false
Allow making anonymous memory executable, e.g. for runtime-code generation or executable stack.
false
Allow making a modified private file mapping executable (text relocation).
false
Allow making the stack executable via mprotect. Also requires allow_execmem.
false
Allow ftp servers to modify public files used for public file transfer services.
false
Allow gpg executable stack
true
Allow gssd to read temp directory.
false
Allow Apache to modify public files used for public file transfer services.
false
Allow system to run with kerberos
false
Allow sysadm to ptrace all processes
false
Allow rsync to modify public files used for public file transfer services.
false
Allow sasl to read shadow
false
Allow samba to modify public files used for public file transfer services.
false
Allow host key based authentication
false
Allow users to connect to mysql
false
Allow system to run with NIS
false
Allow system cron jobs to relabel filesystem for restoring file contexts.
false
Enable extra rules in the cron domain to support fcron.
false
Allow ftp to read and write files in the user home directories
false
Allow ftpd to run directly without inetd
false
Allow httpd to use built in scripting (usually php)
false
Allow http daemon to tcp connect
false
Allow httpd cgi support
false
Allow httpd to act as a FTP server by listening on the ftp port.
false
Allow httpd to read home directories
false
Run SSI execs in system CGI script domain.
false
Allow http daemon to communicate with the TTY
false
Run CGI in the main httpd domain
false
Allow BIND to write the master zone files. Generally this is used for dynamic DNS.
false
Allow nfs to be exported read only
false
Allow nfs to be exported read/write.
false
Allow pppd to load kernel modules for certain modems
false
Allow pppd to be run for a regular user
false
Allow reading of default_t files.
false
Allow applications to read untrusted content. If this is disallowed, Internet content has to be manually relabeled for read access to be granted.
false
Allow ssh to run from inetd instead of as a daemon.
false
Allow samba to export user home directories.
false
Allow spamassassin to do DNS lookups
false
Allow user spamassassin clients to use the network.
false
Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
false
Allow ssh logins as sysadm_r:sysadm_t
false
Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
false
Configure stunnel to be a standalone daemon or inetd service.
false
Support NFS home directories
false
Support SAMBA home directories
false
Allow regular users direct mouse access
false
Allow users to read system messages.
false
Allow users to control network interfaces (also needs USERCTL=true)
false
Control users' use of ping and traceroute
false
Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
false
Allow users to rw usb devices
false
Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users). Disabling this forces FTP passive mode and may change other protocols.
false
Allow w to display everyone
false
Allow applications to write untrusted content. If this is disallowed, no Internet content will be stored.