<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title> Security Enhanced Linux Reference Policy </title> <style type="text/css" media="all">@import "style.css";</style> </head> <body> <div id="Header">Security Enhanced Linux Reference Policy</div> <div id='Menu'> <a 
href="#Content">Skip to content</a> </div> </div> <div id="Content"> <h3>Global tunables:</h3> <p>Each tunable below widens what a confined domain may do; all of them default to <code>false</code> except <code>allow_gssd_read_tmp</code>. Enable only what a service on the host actually needs.</p> <div id="interface"> <div id="codeblock">allow_cvs_read_shadow</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow the cvs daemon to read the shadow password file. This exposes every account's password hash to the cvs daemon, so enable it only when cvs must authenticate users against system accounts.</p> </div></div> <div id="interface"> <div id="codeblock">allow_execmem</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow making anonymous memory executable, e.g. for runtime code generation or an executable stack. Enabling this relaxes the write-xor-execute protection that otherwise stops a domain from executing memory it can also write.</p> </div></div> <div id="interface"> <div id="codeblock">allow_execmod</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow making a modified private file mapping executable (text relocation).</p> </div></div> <div id="interface"> <div id="codeblock">allow_execstack</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow making the stack executable via mprotect. Also requires allow_execmem.</p> </div></div> <div id="interface"> <div id="codeblock">allow_ftpd_anon_write</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow ftp servers to modify public files used for public file transfer services (anonymous upload).</p> </div></div> <div id="interface"> <div id="codeblock">allow_gpg_execstack</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow gpg to use an executable stack.</p> </div></div> <div id="interface"> <div id="codeblock">allow_gssd_read_tmp</div> <div id="description"> <h5>Default value</h5> <p>true</p> <h5>Description</h5> <p><p> Allow gssd to read 
temp directory. This is the only tunable on this page whose default is true.</p></p> </div></div> <div id="interface"> <div id="codeblock">allow_httpd_anon_write</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow Apache to modify public files used for public file transfer services (anonymous upload through the web server).</p> </div></div> <div id="interface"> <div id="codeblock">allow_java_execstack</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow java to use an executable stack.</p> </div></div> <div id="interface"> <div id="codeblock">allow_kerberos</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow the system to run with Kerberos.</p> </div></div> <div id="interface"> <div id="codeblock">allow_ptrace</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow sysadm to ptrace all processes. ptrace gives read and write access to the traced process's memory and registers, so this effectively lets the sysadm domain bypass the confinement of any domain it attaches to; leave it off unless live debugging of confined processes is required.</p> </div></div> <div id="interface"> <div id="codeblock">allow_rsync_anon_write</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow rsync to modify public files used for public file transfer services (anonymous upload).</p> </div></div> <div id="interface"> <div id="codeblock">allow_saslauthd_read_shadow</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow sasl (saslauthd) to read the shadow password file. As with allow_cvs_read_shadow, this exposes password hashes to the daemon; it is only needed when saslauthd authenticates against local system accounts.</p> </div></div> <div id="interface"> <div id="codeblock">allow_smbd_anon_write</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow samba to modify public files used for public file transfer services (anonymous upload).</p> </div></div> <div id="interface"> <div id="codeblock">allow_ssh_keysign</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow host key based authentication (ssh-keysign).</p> </div></div> <div id="interface"> <div id="codeblock">allow_user_mysql_connect</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p><p> Allow users to 
connect to mysql.</p></p> </div></div> <div id="interface"> <div id="codeblock">allow_ypbind</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow the system to run with NIS (ypbind).</p> </div></div> <div id="interface"> <div id="codeblock">cdrecord_read_content</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow cdrecord to read various content: nfs, samba, removable devices, user temp and untrusted content files.</p> </div></div> <div id="interface"> <div id="codeblock">cron_can_relabel</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow system cron jobs to relabel the filesystem for restoring file contexts. Relabeling rewrites the labels every other rule depends on, so grant this only where a scheduled file-context restore is actually run.</p> </div></div> <div id="interface"> <div id="codeblock">fcron_crond</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Enable extra rules in the cron domain to support fcron.</p> </div></div> <div id="interface"> <div id="codeblock">ftp_home_dir</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow ftp to read and write files in the user home directories.</p> </div></div> <div id="interface"> <div id="codeblock">ftpd_is_daemon</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow ftpd to run directly as a daemon, without inetd.</p> </div></div> <div id="interface"> <div id="codeblock">httpd_builtin_scripting</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow httpd to use built-in scripting (usually PHP).</p> </div></div> <div id="interface"> <div id="codeblock">httpd_can_network_connect</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow the http daemon to initiate outbound TCP connections. This is broad: a compromised web application could then reach any host the server can. If only database access is needed, prefer the narrower httpd_can_network_connect_db.</p> </div></div> <div id="interface"> <div id="codeblock">httpd_can_network_connect_db</div> <div id="description"> <h5>Default value</h5> 
<p>false</p> <h5>Description</h5> <p>Allow httpd to connect to mysql/postgresql. This is the narrower alternative to httpd_can_network_connect for web applications that only need a database.</p> </div></div> <div id="interface"> <div id="codeblock">httpd_can_network_relay</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow httpd to act as a relay.</p> </div></div> <div id="interface"> <div id="codeblock">httpd_enable_cgi</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow httpd CGI support.</p> </div></div> <div id="interface"> <div id="codeblock">httpd_enable_ftp_server</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow httpd to act as an FTP server by listening on the ftp port.</p> </div></div> <div id="interface"> <div id="codeblock">httpd_enable_homedirs</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow httpd to read home directories.</p> </div></div> <div id="interface"> <div id="codeblock">httpd_ssi_exec</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Run SSI execs in the system CGI script domain.</p> </div></div> <div id="interface"> <div id="codeblock">httpd_tty_comm</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow the http daemon to communicate with the TTY.</p> </div></div> <div id="interface"> <div id="codeblock">httpd_unified</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Run CGI in the main httpd domain. This removes the separation between the web server and the scripts it runs, so a vulnerable script gains everything httpd itself is allowed; leave it off unless a CGI application cannot work in its own domain.</p> </div></div> <div id="interface"> <div id="codeblock">named_write_master_zones</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow BIND to write the master zone files. Generally this is used for dynamic DNS.</p> </div></div> <div id="interface"> <div id="codeblock">nfs_export_all_ro</div> <div id="description"> <h5>Default value</h5> <p>false</p> 
<h5>Description</h5> <p>Allow all files to be exported read-only over NFS.</p> </div></div> <div id="interface"> <div id="codeblock">nfs_export_all_rw</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow all files to be exported read/write over NFS.</p> </div></div> <div id="interface"> <div id="codeblock">pppd_can_insmod</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow pppd to load kernel modules for certain modems. Loading a module is full kernel privilege, so grant this only on hosts that need such a modem.</p> </div></div> <div id="interface"> <div id="codeblock">pppd_for_user</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow pppd to be run for a regular user.</p> </div></div> <div id="interface"> <div id="codeblock">read_default_t</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow reading of default_t files (the fallback type given to files that no file context specification matches).</p> </div></div> <div id="interface"> <div id="codeblock">read_untrusted_content</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow applications to read untrusted content. If this is disallowed, Internet content has to be manually relabeled for read access to be granted.</p> </div></div> <div id="interface"> <div id="codeblock">run_ssh_inetd</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow ssh to run from inetd instead of as a daemon.</p> </div></div> <div id="interface"> <div id="codeblock">samba_enable_home_dirs</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow samba to export user home directories.</p> </div></div> <div id="interface"> <div id="codeblock">spamassasin_can_network</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow spamassassin to do DNS lookups. Note that this tunable's name is spelled with a single "s" (spamassasin) in the policy; it is distinct from spamassassin_can_network below.</p> </div></div> <div id="interface"> <div id="codeblock">spamassassin_can_network</div> <div 
id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow user spamassassin clients to use the network. This is distinct from spamassasin_can_network above, which covers spamassassin's DNS lookups.</p> </div></div> <div id="interface"> <div id="codeblock">squid_connect_any</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow squid to connect to all ports, not just the HTTP, FTP, and Gopher ports.</p> </div></div> <div id="interface"> <div id="codeblock">ssh_sysadm_login</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow ssh logins directly as sysadm_r:sysadm_t. When this is disabled, an administrator arriving over ssh must log in with a lesser role and switch to sysadm_r afterwards, which keeps the fully privileged role off the network-facing login path.</p> </div></div> <div id="interface"> <div id="codeblock">staff_read_sysadm_file</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow staff_r users to search the sysadm home directory and read files in it (such as ~/.bashrc).</p> </div></div> <div id="interface"> <div id="codeblock">stunnel_is_daemon</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Configure stunnel to be a standalone daemon or an inetd service.</p> </div></div> <div id="interface"> <div id="codeblock">use_nfs_home_dirs</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Support NFS home directories.</p> </div></div> <div id="interface"> <div id="codeblock">use_samba_home_dirs</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Support SAMBA home directories.</p> </div></div> <div id="interface"> <div id="codeblock">user_direct_mouse</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow regular users direct mouse access.</p> </div></div> <div id="interface"> <div id="codeblock">user_dmesg</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow users to read system messages (dmesg).</p> </div></div> <div id="interface"> <div id="codeblock">user_net_control</div> 
<div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow users to control network interfaces (also needs USERCTL=true).</p> </div></div> <div id="interface"> <div id="codeblock">user_ping</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Control whether users may use ping and traceroute.</p> </div></div> <div id="interface"> <div id="codeblock">user_rw_noexattrfile</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow users to read and write files on filesystems that do not support extended attributes (FAT, CDROM, FLOPPY).</p> </div></div> <div id="interface"> <div id="codeblock">user_rw_usb</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow users to read and write usb devices.</p> </div></div> <div id="interface"> <div id="codeblock">user_tcp_server</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow users to run TCP servers (bind to ports and accept connections from the same domain and outside users). Disabling this forces FTP passive mode and may change other protocols.</p> </div></div> <div id="interface"> <div id="codeblock">user_ttyfile_stat</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow w to display everyone (this needs stat access to other users' tty device files).</p> </div></div> <div id="interface"> <div id="codeblock">write_untrusted_content</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p>Allow applications to write untrusted content. If this is disallowed, no Internet content will be stored.</p> </div></div> </div> </body> </html>