# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. # allow_execmem = true # Allow making a modified private filemapping executable (text relocation). # allow_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # allow_execstack = true # Allow ftpd to read cifs directories. # allow_ftpd_use_cifs = false # Allow ftpd to read nfs directories. # allow_ftpd_use_nfs = false # Allow ftp servers to modify public filesused for public file transfer services. # allow_ftpd_anon_write = false # Allow gssd to read temp directory. # allow_gssd_read_tmp = true # Allow Apache to modify public filesused for public file transfer services. # allow_httpd_anon_write = false # Allow Apache to use mod_auth_pam module # allow_httpd_mod_auth_pam = false # Allow system to run with kerberos # allow_kerberos = true # Allow rsync to modify public filesused for public file transfer services. # allow_rsync_anon_write = false # Allow sasl to read shadow # allow_saslauthd_read_shadow = false # Allow samba to modify public filesused for public file transfer services. # allow_smbd_anon_write = false # Allow system to run with NIS # allow_ypbind = false # Allow zebra to write it own configuration files # allow_zebra_write_config = true # Enable extra rules in the cron domainto support fcron. # fcron_crond = false # Allow ftp to read and write files in the user home directories # ftp_home_dir = false # # allow httpd to connect to mysql/posgresql httpd_can_network_connect_db = false # # allow httpd to send dbus messages to avahi httpd_dbus_avahi = true # # allow httpd to network relay httpd_can_network_relay = false # Allow httpd to use built in scripting (usually php) # httpd_builtin_scripting = true # Allow http daemon to tcp connect # httpd_can_network_connect = false # Allow httpd cgi support # httpd_enable_cgi = true # Allow httpd to act as a FTP server bylistening on the ftp port. # httpd_enable_ftp_server = false # Allow httpd to read home directories # httpd_enable_homedirs = false # Run SSI execs in system CGI script domain. # httpd_ssi_exec = false # Allow http daemon to communicate with the TTY # httpd_tty_comm = true # Run CGI in the main httpd domain # httpd_unified = true # Allow BIND to write the master zone files.Generally this is used for dynamic DNS. # named_write_master_zones = false # Allow nfs to be exported read/write. # nfs_export_all_rw = true # Allow nfs to be exported read only # nfs_export_all_ro = true ## Allow openvpn to read home directories ## openvpn_enable_homedirs = true # Allow pppd to load kernel modules for certain modems # pppd_can_insmod = false # Allow samba to export user home directories. # samba_enable_home_dirs = false # Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. # squid_connect_any = false # Support NFS home directories # use_nfs_home_dirs = true # Support SAMBA home directories # use_samba_home_dirs = false # Control users use of ping and traceroute # user_ping = true # allow host key based authentication # allow_ssh_keysign = false # Allow pppd to be run for a regular user # pppd_for_user = false # Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted # read_untrusted_content = false # Allow spamd to write to users homedirs # spamd_enable_home_dirs = true # Allow regular users direct mouse access # user_direct_mouse = false # Allow regular users direct dri access # user_direct_dri = true # Allow users to read system messages. # user_dmesg = false # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) # user_rw_noexattrfile = false # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. # user_tcp_server = false # Allow w to display everyone # user_ttyfile_stat = false # Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. # write_untrusted_content = false # Allow all domains to talk to ttys # allow_daemons_use_tty = true # Allow login domains to polyinstatiate directories # allow_polyinstantiation = false # Allow all domains to dump core # allow_daemons_dump_core = true # Allow samba to act as the domain controller # samba_domain_controller = false # Allow samba to export user home directories. # samba_run_unconfined = false # Allows XServer to execute writable memory # allow_xserver_execmem = false # disallow guest accounts to execute files that they can create # allow_guest_exec_content = false allow_xguest_exec_content = false # Only allow browser to use the web # browser_confine_xguest=false # Allow postfix locat to write to mail spool # allow_postfix_local_write_mail_spool=true # Allow common users to read/write noexattrfile systems # user_rw_noexattrfile=true # Allow qemu to connect fully to the network # qemu_full_network=true # Allow nsplugin execmem/execstack for bad plugins # allow_nsplugin_execmem=true # Allow unconfined domain to transition to confined domain # allow_unconfined_nsplugin_transition=false # System uses init upstart program # init_upstart = true # Allow mount to mount any file/dir # allow_mount_anyfile = true # Allow confined domains to communicate with ncsd via shared memory # nscd_use_shm = true # Allow fenced domain to connect to the network using TCP. # fenced_can_network_connect=false # Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports. # privoxy_connect_any = true