# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.

# 

allow_execmem = false

# Allow making a modified private filemapping executable (text relocation).

# 

allow_execmod = false

# Allow making the stack executable via mprotect.Also requires allow_execmem.

# 

allow_execstack = true

# Allow ftpd to read cifs directories.

# 

allow_ftpd_use_cifs = false

# Allow ftpd to read nfs directories.

# 

allow_ftpd_use_nfs = false

# Allow ftp servers to modify public filesused for public file transfer services.

# 

allow_ftpd_anon_write = false

# Allow gssd to read temp directory.

# 

allow_gssd_read_tmp = true

# Allow Apache to modify public filesused for public file transfer services.

# 

allow_httpd_anon_write = false

# Allow Apache to use mod_auth_pam module

# 

allow_httpd_mod_auth_pam = false

# Allow system to run with kerberos

# 

allow_kerberos = true

# Allow rsync to modify public filesused for public file transfer services.

# 

allow_rsync_anon_write = false

# Allow sasl to read shadow

# 

allow_saslauthd_read_shadow = false

# Allow samba to modify public filesused for public file transfer services.

# 

allow_smbd_anon_write = false

# Allow system to run with NIS

# 

allow_ypbind = false

# Allow zebra to write it own configuration files

# 

allow_zebra_write_config = false

# Enable extra rules in the cron domainto support fcron.

# 

fcron_crond = false

# Allow ftp to read and write files in the user home directories

# 

ftp_home_dir = false

#

# allow httpd to connect to mysql/posgresql 

httpd_can_network_connect_db = false

#

# allow httpd to send dbus messages to avahi

httpd_dbus_avahi = true

#

# allow httpd to network relay

httpd_can_network_relay = false

# Allow httpd to use built in scripting (usually php)

# 

httpd_builtin_scripting = true

# Allow http daemon to tcp connect

# 

httpd_can_network_connect = false

# Allow httpd cgi support

# 

httpd_enable_cgi = true

# Allow httpd to act as a FTP server bylistening on the ftp port.

# 

httpd_enable_ftp_server = false

# Allow httpd to read home directories

# 

httpd_enable_homedirs = false

# Run SSI execs in system CGI script domain.

# 

httpd_ssi_exec = false

# Allow http daemon to communicate with the TTY

# 

httpd_tty_comm = false

# Run CGI in the main httpd domain

# 

httpd_unified = false

# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.

# 

named_write_master_zones = false

# Allow nfs to be exported read/write.

# 

nfs_export_all_rw = true

# Allow nfs to be exported read only

# 

nfs_export_all_ro = true

# Allow pppd to load kernel modules for certain modems

# 

pppd_can_insmod = false

# Allow reading of default_t files.

# 

read_default_t = false

# Allow samba to export user home directories.

# 

samba_enable_home_dirs = false

# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.

# 

squid_connect_any = false

# Support NFS home directories

# 

use_nfs_home_dirs = true

# Support SAMBA home directories

# 

use_samba_home_dirs = false

# Control users use of ping and traceroute

# 

user_ping = false

# allow host key based authentication

# 

allow_ssh_keysign = false

# Allow pppd to be run for a regular user

# 

pppd_for_user = false

# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted

# 

read_untrusted_content = false

# Allow spamd to write to users homedirs

# 

spamd_enable_home_dirs = false

# Allow regular users direct mouse access

# 

user_direct_mouse = false

# Allow users to read system messages.

# 

user_dmesg = false

# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)

# 

user_rw_noexattrfile = false

# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.

# 

user_tcp_server = false

# Allow w to display everyone

# 

user_ttyfile_stat = false

# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.

# 

write_untrusted_content = false

# Allow all domains to talk to ttys

# 

allow_daemons_use_tty = false

# Allow login domains to polyinstatiate directories

# 

allow_polyinstantiation = false

# Allow all domains to dump core

# 

allow_daemons_dump_core = true

# Allow samba to act as the domain controller

# 

samba_domain_controller = false

# Allow samba to export user home directories.

# 

samba_run_unconfined = false

# Allows XServer to execute writable memory

# 

allow_xserver_execmem = false

# disallow guest accounts to execute files that they can create 

# 

allow_guest_exec_content = false

allow_xguest_exec_content = false

# Only allow browser to use the web

# 

browser_confine_xguest=false

# Allow postfix locat to write to mail spool

# 

allow_postfix_local_write_mail_spool=false

# Allow common users to read/write noexattrfile systems

# 

user_rw_noexattrfile=true

# Allow qemu to connect fully to the network

# 

qemu_full_network=true

# Allow nsplugin execmem/execstack for bad plugins

# 

allow_nsplugin_execmem=true

# Allow unconfined domain to transition to confined domain

# 

allow_unconfined_nsplugin_transition=true

# System uses init upstart program

# 

init_upstart = true

# Allow mount to mount any file/dir

# 

allow_mount_anyfile = true