Global tunables:

allow_execmem
Default value

false

Description

Allow execution of anonymous mappings, e.g. executable stack.

allow_execmod
Default value

false

Description

Support shared libraries with text relocations

allow_gpg_execstack
Default value

false

Description

Allow gpg executable stack

allow_kerberos
Default value

false

Description

Allow system to run with Kerberos

allow_user_mysql_connect
Default value

false

Description

Allow users to connect to MySQL

allow_ypbind
Default value

false

Description

Allow system to run with NIS

cron_can_relabel
Default value

false

Description

Allow system cron jobs to relabel filesystem for restoring file contexts.

fcron_crond
Default value

false

Description

Enable extra rules in the cron domain to support fcron.

named_write_master_zones
Default value

false

Description

Allow BIND to write the master zone files. Generally this is used for dynamic DNS.

read_default_t
Default value

false

Description

Allow reading of default_t files.

run_ssh_inetd
Default value

false

Description

Allow ssh to run from inetd instead of as a daemon.

ssh_sysadm_login
Default value

false

Description

Allow ssh logins as sysadm_r:sysadm_t

staff_read_sysadm_file
Default value

false

Description

Allow staff_r users to search the sysadm home dir and read files (such as ~/.bashrc)

use_dns
Default value

false

Description

Allow the use of DNS for name resolution.

use_nfs_home_dirs
Default value

false

Description

Support NFS home directories

use_samba_home_dirs
Default value

false

Description

Support SAMBA home directories

user_direct_mouse
Default value

false

Description

Allow regular users direct mouse access

user_dmesg
Default value

false

Description

Allow users to read system messages.

user_net_control
Default value

false

Description

Allow users to control network interfaces (also needs USERCTL=true)

user_ping
Default value

false

Description

Control users' use of ping and traceroute

user_rw_noexattrfile
Default value

false

Description

Allow users to read and write files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

user_rw_usb
Default value

false

Description

Allow users to read and write USB devices

user_tcp_server
Default value

false

Description

Allow users to run TCP servers (bind to ports and accept connections from the same domain and outside users). Disabling this forces FTP passive mode and may change other protocols.

user_ttyfile_stat
Default value

false

Description

Allow the w command to display everyone