terminals
Module:
domain
Layer:
kernel
allow_domain_fd_use
(Default: true)
Allow all domains to use other domains file descriptors
Global
allow_execheap
(Default: false)
Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Global
allow_execmem
(Default: false)
Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
Global
allow_execmod
(Default: false)
Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
Global
allow_execstack
(Default: false)
Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
Module:
ftp
Layer:
services
allow_ftpd_anon_write
(Default: false)
Allow ftp servers to upload files, used for public file
transfer services. Directories must be labeled
public_content_rw_t.
Module:
ftp
Layer:
services
allow_ftpd_full_access
(Default: false)
Allow ftp servers to login to local users and
read/write all files on the system, governed by DAC.
Module:
ftp
Layer:
services
allow_ftpd_use_cifs
(Default: false)
Allow ftp servers to use cifs
used for public file transfer services.
Module:
ftp
Layer:
services
allow_ftpd_use_nfs
(Default: false)
Allow ftp servers to use nfs
used for public file transfer services.
Module:
rpc
Layer:
services
allow_gssd_read_tmp
(Default: true)
Allow gssd to read temp directory. For access to kerberos tgt.
Module:
apache
Layer:
services
allow_httpd_anon_write
(Default: false)
Allow Apache to modify public files
used for public file transfer services. Directories/Files must
be labeled public_content_rw_t.
Module:
apache
Layer:
services
allow_httpd_dbus_avahi
(Default: false)
Allow Apache to communicate with avahi service via dbus
Module:
apache
Layer:
services
allow_httpd_mod_auth_ntlm_winbind
(Default: false)
Allow Apache to use mod_auth_pam
Module:
apache
Layer:
services
allow_httpd_mod_auth_pam
(Default: false)
Allow Apache to use mod_auth_pam
Module:
apache
Layer:
services
allow_httpd_sys_script_anon_write
(Default: false)
Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
Module:
kerberos
Layer:
services
allow_kerberos
(Default: false)
Allow confined applications to run with kerberos.
Module:
mount
Layer:
system
allow_mount_anyfile
(Default: false)
Allow the mount command to mount any directory or file.
Module:
mplayer
Layer:
apps
allow_mplayer_execstack
(Default: false)
Allow mplayer executable stack
Module:
rpc
Layer:
services
allow_nfsd_anon_write
(Default: false)
Allow nfs servers to modify public files
used for public file transfer services. Files/Directories must be
labeled public_content_rw_t.
Module:
nsplugin
Layer:
apps
allow_nsplugin_execmem
(Default: false)
Allow nsplugin code to execmem/execstack
Global
allow_polyinstantiation
(Default: false)
Allow login programs to use polyinstantiated directories.
Module:
postfix
Layer:
services
allow_postfix_local_write_mail_spool
(Default: false)
Allow postfix_local domain full write access to mail_spool directories
Module:
sysadm
Layer:
roles
allow_ptrace
(Default: false)
Allow sysadm to debug or ptrace all processes.
Module:
xserver
Layer:
services
allow_read_x_device
(Default: true)
Allows X clients to read the x devices (keyboard/mouse)
Module:
rsync
Layer:
services
allow_rsync_anon_write
(Default: false)
Allow rsync to modify public files
used for public file transfer services. Files/Directories must be
labeled public_content_rw_t.
Module:
sasl
Layer:
services
allow_saslauthd_read_shadow
(Default: false)
Allow sasl to read shadow
Module:
samba
Layer:
services
allow_smbd_anon_write
(Default: false)
Allow samba to modify public files used for public file
transfer services. Files/Directories must be labeled
public_content_rw_t.
Module:
ssh
Layer:
services
allow_ssh_keysign
(Default: false)
allow host key based authentication
Module:
unconfined
Layer:
system
allow_unconfined_mmap_low
(Default: false)
Allow unconfined domain to map low memory in the kernel
Module:
unconfined
Layer:
system
allow_unconfined_nsplugin_transition
(Default: false)
Transition to confined nsplugin domains from unconfined user
Module:
unconfined
Layer:
system
allow_unconfined_qemu_transition
(Default: false)
Transition to confined qemu domains from unconfined user
Module:
userdomain
Layer:
system
allow_user_postgresql_connect
(Default: false)
Allow users to connect to PostgreSQL
Module:
xserver
Layer:
services
allow_write_xshm
(Default: false)
Allows clients to write to the X server shared
memory segments.
Module:
xserver
Layer:
services
allow_xserver_execmem
(Default: false)
Allows XServer to execute writable memory
Global
allow_ypbind
(Default: false)
Allow system to run with NIS
Module:
zebra
Layer:
services
allow_zebra_write_config
(Default: false)
Allow zebra daemon to write it configuration files
Module:
cdrecord
Layer:
apps
cdrecord_read_content
(Default: false)
Allow cdrecord to read various content.
nfs, samba, removable devices, user temp
and untrusted content files
Module:
exim
Layer:
services
exim_can_connect_db
(Default: false)
Allow exim to connect to databases (postgres, mysql)
Module:
exim
Layer:
services
exim_manage_user_files
(Default: false)
Allow exim to create, read, write, and delete
unprivileged user files.
Module:
exim
Layer:
services
exim_read_user_files
(Default: false)
Allow exim to read unprivileged user files.
Module:
cron
Layer:
services
fcron_crond
(Default: false)
Enable extra rules in the cron domain
to support fcron.
Module:
ftp
Layer:
services
ftp_home_dir
(Default: false)
Allow ftp to read and write files in the user home directories
Global
global_ssp
(Default: false)
Enable reading of urandom for all domains.
This should be enabled when all programs
are compiled with ProPolice/SSP
stack smashing protection. All domains will
be allowed to read from /dev/urandom.
Module:
gpg
Layer:
apps
gpg_agent_env_file
(Default: false)
Allow usage of the gpg-agent --write-env-file option.
This also allows gpg-agent to manage user files.
Module:
apache
Layer:
services
httpd_builtin_scripting
(Default: false)
Allow httpd to use built in scripting (usually php)
Module:
apache
Layer:
services
httpd_can_network_connect
(Default: false)
Allow HTTPD scripts and modules to connect to the network
Module:
apache
Layer:
services
httpd_can_network_connect_db
(Default: false)
Allow HTTPD scripts and modules to connect to databases over the network.
Module:
apache
Layer:
services
httpd_can_network_relay
(Default: false)
Allow httpd to act as a relay
Module:
apache
Layer:
services
httpd_can_sendmail
(Default: false)
Allow http daemon to send mail
Module:
apache
Layer:
services
httpd_enable_ftp_server
(Default: false)
Allow httpd to act as a FTP server by
listening on the ftp port.
Module:
apache
Layer:
services
httpd_enable_homedirs
(Default: false)
Allow httpd to read home directories
Module:
apache
Layer:
services
httpd_execmem
(Default: false)
Allow httpd scripts and modules execmem/execstack
Module:
apache
Layer:
services
httpd_ssi_exec
(Default: false)
Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
Module:
apache
Layer:
services
httpd_tty_comm
(Default: false)
Unify HTTPD to communicate with the terminal.
Needed for entering the passphrase for certificates at
the terminal.
Module:
apache
Layer:
services
httpd_unified
(Default: false)
Unify HTTPD handling of all content files.
Module:
apache
Layer:
services
httpd_use_cifs
(Default: false)
Allow httpd to access cifs file systems
Module:
apache
Layer:
services
httpd_use_nfs
(Default: false)
Allow httpd to access nfs file systems
Module:
init
Layer:
system
init_upstart
(Default: false)
Enable support for upstart as the init program.
Module:
bind
Layer:
services
named_write_master_zones
(Default: false)
Allow BIND to write the master zone files.
Generally this is used for dynamic DNS or zone transfers.
Global
nfs_export_all_ro
(Default: false)
Allow any files/directories to be exported read/only via NFS.
Global
nfs_export_all_rw
(Default: false)
Allow any files/directories to be exported read/write via NFS.
Module:
openvpn
Layer:
services
openvpn_enable_homedirs
(Default: false)
Allow openvpn service access to users home directories
Module:
ppp
Layer:
services
pppd_can_insmod
(Default: false)
Allow pppd to load kernel modules for certain modems
Module:
ppp
Layer:
services
pppd_for_user
(Default: false)
Allow pppd to be run for a regular user
Module:
qemu
Layer:
apps
qemu_full_network
(Default: false)
Allow qemu to connect fully to the network
Module:
qemu
Layer:
apps
qemu_use_cifs
(Default: true)
Allow qemu to use cifs/Samba file systems
Module:
qemu
Layer:
apps
qemu_use_nfs
(Default: true)
Allow qemu to use nfs file systems
Global
read_default_t
(Default: false)
Allow reading of default_t files.
Global
read_untrusted_content
(Default: false)
Allow applications to read untrusted content
If this is disallowed, Internet content has
to be manually relabeled for read access to be granted
Module:
rsync
Layer:
services
rsync_export_all_ro
(Default: false)
Allow rsync to export any files/directories read only.
Module:
samba
Layer:
services
samba_domain_controller
(Default: false)
Allow samba to act as the domain controller, add users,
groups and change passwords.
Module:
samba
Layer:
services
samba_enable_home_dirs
(Default: false)
Allow samba to share users home directories.
Module:
samba
Layer:
services
samba_export_all_ro
(Default: false)
Allow samba to share any file/directory read only.
Module:
samba
Layer:
services
samba_export_all_rw
(Default: false)
Allow samba to share any file/directory read/write.
Module:
samba
Layer:
services
samba_run_unconfined
(Default: false)
Allow samba to run unconfined scripts
Module:
samba
Layer:
services
samba_share_fusefs
(Default: false)
Allow samba to export ntfs/fusefs volumes.
Module:
samba
Layer:
services
samba_share_nfs
(Default: false)
Allow samba to export NFS volumes.
Module:
postgresql
Layer:
services
sepgsql_enable_users_ddl
(Default: true)
Allow unprived users to execute DDL statement
Module:
spamassassin
Layer:
services
spamassassin_can_network
(Default: false)
Allow user spamassassin clients to use the network.
Module:
spamassassin
Layer:
services
spamd_enable_home_dirs
(Default: true)
Allow spamd to read/write user home directories.
Module:
squid
Layer:
services
squid_connect_any
(Default: false)
Allow squid to connect to all ports, not just
HTTP, FTP, and Gopher ports.
Module:
ssh
Layer:
services
ssh_sysadm_login
(Default: false)
Allow ssh logins as sysadm_r:sysadm_t
Module:
tftp
Layer:
services
tftp_anon_write
(Default: false)
Allow tftp to modify public files
used for public file transfer services.
Module:
lpd
Layer:
services
use_lpd_server
(Default: false)
Use lpd server instead of cups
Global
use_nfs_home_dirs
(Default: false)
Support NFS home directories
Global
use_samba_home_dirs
(Default: false)
Support SAMBA home directories
Module:
userdomain
Layer:
system
user_direct_mouse
(Default: false)
Allow regular users direct mouse access
Module:
netutils
Layer:
admin
user_ping
(Default: false)
Control users use of ping and traceroute
Module:
userdomain
Layer:
system
user_rw_noexattrfile
(Default: false)
Allow user to r/w files on filesystems
that do not have extended attributes (FAT, CDROM, FLOPPY)
Global
user_tcp_server
(Default: false)
Allow users to run TCP servers (bind to ports and accept connection from
the same domain and outside users) disabling this forces FTP passive mode
and may change other protocols.
Module:
userdomain
Layer:
system
user_ttyfile_stat
(Default: false)
Allow w to display everyone
Module:
virt
Layer:
services
virt_use_nfs
(Default: false)
Allow virt to manage nfs files
Module:
virt
Layer:
services
virt_use_samba
(Default: false)
Allow virt to manage cifs files
Module:
webadm
Layer:
roles
webadm_manage_user_files
(Default: false)
Allow webadm to manage files in users home directories
Module:
webadm
Layer:
roles
webadm_read_user_files
(Default: false)
Allow webadm to read files in users home directories
Global
write_untrusted_content
(Default: false)
Allow applications to write untrusted content
If this is disallowed, no Internet content
will be stored.
Module:
xserver
Layer:
services
xdm_sysadm_login
(Default: false)
Allow xdm logins as sysadm
Module:
xen
Layer:
system
xen_use_nfs
(Default: false)
Allow xen to manage nfs files
Module:
xguest
Layer:
roles
xguest_connect_network
(Default: false)
Allow xguest to configure Network Manager
Module:
xguest
Layer:
roles
xguest_mount_media
(Default: false)
Allow xguest users to mount removable media
Module:
xguest
Layer:
roles
xguest_use_bluetooth
(Default: false)
Allow xguest to use blue tooth devices
Module:
xserver
Layer:
services
xserver_object_manager
(Default: false)
Support X userspace object manager