Global tunables:

allow_cvs_read_shadow (default: false)
    Allow the cvs daemon to read the shadow password file.

allow_execheap (default: false)
    Allow making the heap executable.

allow_execmem (default: false)
    Allow making anonymous memory executable, e.g. for runtime code generation or an executable stack.

allow_execmod (default: false)
    Allow making a modified private file mapping executable (text relocation).

allow_execstack (default: false)
    Allow making the stack executable via mprotect. Also requires allow_execmem.

allow_ftpd_anon_write (default: false)
    Allow ftp servers to modify public files used for public file transfer services.

allow_gpg_execstack (default: false)
    Allow gpg to have an executable stack.

allow_gssd_read_tmp (default: true)
    Allow gssd to read the temp directory.

allow_httpd_anon_write (default: false)
    Allow Apache to modify public files used for public file transfer services.

allow_java_execstack (default: false)
    Allow java to have an executable stack.

allow_kerberos (default: false)
    Allow the system to run with Kerberos.

allow_ptrace (default: false)
    Allow sysadm to ptrace all processes.

allow_rsync_anon_write (default: false)
    Allow rsync to modify public files used for public file transfer services.

allow_saslauthd_read_shadow (default: false)
    Allow saslauthd to read the shadow password file.

allow_smbd_anon_write (default: false)
    Allow Samba to modify public files used for public file transfer services.

allow_ssh_keysign (default: false)
    Allow host-key-based authentication.

allow_user_mysql_connect (default: false)
    Allow users to connect to mysql.

allow_write_xshm (default: false)
    Allow clients to write to the X server shared memory segments.

allow_ypbind (default: false)
    Allow the system to run with NIS.

cdrecord_read_content (default: false)
    Allow cdrecord to read various content: NFS, Samba, removable devices, user temp and untrusted content files.

cron_can_relabel (default: false)
    Allow system cron jobs to relabel the filesystem for restoring file contexts.

fcron_crond (default: false)
    Enable extra rules in the cron domain to support fcron.

ftp_home_dir (default: false)
    Allow ftp to read and write files in the user home directories.

ftpd_is_daemon (default: false)
    Allow ftpd to run directly without inetd.

httpd_builtin_scripting (default: false)
    Allow httpd to use built-in scripting (usually PHP).

httpd_can_network_connect (default: false)
    Allow the http daemon to make TCP connections.

httpd_can_network_connect_db (default: false)
    Allow httpd to connect to mysql/postgresql.

httpd_can_network_relay (default: false)
    Allow httpd to act as a relay.

httpd_enable_cgi (default: false)
    Allow httpd CGI support.

httpd_enable_ftp_server (default: false)
    Allow httpd to act as an FTP server by listening on the ftp port.

httpd_enable_homedirs (default: false)
    Allow httpd to read home directories.

httpd_ssi_exec (default: false)
    Run SSI execs in the system CGI script domain.

httpd_tty_comm (default: false)
    Allow the http daemon to communicate with the TTY.

httpd_unified (default: false)
    Run CGI in the main httpd domain.

named_write_master_zones (default: false)
    Allow BIND to write the master zone files. Generally this is used for dynamic DNS.

nfs_export_all_ro (default: false)
    Allow nfs to be exported read-only.

nfs_export_all_rw (default: false)
    Allow nfs to be exported read/write.

pppd_can_insmod (default: false)
    Allow pppd to load kernel modules for certain modems.

pppd_for_user (default: false)
    Allow pppd to be run for a regular user.

read_default_t (default: false)
    Allow reading of default_t files.

read_untrusted_content (default: false)
    Allow applications to read untrusted content. If this is disallowed, Internet content has to be manually relabeled for read access to be granted.

run_ssh_inetd (default: false)
    Allow ssh to run from inetd instead of as a daemon.

samba_enable_home_dirs (default: false)
    Allow Samba to export user home directories.

spamassasin_can_network (default: false)
    Allow spamassassin to do DNS lookups.

spamassassin_can_network (default: false)
    Allow user spamassassin clients to use the network.

spamd_enable_home_dirs (default: true)
    Allow spamd to read/write user home directories.

squid_connect_any (default: false)
    Allow squid to connect to all ports, not just the HTTP, FTP, and Gopher ports.

ssh_sysadm_login (default: false)
    Allow ssh logins as sysadm_r:sysadm_t.

staff_read_sysadm_file (default: false)
    Allow staff_r users to search the sysadm home directory and read files (such as ~/.bashrc).

stunnel_is_daemon (default: false)
    Configure stunnel to be a standalone daemon or an inetd service.

use_nfs_home_dirs (default: false)
    Support NFS home directories.

use_samba_home_dirs (default: false)
    Support Samba home directories.

user_direct_mouse (default: false)
    Allow regular users direct mouse access.

user_dmesg (default: false)
    Allow users to read system messages.

user_net_control (default: false)
    Allow users to control network interfaces (also needs USERCTL=true).

user_ping (default: false)
    Control users' use of ping and traceroute.

user_rw_noexattrfile (default: false)
    Allow users to read/write files on filesystems that do not have extended attributes (FAT, CD-ROM, floppy).

user_rw_usb (default: false)
    Allow users to read/write USB devices.

user_tcp_server (default: false)
    Allow users to run TCP servers (bind to ports and accept connections from the same domain and outside users). Disabling this forces FTP passive mode and may change other protocols.

user_ttyfile_stat (default: false)
    Allow w to display everyone.

write_untrusted_content (default: false)
    Allow applications to write untrusted content. If this is disallowed, no Internet content will be stored.

xdm_sysadm_login (default: false)
    Allow xdm logins as sysadm.