Determine whether ABRT can modify public files used for public file transfer services.
Determine whether ABRT can run in the abrt_handle_event_t domain to handle ABRT event scripts.
Determine whether abrt-handle-upload can modify public files used for public file transfer services in /var/spool/abrt-upload/.
Control if AIDE can mmap files. AIDE can be compiled with the option 'with-mmap' in which case it will attempt to mmap files while running.
Determine whether cvs can read shadow password files.
Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
Determine whether ftpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether ftpd can login to local users and can read and write all files on the system, governed by DAC.
Determine whether ftpd can use CIFS used for public file transfer services.
Determine whether ftpd can use NFS used for public file transfer services.
Determine whether gssd can read generic user temporary content.
Determine whether gssd can write generic user temporary content.
Determine whether httpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether httpd can use mod_auth_pam.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether java can make its stack executable.
Determine whether kerberos is supported.
Allow the mount command to mount any directory or file.
Determine whether mplayer can make its stack executable.
Determine whether nfs can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Enable polyinstantiated directory support.
Allow raw memory device (/dev/mem, /dev/kmem, /dev/mergemem, dev/oldmem, /dev/port) access for confined executables. This is extremely dangerous as it can bypass the SELinux protections, and should only be used by trusted domains.
Determine whether rsync can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether sasl can read shadow files.
Determine whether samba can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Allow users to connect to mysql
Allow users to connect to PostgreSQL
Allows clients to write to the X server shared memory segments.
Allow system to run with NIS
Determine whether zebra daemon can manage its configuration files.
Determine whether amavis can use JIT compiler.
Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
Determine whether awstats can purge httpd log files.
Determine whether boinc can execmem/execstack.
Determine whether cdrecord can read various content. nfs, samba, removable devices, user temp and untrusted content files
Determine whether additional rules should be enabled to support acme.sh
Allow chromium to bind to tcp ports
Although not needed for regular browsing, some chrome extensions need to bind to tcp ports and accept connections.
Allow chromium to access direct rendering interface
Needed for good performance on complex sites
Grant the chromium domains manage rights on all user content
Grant the chromium domains manage rights on generic user content
Grant the chromium domains read access to all user content
Grant the chromium domains read access to generic user content
Allow chromium to read system information
Although not needed for regular browsing, this will allow chromium to update its own memory consumption based on system state, support additional debugging, detect specific devices, etc.
Allow chromium to read/write USB devices
Although not needed for regular browsing, used for debugging over usb or using FIDO U2F tokens.
Determine whether chronyd can access NIC hardware timestamping features
Determine whether clamscan can read all non-security files.
Determine whether clamscan can read user content files.
Determine whether can clamd use JIT compiler.
Determine whether Cobbler can modify public files used for public file transfer services.
Determine whether Cobbler can connect to the network using TCP.
Determine whether Cobbler can access cifs file systems.
Determine whether Cobbler can access nfs file systems.
Determine whether collectd can connect to the network using TCP.
Determine whether Condor can connect to the network using TCP.
Allow logging in and using the system from /dev/console.
Allow containers to manage cgroups. This is required for systemd to run inside containers.
Allow containers to manage all read-writable public content.
Allow container engines to mount on all non-security files.
Allow containers to read all public content.
Allow containers to use eCryptfs filesystems.
Allow containers to use NFS filesystems.
Allow containers to use CIFS filesystems.
Determine whether system cron jobs can relabel filesystem for restoring file contexts.
Grant the cryfs domains manage rights on all user content
Grant the cryfs domains manage rights on generic user content
Grant the cryfs domains read access to all user content
Grant the cryfs domains read access to generic user content
Allows legacy ld_so for old printer filters
Determine whether dbadm can manage generic user files.
Determine whether dbadm can read generic user files.
Allow dbus-daemon system bus to to run systemd transient units. This is used by dbus-broker for dbus-activated services when the unit file for the service does not exist.
Enable additional rules to support using dbus-broker as the dbus-daemon system bus.
Allow dbus-daemon system bus to access /dev/net/tun which is needed to pass tun/tap device file descriptors over D-Bus. This is needed by openvpn3-linux.
Determine whether DHCP client can manage samba
Determine whether DHCP daemon can use LDAP backends.
Determine whether dovecot can connect to databases.
Determine whether entropyd can use audio devices as the source for the entropy feeds.
Grant the evolution domains manage rights on all user content
Grant the evolution domains manage rights on generic user content
Allow evolution to create and write user certificates in addition to being able to read them
Grant the evolution domains read access to all user content
Grant the evolution domains read access to generic user content
Determine whether exim can connect to databases.
Determine whether exim can create, read, write, and delete generic user content files.
Determine whether exim can read generic user content files.
Grant the firstboot domains manage rights on all user content
Grant the firstboot domains manage rights on generic user content
Grant the firstboot domains read access to all user content
Grant the firstboot domains read access to generic user content
Determine whether ftpd can read and write files in user home directories.
Determine whether ftpd can connect to all unreserved ports.
Determine whether ftpd can connect to databases over the TCP network.
Determine whether ftpd can bind to all unreserved ports for passive mode.
Determine whether Git CGI can search home directories.
Determine whether Git CGI can access cifs file systems.
Determine whether Git CGI can access nfs file systems.
Determine whether Git client domains can manage all user home content, including application-specific data.
Determine whether Git session daemon can bind TCP sockets to all unreserved ports.
Determine whether Git session daemons can send syslog messages.
Determine whether calling user domains can execute Git daemon in the git_session_t domain.
Determine whether Git system daemon can search home directories.
Determine whether Git system daemon can access cifs file systems.
Determine whether Git system daemon can access nfs file systems.
Determine whether Gitosis can send mail.
Enable reading of urandom for all domains.
This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.
Allow the gluster daemon to automatically add and remove file contexts from the local SELinux policy when adding and removing bricks.
Determine whether GPG agent can manage generic user home content files. This is required by the --write-env-file option.
Determine whether GPG agent can use OpenPGP cards or Yubikeys over USB
Grant the gpg domains manage rights on all user content
Grant the gpg domains manage rights on generic user content
Grant the gpg domains read access to all user content
Grant the gpg domains read access to generic user content
Determine whether guest can configure network manager.
Determine whether httpd can use built in scripting.
Determine whether httpd can check spam.
Determine whether httpd scripts and modules can connect to the network using TCP.
Determine whether httpd scripts and modules can connect to cobbler over the network.
Determine whether scripts and modules can connect to databases over the network.
Determine whether httpd can connect to ldap over the network.
Determine whether httpd can connect to memcache server over the network.
Determine whether httpd daemon can connect to zabbix over the network.
Determine whether httpd can act as a relay.
Determine whether httpd can send mail.
Determine whether httpd can communicate with avahi service via dbus.
Determine whether httpd can use support.
Determine whether httpd can act as a FTP server by listening on the ftp port.
Determine whether httpd can traverse user home directories.
Determine whether httpd scripts and modules can use execmem and execstack.
Determine whether httpd gpg can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether httpd can connect to port 80 for graceful shutdown.
Determine whether httpd can manage IPA content files.
Determine whether httpd can use mod_auth_ntlm_winbind.
Determine whether httpd can read generic user home content files.
Determine whether httpd can change its resource limits.
Determine whether httpd can run SSI executables in the same domain as system CGI scripts.
Determine whether httpd can execute its temporary content.
Determine whether httpd can communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.
Determine whether httpd can have full access to its content types.
Determine whether httpd can use cifs file systems.
Determine whether httpd can use fuse file systems.
Determine whether httpd can use nfs file systems.
Grant the i18n_input domains read access to generic user content
Determine whether icecast can listen on and connect to any TCP port.
Enable systemd to create mountpoints.
Allow all daemons the ability to read/write terminals
Enable systemd to mount on all non-security files.
Enable support for upstart as the init program.
Grant the irc domains manage rights on all user content
Grant the irc domains manage rights on generic user content
Grant the irc domains read access to all user content
Grant the irc domains read access to generic user content
Determine whether irc clients can listen on and connect to any unreserved TCP ports.
Grant the java domains manage rights on all user content
Grant the java domains manage rights on generic user content
Grant the java domains read access to all user content
Grant the java domains read access to generic user content
Determine whether libmtp can read and manage the user home directories and files.
Determine whether logwatch can connect to mail over the network.
Allow email client to various content. nfs, samba, removable devices, and user temp files
Determine whether Matrixd is allowed to federate (bind all UDP ports and connect to all TCP ports).
Determine whether Matrixd can connect to the Postgres database.
Determine whether mcelog supports client mode.
Determine whether mcelog can execute scripts.
Determine whether mcelog can use all the user ttys.
Determine whether mcelog supports server mode.
Determine whether minidlna can read generic user content.
Control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Allow monit to start/stop services
Determine whether mozilla can make its stack executable.
Grant the mozilla domains manage rights on all user content
Grant the mozilla domains manage rights on generic user content
Grant the mozilla domains read access to all user content
Grant the mozilla domains read access to generic user content
Determine whether mpd can traverse user home directories.
Determine whether mpd can use cifs file systems.
Determine whether mpd can use nfs file systems.
Grant the mplayer domains manage rights on all user content
Grant the mplayer domains manage rights on generic user content
Grant the mplayer_mencoder domains manage rights on all user content
Grant the mplayer_mencoder domains manage rights on generic user content
Grant the mplayer_mencoder domains read access to all user content
Grant the mplayer_mencoder domains read access to generic user content
Grant the mplayer domains read access to all user content
Grant the mplayer domains read access to generic user content
Determine whether mysqld can connect to all TCP ports.
Determine whether Bind can bind tcp socket to http ports.
Determine whether Bind can write to master zone files. Generally this is used for dynamic DNS or zone transfers.
Allow any files/directories to be exported read/only via NFS.
Allow any files/directories to be exported read/write via NFS.
Determine whether confined applications can use nscd shared memory.
Determine whether obfs4proxy can bind tcp sockets to all unreserved ports.
Determine whether obfs4proxy can bind tcp sockets to all http ports.
Determine whether openoffice writer can send emails directly (print to email). This is different from the functionality of sending emails through external clients which is always enabled.
Determine whether openoffice can download software updates from the network (application and/or extensions).
Grant the openoffice domains manage rights on all user content
Grant the openoffice domains manage rights on generic user content
Grant the openoffice domains read access to all user content
Grant the openoffice domains read access to generic user content
Determine whether openvpn can connect to the TCP network.
Determine whether openvpn can read generic user home content files.
Allow pacemaker to start/stop services
Determine whether portage can use nfs filesystems.
Determine whether postfix local can manage mail spool content.
Grant the postfix domains manage rights on all user content
Grant the postfix domains manage rights on generic user content
Grant the postfix domains read access to all user content
Grant the postfix domains read access to generic user content
Determine whether pppd can load kernel modules.
Determine whether common users can run pppd with a domain transition.
Determine whether privoxy can connect to all tcp ports.
Allow pulseaudio to execute code in writable memory
Determine whether puppet can manage all non-security files.
Determine whether qemu has full access to the network.
Determine whether rkhunter can connect to http ports. This is required by the --update option.
Determine whether extra rules should be enabled to support rspamd.
Determine whether rsync can run as a client
Determine whether rsync can export all content read only.
Determine whether rsync can use cifs file systems.
Determine whether rsync can use fuse file systems.
Determine whether rsync can use nfs file systems.
Determine whether samba can create home directories via pam.
Determine whether samba can act as the domain controller, add users, groups and change passwords.
Determine whether samba can share users home directories.
Determine whether samba can share any content read only.
Determine whether samba can share any content readable and writable.
Determine whether samba can act as a portmapper.
Determine whether smbd_t can read shadow files.
Determine whether samba can run unconfined scripts.
Determine whether samba can use fuse file systems.
Determine whether samba can use nfs file systems.
Determine whether sanlock can use nfs file systems.
Determine whether sanlock can use cifs file systems.
Allow unprived users to execute DDL statement
Allow transmit client label to foreign database
Allow database admins to execute DML statement
Determine whether sftpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether sftpd-can read and write files in user home directories.
Determine whether sftpd-can login to local users and read and write all files on the system, governed by DAC.
Determine whether sftpd can read and write files in user ssh home directories.
Determine whether the user application exec domain attribute should be respected for shutdown access. If not enabled, only user domains themselves may use shutdown.
Determine whether smartmon can support devices on 3ware controllers.
Determine whether spamassassin clients can use the network.
Determine whether spamd can manage generic user home content.
Determine whether squid can connect to all TCP ports.
Determine whether squid can use the pinger daemon (needs raw net access)
Determine whether squid can run as a transparent proxy.
Determine whether the user application exec domain attribute should be respected for su access. If not enabled, only user domains themselves may use su.
Determine whether all sudo domains can connect to TCP HTTP ports. This is needed if an additional authentication mechanism via an HTTP server is required for users to use sudo.
Determine whether the user application exec domain attribute should be respected for sudo access. If not enabled, only user domains themselves may use sudo.
Grant the syncthing domains manage rights on all user content
Grant the syncthing domains manage rights on generic user content
Grant the syncthing domains read access to all user content
Grant the syncthing domains read access to generic user content
Allow systemd-logind to interact with the bootloader (read which one is installed on fixed disks, enumerate entries for dbus property BootLoaderEntries, etc.)
Allow systemd-networkd to run its DHCPd server component
Allow systemd-nspawn to create a labelled namespace with the same types as parent environment
Allow systemd-socket-proxyd to bind any port instead of one labelled with systemd_socket_proxyd_port_t.
Allow systemd-socket-proxyd to connect to any port instead of labelled ones.
Enable support for systemd-tmpfiles to manage all non-security files.
Determine whether telepathy connection managers can connect to any port.
Determine whether telepathy connection managers can connect to generic tcp ports.
Determine whether tftp can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Determine whether tftp can manage generic user home content.
Grant the thunderbird domains manage rights on all user content
Grant the thunderbird domains manage rights on generic user content
Grant the thunderbird domains read access to all user content
Grant the thunderbird domains read access to generic user content
Determine whether tor can bind tcp sockets to all unreserved ports.
Determine whether authorized users can control the daemon, which requires usbguard-daemon to be able modify its rules in /etc/usbguard.
Determine whether to support lpd server.
Support NFS home directories
Support SAMBA home directories
Allow regular users direct mouse access
Allow user to execute files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols.
Allow users to run UDP servers (bind to ports and accept connection from the same domain and outside users)
Allow user to write files on removable devices (e.g. external USB memory devices or floppies)
Determine whether varnishd can use the full TCP network.
Determine whether attempts by vbetool to mmap low regions should be silently blocked.
Determine whether confined virtual guests can use serial/parallel communication ports.
Determine whether confined virtual guests can use input devices via evdev pass through.
Determine whether confined virtual guests can use executable memory and can make their stack executable.
Determine whether confined virtual guests can use fuse file systems.
Determine whether confined virtual guests can use nfs file systems.
Determine whether confined virtual guests can use cifs file systems.
Determine whether confined virtual guests can manage device configuration.
Determine whether confined virtual guests can use usb devices.
Determine whether confined virtual guests can use vfio for pci device pass through (vt-d).
Determine whether confined virtual guests can interact with xserver.
Determine whether webadm can manage generic user files.
Determine whether webadm can read generic user files.
Determine whether attempts by wine to mmap low regions should be silently blocked.
Grant the wireshark domains manage rights on all user content
Grant the wireshark domains manage rights on generic user content
Grant the wireshark domains read access to all user content
Grant the wireshark domains read access to generic user content
Grant the window manager domains write access to xdg data
Determine whether xen can use fusefs file systems.
Determine whether xen can use nfs file systems.
Determine whether xen can use samba file systems.
Determine whether xend can run blktapctrl and tapdisk.
Determine whether xguest can configure network manager.
Determine whether xguest can mount removable media.
Determine whether xguest can use blue tooth devices.
Grant the xscreensaver domains read access to generic user content
Use gnome-shell in gdm mode as the X Display Manager (XDM)