## Allow cvs daemon to read shadow ##
#### Allow making the heap executable. ##
#### Allow making anonymous memory executable, e.g. ## for runtime-code generation or executable stack. ##
#### Allow making a modified private file ## mapping executable (text relocation). ##
#### Allow making the stack executable via mprotect. ## Also requires allow_execmem. ##
#### Allow ftp servers to modify public files ## used for public file transfer services. ##
#### Allow gssd to read temp directory. ##
#### Allow Apache to modify public files ## used for public file transfer services. ##
#### Allow java executable stack ##
#### Allow system to run with kerberos ##
#### Allow rsync to modify public files ## used for public file transfer services. ##
#### Allow sasl to read shadow ##
#### Allow samba to modify public files ## used for public file transfer services. ##
#### Allow sysadm to ptrace all processes ##
#### Allow system to run with NIS ##
#### Enable extra rules in the cron domain ## to support fcron. ##
#### Allow ftp to read and write files in the user home directories ##
#### Allow ftpd to run directly without inetd ##
#### Enable reading of urandom for all domains. ##
#### This should be enabled when all programs ## are compiled with ProPolice/SSP ## stack smashing protection. All domains will ## be allowed to read from /dev/urandom. ##
#### Allow httpd to use built in scripting (usually php) ##
#### Allow http daemon to tcp connect ##
#### Allow httpd to connect to mysql/posgresql ##
#### Allow httpd to act as a relay ##
#### Allow httpd cgi support ##
#### Allow httpd to act as a FTP server by ## listening on the ftp port. ##
#### Allow httpd to read home directories ##
#### Run SSI execs in system CGI script domain. ##
#### Allow http daemon to communicate with the TTY ##
#### Run CGI in the main httpd domain ##
#### Allow BIND to write the master zone files. ## Generally this is used for dynamic DNS. ##
#### Allow nfs to be exported read/write. ##
#### Allow nfs to be exported read only ##
#### Allow pppd to load kernel modules for certain modems ##
#### Allow reading of default_t files. ##
#### Allow ssh to run from inetd instead of as a daemon. ##
#### Allow samba to export user home directories. ##
#### Allow spamassassin to do DNS lookups ##
#### Allow squid to connect to all ports, not just ## HTTP, FTP, and Gopher ports. ##
#### Allow ssh logins as sysadm_r:sysadm_t ##
#### Configure stunnel to be a standalone daemon or ## inetd service. ##
#### Support NFS home directories ##
#### Support SAMBA home directories ##
#### Control users use of ping and traceroute ##
#### Allow gpg executable stack ##
#### Allow mplayer executable stack ##
#### allow host key based authentication ##
#### Allow users to connect to mysql ##
#### Allows clients to write to the X server shared ## memory segments. ##
#### Allow cdrecord to read various content. ## nfs, samba, removable devices, user temp ## and untrusted content files ##
#### Allow system cron jobs to relabel filesystem ## for restoring file contexts. ##
#### force to games to run in user_t ## mapping executable (text relocation). ##
#### Disable transitions to evolution domains. ##
#### Disable transitions to user mozilla domains ##
#### Disable transitions to user thunderbird domains ##
#### Allow email client to various content. ## nfs, samba, removable devices, user temp ## and untrusted content files ##
#### Control mozilla content access ##
#### Allow pppd to be run for a regular user ##
#### Allow applications to read untrusted content ## If this is disallowed, Internet content has ## to be manually relabeled for read access to be granted ##
#### Allow user spamassassin clients to use the network. ##
#### Allow staff_r users to search the sysadm home ## dir and read files (such as ~/.bashrc) ##
#### Allow regular users direct mouse access ##
#### Allow users to read system messages. ##
#### Allow users to control network interfaces ## (also needs USERCTL=true) ##
#### Allow user to r/w files on filesystems ## that do not have extended attributes (FAT, CDROM, FLOPPY) ##
#### Allow users to rw usb devices ##
#### Allow users to run TCP servers (bind to ports and accept connection from ## the same domain and outside users) disabling this forces FTP passive mode ## and may change other protocols. ##
#### Allow w to display everyone ##
#### Allow applications to write untrusted content ## If this is disallowed, no Internet content ## will be stored. ##
#### Allow xdm logins as sysadm ##
#### Allow spammd to read/write user home directories. ##
##