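# SELinux policy boolean defaults, one "name = true|false" assignment per line.
# NOTE(review): the layout (collapsed comments and assignments) matches a
# booleans.conf-style policy build input -- confirm which tool reads this file.
#
# Each assignment sits on its own line, outside the comment. When an
# assignment shares a line with a "#" comment it is commented out and the
# setting never takes effect.
#
# Convention used below: "true" grants the access described, "false" denies it.

# ---------------------------------------------------------------------------
# Memory protection
# ---------------------------------------------------------------------------

# Allow making anonymous memory executable, e.g. for runtime-code generation
# or executable stack.
# Kept false: memory that is both writable and executable removes a common
# exploit mitigation.
allow_execmem = false

# Allow making a modified private file mapping executable (text relocation).
selinuxuser_execmod = false

# Allow making the stack executable via mprotect. Also requires allow_execmem.
selinuxuser_execstack = false

# ---------------------------------------------------------------------------
# File transfer, authentication and directory services
# ---------------------------------------------------------------------------

# Allow ftpd to read cifs directories.
ftpd_use_cifs = false

# Allow ftpd to read nfs directories.
ftpd_use_nfs = false

# Allow ftp servers to modify public files used for public file transfer
# services.
# Kept false: anonymous write access should be an explicit, per-host decision.
allow_ftpd_anon_write = false

# Allow gssd to read temp directory.
gssd_read_tmp = true

# Allow Apache to modify public files used for public file transfer services.
allow_httpd_anon_write = false

# Allow Apache to use mod_auth_pam module.
httpd_mod_auth_pam = false

# Allow system to run with kerberos.
allow_kerberos = true

# Allow rsync to modify public files used for public file transfer services.
allow_rsync_anon_write = false

# Allow sasl to read shadow.
# Kept false: this keeps the password hash file out of reach of saslauthd.
saslauthd_read_shadow = false

# Allow samba to modify public files used for public file transfer services.
allow_smbd_anon_write = false

# Allow system to run with NIS.
allow_ypbind = false

# Allow zebra to write its own configuration files.
zebra_write_config = false

# Enable extra rules in the cron domain to support fcron.
fcron_crond = false

# ---------------------------------------------------------------------------
# httpd
# ---------------------------------------------------------------------------

# Allow httpd to connect to mysql/postgresql.
httpd_can_network_connect_db = false

# Allow httpd to send dbus messages to avahi.
httpd_dbus_avahi = true

# Allow httpd to network relay.
httpd_can_network_relay = false

# Allow httpd to use built in scripting (usually php).
httpd_builtin_scripting = true

# Allow http daemon to tcp connect.
# Kept false: a compromised web application cannot open arbitrary outbound
# TCP connections from the httpd domain.
httpd_can_network_connect = false

# Allow httpd cgi support.
httpd_enable_cgi = true

# Allow httpd to act as a FTP server by listening on the ftp port.
httpd_enable_ftp_server = false

# Allow httpd to read home directories.
httpd_enable_homedirs = false

# Run SSI execs in system CGI script domain.
httpd_ssi_exec = false

# Allow http daemon to communicate with the TTY.
httpd_tty_comm = false

# Run CGI in the main httpd domain.
# Kept false: CGI scripts stay in their own domain instead of sharing the
# web server's permissions.
httpd_unified = false

# ---------------------------------------------------------------------------
# Network services and shared filesystems
# ---------------------------------------------------------------------------

# Allow BIND to write the master zone files. Generally this is used for
# dynamic DNS.
named_write_master_zones = false

# Allow nfs to be exported read/write.
# NOTE(review): enabled here; on hosts that do not export writable NFS shares
# this grant is broader than needed.
nfs_export_all_rw = true

# Allow nfs to be exported read only.
nfs_export_all_ro = true

# Allow pppd to load kernel modules for certain modems.
pppd_can_insmod = false

# Allow reading of default_t files.
read_default_t = false

# Allow samba to export user home directories.
samba_enable_home_dirs = false

# Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
squid_connect_any = false

# Support NFS home directories.
use_nfs_home_dirs = true

# Support SAMBA home directories.
use_samba_home_dirs = false

# ---------------------------------------------------------------------------
# Users
# ---------------------------------------------------------------------------

# Control users' use of ping and traceroute.
user_ping = false

# Allow host key based authentication.
ssh_keysign = false

# Allow pppd to be run for a regular user.
pppd_for_user = false

# Allow spamd to write to users' homedirs.
spamd_enable_home_dirs = false

# Allow user to r/w files on filesystems that do not have extended attributes
# (FAT, CDROM, FLOPPY).
user_rw_noexattrfile = true

# Allow users to run TCP servers (bind to ports and accept connection from the
# same domain and outside users). Disabling this forces FTP passive mode and
# may change other protocols.
user_tcp_server = false

# ---------------------------------------------------------------------------
# Daemons and domains
# ---------------------------------------------------------------------------

# Allow all domains to talk to ttys.
daemons_use_tty = false

# Allow login domains to polyinstantiate directories.
polyinstantiation_enabled = false

# Allow all domains to dump core.
# NOTE(review): enabled here; core files can hold credentials and key material
# from the crashed process, so check where they are written and who can read
# them.
daemons_dump_core = true

# Allow samba to act as the domain controller.
samba_domain_controller = false

# NOTE(review): the description shipped with this entry was a copy of the
# samba_enable_home_dirs text ("Allow samba to export user home directories.").
# Going by the boolean's name it governs samba running unconfined scripts --
# confirm against the policy module before enabling.
samba_run_unconfined = false

# Allow XServer to execute writable memory.
xserver_execmem = false

# Allow guest accounts to execute files that they can create.
# false (as set here) means guest and xguest users cannot execute content they
# create.
guest_exec_content = false
xguest_exec_content = false

# Allow postfix local to write to mail spool.
postfix_local_write_mail_spool = false

# Allow common users to read/write noexattrfile systems.
# user_rw_noexattrfile is already set to true in the Users group above; the
# repeated assignment that stood here was dropped so the key appears once.

# Allow qemu to connect fully to the network.
qemu_full_network = true

# System uses init upstart program.
init_upstart = true

# Allow mount to mount any file/dir.
# NOTE(review): enabled here; this is a broad grant to the mount domain.
mount_anyfile = true

# Allow all domains to mmap files.
# NOTE(review): enabled here for every domain; confirm this breadth is
# required.
domain_can_mmap_files = true

# Allow confined applications to use nscd shared memory.
nscd_use_shm = true

# Allow unconfined users to transition to the chrome sandbox domains when
# running chrome-sandbox.
unconfined_chrome_sandbox_transition = false

# Allow unconfined users to transition to the Mozilla plugin domain when
# running xulrunner plugin-container.
unconfined_mozilla_plugin_transition = false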