Master tunable index:

Module: abrt

Layer: services

abrt_anon_write (Default: false)

Determine whether ABRT can modify public files used for public file transfer services.

Module: abrt

Layer: services

abrt_handle_event (Default: false)

Determine whether ABRT can run in the abrt_handle_event_t domain to handle ABRT event scripts.

Module: abrt

Layer: services

abrt_upload_watch_anon_write (Default: true)

Determine whether abrt-handle-upload can modify public files used for public file transfer services in /var/spool/abrt-upload/.

Module: aide

Layer: admin

aide_mmap_files (Default: false)

Control if AIDE can mmap files. AIDE can be compiled with the option 'with-mmap' in which case it will attempt to mmap files while running.

Module: cvs

Layer: services

allow_cvs_read_shadow (Default: false)

Determine whether cvs can read shadow password files.

Global
allow_execheap (Default: false)

Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. It probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla.

Global
allow_execmem (Default: false)

Allow unconfined executables to map a memory region as both executable and writable. This is dangerous and the executable should be reported in bugzilla.

Global
allow_execmod (Default: false)

Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t.

Global
allow_execstack (Default: false)

Allow unconfined executables to make their stack executable. This should never, ever be necessary. It probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla.

Module: ftp

Layer: services

allow_ftpd_anon_write (Default: false)

Determine whether ftpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: ftp

Layer: services

allow_ftpd_full_access (Default: false)

Determine whether ftpd can log in local users and can read and write all files on the system, governed by DAC.

Module: ftp

Layer: services

allow_ftpd_use_cifs (Default: false)

Determine whether ftpd can use CIFS file systems for public file transfer services.

Module: ftp

Layer: services

allow_ftpd_use_nfs (Default: false)

Determine whether ftpd can use NFS file systems for public file transfer services.

Module: rpc

Layer: services

allow_gssd_read_tmp (Default: false)

Determine whether gssd can read generic user temporary content.

Module: rpc

Layer: services

allow_gssd_write_tmp (Default: false)

Determine whether gssd can write generic user temporary content.

Module: apache

Layer: services

allow_httpd_anon_write (Default: false)

Determine whether httpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: apcupsd

Layer: services

allow_httpd_apcupsd_cgi_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: awstats

Layer: apps

allow_httpd_awstats_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: bugzilla

Layer: services

allow_httpd_bugzilla_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: collectd

Layer: services

allow_httpd_collectd_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: cvs

Layer: services

allow_httpd_cvs_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: git

Layer: services

allow_httpd_git_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: lightsquid

Layer: apps

allow_httpd_lightsquid_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: man2html

Layer: apps

allow_httpd_man2html_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: mediawiki

Layer: services

allow_httpd_mediawiki_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: apache

Layer: services

allow_httpd_mod_auth_pam (Default: false)

Determine whether httpd can use mod_auth_pam.

Module: mojomojo

Layer: services

allow_httpd_mojomojo_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: munin

Layer: services

allow_httpd_munin_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: nagios

Layer: services

allow_httpd_nagios_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: nut

Layer: services

allow_httpd_nutups_cgi_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: prelude

Layer: services

allow_httpd_prewikka_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: smokeping

Layer: services

allow_httpd_smokeping_cgi_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: squid

Layer: services

allow_httpd_squid_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: apache

Layer: services

allow_httpd_sys_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: apache

Layer: services

allow_httpd_unconfined_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: apache

Layer: services

allow_httpd_user_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: webalizer

Layer: apps

allow_httpd_webalizer_script_anon_write (Default: false)

Determine whether the script domain can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: java

Layer: apps

allow_java_execstack (Default: false)

Determine whether java can make its stack executable.

Module: kerberos

Layer: services

allow_kerberos (Default: false)

Determine whether kerberos is supported.

Module: mount

Layer: system

allow_mount_anyfile (Default: false)

Allow the mount command to mount any directory or file.

Module: mplayer

Layer: apps

allow_mplayer_execstack (Default: false)

Determine whether mplayer can make its stack executable.

Module: rpc

Layer: services

allow_nfsd_anon_write (Default: false)

Determine whether nfs can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Global
allow_polyinstantiation (Default: false)

Enable polyinstantiated directory support.

Global
allow_raw_memory_access (Default: false)

Allow raw memory device (/dev/mem, /dev/kmem, /dev/mergemem, /dev/oldmem, /dev/port) access for confined executables. This is extremely dangerous as it can bypass the SELinux protections, and should only be used by trusted domains.

Module: rsync

Layer: services

allow_rsync_anon_write (Default: false)

Determine whether rsync can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: sasl

Layer: services

allow_saslauthd_read_shadow (Default: false)

Determine whether sasl can read shadow files.

Module: samba

Layer: services

allow_smbd_anon_write (Default: false)

Determine whether samba can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: ssh

Layer: services

allow_ssh_keysign (Default: false)

Allow host key based authentication.

Module: userdomain

Layer: system

allow_user_mysql_connect (Default: false)

Allow users to connect to mysql

Module: userdomain

Layer: system

allow_user_postgresql_connect (Default: false)

Allow users to connect to PostgreSQL

Module: xserver

Layer: services

allow_write_xshm (Default: false)

Allows clients to write to the X server shared memory segments.

Global
allow_ypbind (Default: false)

Allow system to run with NIS

Module: zebra

Layer: services

allow_zebra_write_config (Default: false)

Determine whether zebra daemon can manage its configuration files.

Module: amavis

Layer: services

amavis_use_jit (Default: false)

Determine whether amavis can use JIT compiler.

Module: authlogin

Layer: system

authlogin_nsswitch_use_ldap (Default: false)

Allow users to resolve user passwd entries directly from LDAP rather than using an sssd server.

Module: authlogin

Layer: system

authlogin_pam (Default: true)

Allow PAM usage. If disabled, read access to /etc/shadow is allowed for domains that normally use PAM.

Module: awstats

Layer: apps

awstats_purge_apache_log_files (Default: false)

Determine whether awstats can purge httpd log files.

Module: boinc

Layer: services

boinc_execmem (Default: true)

Determine whether boinc can use execmem/execstack.

Module: boinc

Layer: services

boinc_gpu (Default: true)

Determine whether boinc can access X/GPU

Module: cdrecord

Layer: apps

cdrecord_read_content (Default: false)

Determine whether cdrecord can read various content: nfs, samba, removable devices, user temp and untrusted content files.

Module: certbot

Layer: services

certbot_acmesh (Default: false)

Determine whether additional rules should be enabled to support acme.sh

Module: chromium

Layer: apps

chromium_bind_tcp_unreserved_ports (Default: false)

Allow chromium to bind to tcp ports

Although not needed for regular browsing, some chrome extensions need to bind to tcp ports and accept connections.

Module: chromium

Layer: apps

chromium_dri (Default: true)

Allow chromium to access direct rendering interface

Needed for good performance on complex sites

Module: chromium

Layer: apps

chromium_manage_all_user_content (Default: false)

Grant the chromium domains manage rights on all user content

Module: chromium

Layer: apps

chromium_manage_generic_user_content (Default: false)

Grant the chromium domains manage rights on generic user content

Module: chromium

Layer: apps

chromium_read_all_user_content (Default: false)

Grant the chromium domains read access to all user content

Module: chromium

Layer: apps

chromium_read_generic_user_content (Default: true)

Grant the chromium domains read access to generic user content

Module: chromium

Layer: apps

chromium_read_system_info (Default: false)

Allow chromium to read system information

Although not needed for regular browsing, this will allow chromium to update its own memory consumption based on system state, support additional debugging, detect specific devices, etc.

Module: chromium

Layer: apps

chromium_rw_usb_dev (Default: false)

Allow chromium to read/write USB devices

Although not needed for regular browsing, used for debugging over usb or using FIDO U2F tokens.

Module: chronyd

Layer: services

chronyd_hwtimestamp (Default: false)

Determine whether chronyd can access NIC hardware timestamping features

Module: clamav

Layer: services

clamav_read_all_non_security_files_clamscan (Default: false)

Determine whether clamscan can read all non-security files.

Module: clamav

Layer: services

clamav_read_user_content_files_clamscan (Default: false)

Determine whether clamscan can read user content files.

Module: clamav

Layer: services

clamd_use_jit (Default: false)

Determine whether clamd can use the JIT compiler.

Module: cobbler

Layer: services

cobbler_anon_write (Default: false)

Determine whether Cobbler can modify public files used for public file transfer services.

Module: cobbler

Layer: services

cobbler_can_network_connect (Default: false)

Determine whether Cobbler can connect to the network using TCP.

Module: cobbler

Layer: services

cobbler_use_cifs (Default: false)

Determine whether Cobbler can access cifs file systems.

Module: cobbler

Layer: services

cobbler_use_nfs (Default: false)

Determine whether Cobbler can access nfs file systems.

Module: collectd

Layer: services

collectd_tcp_network_connect (Default: false)

Determine whether collectd can connect to the network using TCP.

Module: condor

Layer: services

condor_tcp_network_connect (Default: false)

Determine whether Condor can connect to the network using TCP.

Global
console_login (Default: true)

Allow logging in and using the system from /dev/console.

Module: container

Layer: services

container_manage_cgroup (Default: false)

Allow containers to manage cgroups. This is required for systemd to run inside containers.

Module: container

Layer: services

container_manage_public_content (Default: false)

Allow containers to manage all read-writable public content.

Module: container

Layer: services

container_mounton_non_security (Default: false)

Allow container engines to mount on all non-security files.

Module: container

Layer: services

container_read_public_content (Default: false)

Allow containers to read all public content.

Module: container

Layer: services

container_use_ecryptfs (Default: false)

Allow containers to use eCryptfs filesystems.

Module: container

Layer: services

container_use_nfs (Default: false)

Allow containers to use NFS filesystems.

Module: container

Layer: services

container_use_samba (Default: false)

Allow containers to use CIFS filesystems.

Module: cron

Layer: services

cron_can_relabel (Default: false)

Determine whether system cron jobs can relabel filesystem for restoring file contexts.

Module: cryfs

Layer: apps

cryfs_manage_all_user_content (Default: false)

Grant the cryfs domains manage rights on all user content

Module: cryfs

Layer: apps

cryfs_manage_generic_user_content (Default: false)

Grant the cryfs domains manage rights on generic user content

Module: cryfs

Layer: apps

cryfs_read_all_user_content (Default: false)

Grant the cryfs domains read access to all user content

Module: cryfs

Layer: apps

cryfs_read_generic_user_content (Default: true)

Grant the cryfs domains read access to generic user content

Module: cups

Layer: services

cups_legacy_ldso (Default: false)

Allows legacy ld_so for old printer filters

Module: dbadm

Layer: roles

dbadm_manage_user_files (Default: false)

Determine whether dbadm can manage generic user files.

Module: dbadm

Layer: roles

dbadm_read_user_files (Default: false)

Determine whether dbadm can read generic user files.

Module: dbus

Layer: services

dbus_broker_run_transient_units (Default: false)

Allow dbus-daemon system bus to run systemd transient units. This is used by dbus-broker for dbus-activated services when the unit file for the service does not exist.

Module: dbus

Layer: services

dbus_broker_system_bus (Default: false)

Enable additional rules to support using dbus-broker as the dbus-daemon system bus.

Module: dbus

Layer: services

dbus_pass_tuntap_fd (Default: false)

Allow dbus-daemon system bus to access /dev/net/tun which is needed to pass tun/tap device file descriptors over D-Bus. This is needed by openvpn3-linux.

Module: sysnetwork

Layer: system

dhcpc_manage_samba (Default: false)

Determine whether DHCP client can manage samba

Module: dhcp

Layer: services

dhcpd_use_ldap (Default: false)

Determine whether DHCP daemon can use LDAP backends.

Module: dovecot

Layer: services

dovecot_can_connect_db (Default: false)

Determine whether dovecot can connect to databases.

Module: entropyd

Layer: services

entropyd_use_audio (Default: false)

Determine whether entropyd can use audio devices as the source for the entropy feeds.

Module: evolution

Layer: apps

evolution_manage_all_user_content (Default: false)

Grant the evolution domains manage rights on all user content

Module: evolution

Layer: apps

evolution_manage_generic_user_content (Default: false)

Grant the evolution domains manage rights on generic user content

Module: evolution

Layer: apps

evolution_manage_user_certs (Default: false)

Allow evolution to create and write user certificates in addition to being able to read them

Module: evolution

Layer: apps

evolution_read_all_user_content (Default: false)

Grant the evolution domains read access to all user content

Module: evolution

Layer: apps

evolution_read_generic_user_content (Default: true)

Grant the evolution domains read access to generic user content

Module: exim

Layer: services

exim_can_connect_db (Default: false)

Determine whether exim can connect to databases.

Module: exim

Layer: services

exim_manage_user_files (Default: false)

Determine whether exim can create, read, write, and delete generic user content files.

Module: exim

Layer: services

exim_read_user_files (Default: false)

Determine whether exim can read generic user content files.

Module: firstboot

Layer: admin

firstboot_manage_all_user_content (Default: false)

Grant the firstboot domains manage rights on all user content

Module: firstboot

Layer: admin

firstboot_manage_generic_user_content (Default: false)

Grant the firstboot domains manage rights on generic user content

Module: firstboot

Layer: admin

firstboot_read_all_user_content (Default: false)

Grant the firstboot domains read access to all user content

Module: firstboot

Layer: admin

firstboot_read_generic_user_content (Default: true)

Grant the firstboot domains read access to generic user content

Module: ftp

Layer: services

ftp_home_dir (Default: false)

Determine whether ftpd can read and write files in user home directories.

Module: ftp

Layer: services

ftpd_connect_all_unreserved (Default: false)

Determine whether ftpd can connect to all unreserved ports.

Module: ftp

Layer: services

ftpd_connect_db (Default: false)

Determine whether ftpd can connect to databases over the TCP network.

Module: ftp

Layer: services

ftpd_use_passive_mode (Default: false)

Determine whether ftpd can bind to all unreserved ports for passive mode.

Module: git

Layer: services

git_cgi_enable_homedirs (Default: false)

Determine whether Git CGI can search home directories.

Module: git

Layer: services

git_cgi_use_cifs (Default: false)

Determine whether Git CGI can access cifs file systems.

Module: git

Layer: services

git_cgi_use_nfs (Default: false)

Determine whether Git CGI can access nfs file systems.

Module: git

Layer: services

git_client_manage_all_user_home_content (Default: false)

Determine whether Git client domains can manage all user home content, including application-specific data.

Module: git

Layer: services

git_session_bind_all_unreserved_ports (Default: false)

Determine whether Git session daemon can bind TCP sockets to all unreserved ports.

Module: git

Layer: services

git_session_send_syslog_msg (Default: false)

Determine whether Git session daemons can send syslog messages.

Module: git

Layer: services

git_session_users (Default: false)

Determine whether calling user domains can execute Git daemon in the git_session_t domain.

Module: git

Layer: services

git_system_enable_homedirs (Default: false)

Determine whether Git system daemon can search home directories.

Module: git

Layer: services

git_system_use_cifs (Default: false)

Determine whether Git system daemon can access cifs file systems.

Module: git

Layer: services

git_system_use_nfs (Default: false)

Determine whether Git system daemon can access nfs file systems.

Module: gitosis

Layer: apps

gitosis_can_sendmail (Default: false)

Determine whether Gitosis can send mail.

Global
global_ssp (Default: false)

Enable reading of urandom for all domains.

This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.

Module: glusterfs

Layer: services

glusterfs_modify_policy (Default: false)

Allow the gluster daemon to automatically add and remove file contexts from the local SELinux policy when adding and removing bricks.

Module: gpg

Layer: apps

gpg_agent_env_file (Default: false)

Determine whether GPG agent can manage generic user home content files. This is required by the --write-env-file option.

Module: gpg

Layer: apps

gpg_agent_use_card (Default: false)

Determine whether GPG agent can use OpenPGP cards or Yubikeys over USB

Module: gpg

Layer: apps

gpg_manage_all_user_content (Default: false)

Grant the gpg domains manage rights on all user content

Module: gpg

Layer: apps

gpg_manage_generic_user_content (Default: false)

Grant the gpg domains manage rights on generic user content

Module: gpg

Layer: apps

gpg_read_all_user_content (Default: false)

Grant the gpg domains read access to all user content

Module: gpg

Layer: apps

gpg_read_generic_user_content (Default: true)

Grant the gpg domains read access to generic user content

Module: guest

Layer: roles

guest_connect_network (Default: false)

Determine whether guest can configure network manager.

Module: apache

Layer: services

httpd_builtin_scripting (Default: false)

Determine whether httpd can use built in scripting.

Module: apache

Layer: services

httpd_can_check_spam (Default: false)

Determine whether httpd can check spam.

Module: apache

Layer: services

httpd_can_network_connect (Default: false)

Determine whether httpd scripts and modules can connect to the network using TCP.

Module: apache

Layer: services

httpd_can_network_connect_cobbler (Default: false)

Determine whether httpd scripts and modules can connect to cobbler over the network.

Module: apache

Layer: services

httpd_can_network_connect_db (Default: false)

Determine whether scripts and modules can connect to databases over the network.

Module: apache

Layer: services

httpd_can_network_connect_ldap (Default: false)

Determine whether httpd can connect to ldap over the network.

Module: apache

Layer: services

httpd_can_network_connect_memcache (Default: false)

Determine whether httpd can connect to memcache server over the network.

Module: apache

Layer: services

httpd_can_network_connect_zabbix (Default: false)

Determine whether httpd daemon can connect to zabbix over the network.

Module: apache

Layer: services

httpd_can_network_relay (Default: false)

Determine whether httpd can act as a relay.

Module: apache

Layer: services

httpd_can_sendmail (Default: false)

Determine whether httpd can send mail.

Module: apache

Layer: services

httpd_dbus_avahi (Default: false)

Determine whether httpd can communicate with avahi service via dbus.

Module: apache

Layer: services

httpd_enable_cgi (Default: false)

Determine whether httpd can use CGI support.

Module: apache

Layer: services

httpd_enable_ftp_server (Default: false)

Determine whether httpd can act as an FTP server by listening on the ftp port.

Module: apache

Layer: services

httpd_enable_homedirs (Default: false)

Determine whether httpd can traverse user home directories.

Module: apache

Layer: services

httpd_execmem (Default: false)

Determine whether httpd scripts and modules can use execmem and execstack.

Module: apache

Layer: services

httpd_gpg_anon_write (Default: false)

Determine whether httpd gpg can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: apache

Layer: services

httpd_graceful_shutdown (Default: false)

Determine whether httpd can connect to port 80 for graceful shutdown.

Module: apache

Layer: services

httpd_manage_ipa (Default: false)

Determine whether httpd can manage IPA content files.

Module: apache

Layer: services

httpd_mod_auth_ntlm_winbind (Default: false)

Determine whether httpd can use mod_auth_ntlm_winbind.

Module: apache

Layer: services

httpd_read_user_content (Default: false)

Determine whether httpd can read generic user home content files.

Module: apache

Layer: services

httpd_setrlimit (Default: false)

Determine whether httpd can change its resource limits.

Module: apache

Layer: services

httpd_ssi_exec (Default: false)

Determine whether httpd can run SSI executables in the same domain as system CGI scripts.

Module: apache

Layer: services

httpd_tmp_exec (Default: false)

Determine whether httpd can execute its temporary content.

Module: apache

Layer: services

httpd_tty_comm (Default: false)

Determine whether httpd can communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.

Module: apache

Layer: services

httpd_unified (Default: false)

Determine whether httpd can have full access to its content types.

Module: apache

Layer: services

httpd_use_cifs (Default: false)

Determine whether httpd can use cifs file systems.

Module: apache

Layer: services

httpd_use_fusefs (Default: false)

Determine whether httpd can use fuse file systems.

Module: apache

Layer: services

httpd_use_gpg (Default: false)

Determine whether httpd can use gpg.

Module: apache

Layer: services

httpd_use_nfs (Default: false)

Determine whether httpd can use nfs file systems.

Module: i18n_input

Layer: services

i18n_input_read_generic_user_content (Default: true)

Grant the i18n_input domains read access to generic user content

Module: icecast

Layer: services

icecast_use_any_tcp_ports (Default: false)

Determine whether icecast can listen on and connect to any TCP port.

Module: init

Layer: system

init_create_mountpoints (Default: false)

Enable systemd to create mountpoints.

Module: init

Layer: system

init_daemons_use_tty (Default: false)

Allow all daemons to read/write terminals.

Module: init

Layer: system

init_mounton_non_security (Default: false)

Enable systemd to mount on all non-security files.

Module: init

Layer: system

init_upstart (Default: false)

Enable support for upstart as the init program.

Module: irc

Layer: apps

irc_manage_all_user_content (Default: false)

Grant the irc domains manage rights on all user content

Module: irc

Layer: apps

irc_manage_generic_user_content (Default: false)

Grant the irc domains manage rights on generic user content

Module: irc

Layer: apps

irc_read_all_user_content (Default: false)

Grant the irc domains read access to all user content

Module: irc

Layer: apps

irc_read_generic_user_content (Default: true)

Grant the irc domains read access to generic user content

Module: irc

Layer: apps

irc_use_any_tcp_ports (Default: false)

Determine whether irc clients can listen on and connect to any unreserved TCP ports.

Module: java

Layer: apps

java_manage_all_user_content (Default: false)

Grant the java domains manage rights on all user content

Module: java

Layer: apps

java_manage_generic_user_content (Default: false)

Grant the java domains manage rights on generic user content

Module: java

Layer: apps

java_read_all_user_content (Default: false)

Grant the java domains read access to all user content

Module: java

Layer: apps

java_read_generic_user_content (Default: true)

Grant the java domains read access to generic user content

Module: libmtp

Layer: apps

libmtp_enable_home_dirs (Default: false)

Determine whether libmtp can read and manage the user home directories and files.

Module: logwatch

Layer: admin

logwatch_can_network_connect_mail (Default: false)

Determine whether logwatch can connect to mail over the network.

Global
mail_read_content (Default: false)

Allow email client to read various content: nfs, samba, removable devices, and user temp files.

Module: matrixd

Layer: services

matrix_allow_federation (Default: true)

Determine whether Matrixd is allowed to federate (bind all UDP ports and connect to all TCP ports).

Module: matrixd

Layer: services

matrix_postgresql_connect (Default: false)

Determine whether Matrixd can connect to the Postgres database.

Module: mcelog

Layer: admin

mcelog_client (Default: false)

Determine whether mcelog supports client mode.

Module: mcelog

Layer: admin

mcelog_exec_scripts (Default: true)

Determine whether mcelog can execute scripts.

Module: mcelog

Layer: admin

mcelog_foreground (Default: false)

Determine whether mcelog can use all the user ttys.

Module: mcelog

Layer: admin

mcelog_server (Default: false)

Determine whether mcelog supports server mode.

Module: mcelog

Layer: admin

mcelog_syslog (Default: false)

Determine whether mcelog can use syslog.

Module: minidlna

Layer: services

minidlna_read_generic_user_content (Default: false)

Determine whether minidlna can read generic user content.

Module: domain

Layer: kernel

mmap_low_allowed (Default: false)

Control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.

Module: monit

Layer: services

monit_startstop_services (Default: false)

Allow monit to start/stop services

Module: mozilla

Layer: apps

mozilla_execstack (Default: false)

Determine whether mozilla can make its stack executable.

Module: mozilla

Layer: apps

mozilla_manage_all_user_content (Default: false)

Grant the mozilla domains manage rights on all user content

Module: mozilla

Layer: apps

mozilla_manage_generic_user_content (Default: false)

Grant the mozilla domains manage rights on generic user content

Module: mozilla

Layer: apps

mozilla_read_all_user_content (Default: false)

Grant the mozilla domains read access to all user content

Module: mozilla

Layer: apps

mozilla_read_generic_user_content (Default: true)

Grant the mozilla domains read access to generic user content

Module: mpd

Layer: services

mpd_enable_homedirs (Default: false)

Determine whether mpd can traverse user home directories.

Module: mpd

Layer: services

mpd_use_cifs (Default: false)

Determine whether mpd can use cifs file systems.

Module: mpd

Layer: services

mpd_use_nfs (Default: false)

Determine whether mpd can use nfs file systems.

Module: mplayer

Layer: apps

mplayer_manage_all_user_content (Default: false)

Grant the mplayer domains manage rights on all user content

Module: mplayer

Layer: apps

mplayer_manage_generic_user_content (Default: false)

Grant the mplayer domains manage rights on generic user content

Module: mplayer

Layer: apps

mplayer_mencoder_manage_all_user_content (Default: false)

Grant the mplayer_mencoder domains manage rights on all user content

Module: mplayer

Layer: apps

mplayer_mencoder_manage_generic_user_content (Default: false)

Grant the mplayer_mencoder domains manage rights on generic user content

Module: mplayer

Layer: apps

mplayer_mencoder_read_all_user_content (Default: false)

Grant the mplayer_mencoder domains read access to all user content

Module: mplayer

Layer: apps

mplayer_mencoder_read_generic_user_content (Default: true)

Grant the mplayer_mencoder domains read access to generic user content

Module: mplayer

Layer: apps

mplayer_read_all_user_content (Default: false)

Grant the mplayer domains read access to all user content

Module: mplayer

Layer: apps

mplayer_read_generic_user_content (Default: true)

Grant the mplayer domains read access to generic user content

Module: mysql

Layer: services

mysql_connect_any (Default: false)

Determine whether mysqld can connect to all TCP ports.

Module: bind

Layer: services

named_tcp_bind_http_port (Default: false)

Determine whether Bind can bind a tcp socket to http ports.

Module: bind

Layer: services

named_write_master_zones (Default: false)

Determine whether Bind can write to master zone files. Generally this is used for dynamic DNS or zone transfers.

Global
nfs_export_all_ro (Default: false)

Allow any files/directories to be exported read/only via NFS.

Global
nfs_export_all_rw (Default: false)

Allow any files/directories to be exported read/write via NFS.

Module: nscd

Layer: services

nscd_use_shm (Default: false)

Determine whether confined applications can use nscd shared memory.

Module: obfs4proxy

Layer: services

obfs4proxy_bind_all_unreserved_ports (Default: false)

Determine whether obfs4proxy can bind tcp sockets to all unreserved ports.

Module: obfs4proxy

Layer: services

obfs4proxy_bind_http_ports (Default: false)

Determine whether obfs4proxy can bind tcp sockets to all http ports.

Module: openoffice

Layer: apps

openoffice_allow_email (Default: false)

Determine whether openoffice writer can send emails directly (print to email). This is different from the functionality of sending emails through external clients which is always enabled.

Module: openoffice

Layer: apps

openoffice_allow_update (Default: true)

Determine whether openoffice can download software updates from the network (application and/or extensions).

Module: openoffice

Layer: apps

openoffice_manage_all_user_content (Default: false)

Grant the openoffice domains manage rights on all user content

Module: openoffice

Layer: apps

openoffice_manage_generic_user_content (Default: false)

Grant the openoffice domains manage rights on generic user content

Module: openoffice

Layer: apps

openoffice_read_all_user_content (Default: false)

Grant the openoffice domains read access to all user content

Module: openoffice

Layer: apps

openoffice_read_generic_user_content (Default: true)

Grant the openoffice domains read access to generic user content

Module: openvpn

Layer: services

openvpn_can_network_connect (Default: false)

Determine whether openvpn can connect to the TCP network.

Module: openvpn

Layer: services

openvpn_enable_homedirs (Default: false)

Determine whether openvpn can read generic user home content files.

Module: pacemaker

Layer: services

pacemaker_startstop_all_services (Default: false)

Allow pacemaker to start/stop services

Module: portage

Layer: admin

portage_use_nfs (Default: false)

Determine whether portage can use nfs filesystems.

Module: postfix

Layer: services

postfix_local_write_mail_spool (Default: true)

Determine whether postfix local can manage mail spool content.

Module: postfix

Layer: services

postfix_manage_all_user_content (Default: false)

Grant the postfix domains manage rights on all user content

Module: postfix

Layer: services

postfix_manage_generic_user_content (Default: false)

Grant the postfix domains manage rights on generic user content

Module: postfix

Layer: services

postfix_read_all_user_content (Default: false)

Grant the postfix domains read access to all user content

Module: postfix

Layer: services

postfix_read_generic_user_content (Default: true)

Grant the postfix domains read access to generic user content

Module: ppp

Layer: services

pppd_can_insmod (Default: false)

Determine whether pppd can load kernel modules.

Module: ppp

Layer: services

pppd_for_user (Default: false)

Determine whether common users can run pppd with a domain transition.

Module: privoxy

Layer: services

privoxy_connect_any (Default: false)

Determine whether privoxy can connect to all tcp ports.

Module: pulseaudio

Layer: apps

pulseaudio_execmem (Default: false)

Allow pulseaudio to execute code in writable memory

Module: puppet

Layer: admin

puppet_manage_all_files (Default: false)

Determine whether puppet can manage all non-security files.

Module: qemu

Layer: apps

qemu_full_network (Default: false)

Determine whether qemu has full access to the network.

Module: ipsec

Layer: system

racoon_read_shadow (Default: false)

Allow racoon to read shadow password files

Module: rkhunter

Layer: admin

rkhunter_connect_http (Default: false)

Determine whether rkhunter can connect to http ports. This is required by the --update option.

Module: spamassassin

Layer: services

rspamd_spamd (Default: false)

Determine whether extra rules should be enabled to support rspamd.

Module: rsync

Layer: services

rsync_client (Default: false)

Determine whether rsync can run as a client

Module: rsync

Layer: services

rsync_export_all_ro (Default: false)

Determine whether rsync can export all content read only.

Module: rsync

Layer: services

rsync_use_cifs (Default: false)

Determine whether rsync can use cifs file systems.

Module: rsync

Layer: services

rsync_use_fusefs (Default: false)

Determine whether rsync can use fuse file systems.

Module: rsync

Layer: services

rsync_use_nfs (Default: false)

Determine whether rsync can use nfs file systems.

Module: samba

Layer: services

samba_create_home_dirs (Default: false)

Determine whether samba can create home directories via pam.

Module: samba

Layer: services

samba_domain_controller (Default: false)

Determine whether samba can act as the domain controller, add users, groups and change passwords.

Module: samba

Layer: services

samba_enable_home_dirs (Default: false)

Determine whether samba can share users' home directories.

Module: samba

Layer: services

samba_export_all_ro (Default: false)

Determine whether samba can share any content read only.

Module: samba

Layer: services

samba_export_all_rw (Default: false)

Determine whether samba can share any content readable and writable.

Module: samba

Layer: services

samba_portmapper (Default: false)

Determine whether samba can act as a portmapper.

Module: samba

Layer: services

samba_read_shadow (Default: false)

Determine whether smbd_t can read shadow files.

Module: samba

Layer: services

samba_run_unconfined (Default: false)

Determine whether samba can run unconfined scripts.

Module: samba

Layer: services

samba_share_fusefs (Default: false)

Determine whether samba can use fuse file systems.

Module: samba

Layer: services

samba_share_nfs (Default: false)

Determine whether samba can use nfs file systems.

Module: sanlock

Layer: services

sanlock_use_nfs (Default: false)

Determine whether sanlock can use nfs file systems.

Module: sanlock

Layer: services

sanlock_use_samba (Default: false)

Determine whether sanlock can use cifs file systems.

Module: postgresql

Layer: services

sepgsql_enable_users_ddl (Default: false)

Allow unprivileged users to execute DDL statements

Module: postgresql

Layer: services

sepgsql_transmit_client_label (Default: false)

Allow the client label to be transmitted to a foreign database

Module: postgresql

Layer: services

sepgsql_unconfined_dbadm (Default: false)

Allow database admins to execute DML statements

Module: ftp

Layer: services

sftpd_anon_write (Default: false)

Determine whether sftpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: ftp

Layer: services

sftpd_enable_homedirs (Default: false)

Determine whether sftpd can read and write files in user home directories.

Module: ftp

Layer: services

sftpd_full_access (Default: false)

Determine whether sftpd can log in as local users and read and write all files on the system, governed by DAC.

Module: ftp

Layer: services

sftpd_write_ssh_home (Default: false)

Determine whether sftpd can read and write files in user ssh home directories.

Module: shutdown

Layer: admin

shutdown_allow_user_exec_domains (Default: false)

Determine whether the user application exec domain attribute should be respected for shutdown access. If not enabled, only user domains themselves may use shutdown.

Module: smartmon

Layer: services

smartmon_3ware (Default: false)

Determine whether smartmon can support devices on 3ware controllers.

Module: spamassassin

Layer: services

spamassassin_can_network (Default: false)

Determine whether spamassassin clients can use the network.

Module: spamassassin

Layer: services

spamd_enable_home_dirs (Default: false)

Determine whether spamd can manage generic user home content.

Module: squid

Layer: services

squid_connect_any (Default: false)

Determine whether squid can connect to all TCP ports.

Module: squid

Layer: services

squid_use_pinger (Default: true)

Determine whether squid can use the pinger daemon (needs raw net access)

Module: squid

Layer: services

squid_use_tproxy (Default: false)

Determine whether squid can run as a transparent proxy.

Module: ssh

Layer: services

ssh_sysadm_login (Default: true)

Allow ssh logins as sysadm_r:sysadm_t

Module: ssh

Layer: services

ssh_use_gpg_agent (Default: false)

Allow ssh to use gpg-agent

Module: su

Layer: admin

su_allow_user_exec_domains (Default: false)

Determine whether the user application exec domain attribute should be respected for su access. If not enabled, only user domains themselves may use su.

Module: sudo

Layer: admin

sudo_all_tcp_connect_http_port (Default: false)

Determine whether all sudo domains can connect to TCP HTTP ports. This is needed if an additional authentication mechanism via an HTTP server is required for users to use sudo.

Module: sudo

Layer: admin

sudo_allow_user_exec_domains (Default: false)

Determine whether the user application exec domain attribute should be respected for sudo access. If not enabled, only user domains themselves may use sudo.

Module: syncthing

Layer: apps

syncthing_manage_all_user_content (Default: false)

Grant the syncthing domains manage rights on all user content

Module: syncthing

Layer: apps

syncthing_manage_generic_user_content (Default: false)

Grant the syncthing domains manage rights on generic user content

Module: syncthing

Layer: apps

syncthing_read_all_user_content (Default: false)

Grant the syncthing domains read access to all user content

Module: syncthing

Layer: apps

syncthing_read_generic_user_content (Default: true)

Grant the syncthing domains read access to generic user content

Module: systemd

Layer: system

systemd_logind_get_bootloader (Default: false)

Allow systemd-logind to interact with the bootloader (read which one is installed on fixed disks, enumerate entries for dbus property BootLoaderEntries, etc.)

Module: systemd

Layer: system

systemd_networkd_dhcp_server (Default: false)

Allow systemd-networkd to run its DHCPd server component

Module: systemd

Layer: system

systemd_nspawn_labeled_namespace (Default: false)

Allow systemd-nspawn to create a labelled namespace with the same types as parent environment

Module: systemd

Layer: system

systemd_socket_proxyd_bind_any (Default: false)

Allow systemd-socket-proxyd to bind any port instead of one labelled with systemd_socket_proxyd_port_t.

Module: systemd

Layer: system

systemd_socket_proxyd_connect_any (Default: false)

Allow systemd-socket-proxyd to connect to any port instead of labelled ones.

Module: systemd

Layer: system

systemd_tmpfiles_manage_all (Default: false)

Enable support for systemd-tmpfiles to manage all non-security files.

Module: telepathy

Layer: apps

telepathy_connect_all_ports (Default: false)

Determine whether telepathy connection managers can connect to any port.

Module: telepathy

Layer: apps

telepathy_tcp_connect_generic_network_ports (Default: false)

Determine whether telepathy connection managers can connect to generic tcp ports.

Module: tftp

Layer: services

tftp_anon_write (Default: false)

Determine whether tftp can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: tftp

Layer: services

tftp_enable_homedir (Default: false)

Determine whether tftp can manage generic user home content.

Module: thunderbird

Layer: apps

thunderbird_manage_all_user_content (Default: false)

Grant the thunderbird domains manage rights on all user content

Module: thunderbird

Layer: apps

thunderbird_manage_generic_user_content (Default: false)

Grant the thunderbird domains manage rights on generic user content

Module: thunderbird

Layer: apps

thunderbird_read_all_user_content (Default: false)

Grant the thunderbird domains read access to all user content

Module: thunderbird

Layer: apps

thunderbird_read_generic_user_content (Default: true)

Grant the thunderbird domains read access to generic user content

Module: tor

Layer: services

tor_bind_all_unreserved_ports (Default: false)

Determine whether tor can bind tcp sockets to all unreserved ports.

Module: usbguard

Layer: admin

usbguard_user_modify_rule_files (Default: false)

Determine whether authorized users can control the daemon, which requires usbguard-daemon to be able to modify its rules in /etc/usbguard.

Module: lpd

Layer: services

use_lpd_server (Default: false)

Determine whether to support lpd server.

Global
use_nfs_home_dirs (Default: false)

Support NFS home directories

Global
use_samba_home_dirs (Default: false)

Support SAMBA home directories

Module: userdomain

Layer: system

user_direct_mouse (Default: false)

Allow regular users direct mouse access

Module: userdomain

Layer: system

user_dmesg (Default: false)

Allow users to read system messages.

Module: userdomain

Layer: system

user_exec_noexattrfile (Default: false)

Allow user to execute files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

Module: netutils

Layer: admin

user_ping (Default: false)

Control users' use of ping and traceroute

Module: userdomain

Layer: system

user_rw_noexattrfile (Default: false)

Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

Global
user_tcp_server (Default: false)

Allow users to run TCP servers (bind to ports and accept connections from the same domain and outside users). Disabling this forces FTP passive mode and may change other protocols.

Module: userdomain

Layer: system

user_ttyfile_stat (Default: false)

Allow the w command to display all logged-in users

Global
user_udp_server (Default: false)

Allow users to run UDP servers (bind to ports and accept connections from the same domain and outside users)

Module: userdomain

Layer: system

user_write_removable (Default: false)

Allow user to write files on removable devices (e.g. external USB memory devices or floppies)

Module: varnishd

Layer: services

varnishd_connect_any (Default: false)

Determine whether varnishd can use the full TCP network.

Module: vbetool

Layer: admin

vbetool_mmap_zero_ignore (Default: false)

Determine whether attempts by vbetool to mmap low regions should be silently blocked.

Module: virt

Layer: services

virt_use_comm (Default: false)

Determine whether confined virtual guests can use serial/parallel communication ports.

Module: virt

Layer: services

virt_use_evdev (Default: false)

Determine whether confined virtual guests can use input devices via evdev pass through.

Module: virt

Layer: services

virt_use_execmem (Default: false)

Determine whether confined virtual guests can use executable memory and can make their stack executable.

Module: virt

Layer: services

virt_use_fusefs (Default: false)

Determine whether confined virtual guests can use fuse file systems.

Module: virt

Layer: services

virt_use_nfs (Default: false)

Determine whether confined virtual guests can use nfs file systems.

Module: virt

Layer: services

virt_use_samba (Default: false)

Determine whether confined virtual guests can use cifs file systems.

Module: virt

Layer: services

virt_use_sysfs (Default: false)

Determine whether confined virtual guests can manage device configuration.

Module: virt

Layer: services

virt_use_usb (Default: false)

Determine whether confined virtual guests can use usb devices.

Module: virt

Layer: services

virt_use_vfio (Default: false)

Determine whether confined virtual guests can use vfio for pci device pass through (vt-d).

Module: virt

Layer: services

virt_use_xserver (Default: false)

Determine whether confined virtual guests can interact with xserver.

Module: webadm

Layer: roles

webadm_manage_user_files (Default: false)

Determine whether webadm can manage generic user files.

Module: webadm

Layer: roles

webadm_read_user_files (Default: false)

Determine whether webadm can read generic user files.

Module: wine

Layer: apps

wine_mmap_zero_ignore (Default: false)

Determine whether attempts by wine to mmap low regions should be silently blocked.

Module: wireshark

Layer: apps

wireshark_manage_all_user_content (Default: false)

Grant the wireshark domains manage rights on all user content

Module: wireshark

Layer: apps

wireshark_manage_generic_user_content (Default: false)

Grant the wireshark domains manage rights on generic user content

Module: wireshark

Layer: apps

wireshark_read_all_user_content (Default: false)

Grant the wireshark domains read access to all user content

Module: wireshark

Layer: apps

wireshark_read_generic_user_content (Default: true)

Grant the wireshark domains read access to generic user content

Module: wm

Layer: apps

wm_write_xdg_data (Default: false)

Grant the window manager domains write access to xdg data

Module: xserver

Layer: services

xdm_sysadm_login (Default: false)

Allow xdm logins as sysadm

Module: xen

Layer: system

xen_use_fusefs (Default: false)

Determine whether xen can use fusefs file systems.

Module: xen

Layer: system

xen_use_nfs (Default: false)

Determine whether xen can use nfs file systems.

Module: xen

Layer: system

xen_use_samba (Default: false)

Determine whether xen can use samba file systems.

Module: xen

Layer: system

xend_run_blktap (Default: false)

Determine whether xend can run blktapctrl and tapdisk.

Module: xguest

Layer: roles

xguest_connect_network (Default: false)

Determine whether xguest can configure network manager.

Module: xguest

Layer: roles

xguest_mount_media (Default: false)

Determine whether xguest can mount removable media.

Module: xguest

Layer: roles

xguest_use_bluetooth (Default: false)

Determine whether xguest can use Bluetooth devices.

Module: xscreensaver

Layer: apps

xscreensaver_read_generic_user_content (Default: true)

Grant the xscreensaver domains read access to generic user content

Module: xserver

Layer: services

xserver_allow_dri (Default: false)

Allow DRI access

Module: xserver

Layer: services

xserver_gnome_xdm (Default: false)

Use gnome-shell in gdm mode as the X Display Manager (XDM)

Module: xserver

Layer: services

xserver_object_manager (Default: false)

Support X userspace object manager

Module: zabbix

Layer: services

zabbix_can_network (Default: false)

Determine whether zabbix can connect to all TCP ports