Master tunable index:

Module: abrt

Layer: contrib

abrt_anon_write (Default: false)

Determine whether ABRT can modify public files used for public file transfer services.

Module: abrt

Layer: contrib

abrt_handle_event (Default: false)

Determine whether ABRT can run in the abrt_handle_event_t domain to handle ABRT event scripts.

Module: abrt

Layer: contrib

abrt_upload_watch_anon_write (Default: true)

Determine whether abrt-handle-upload can modify public files used for public file transfer services in /var/spool/abrt-upload/.

Module: cvs

Layer: contrib

allow_cvs_read_shadow (Default: false)

Determine whether cvs can read shadow password files.

Global
allow_execheap (Default: false)

Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla.

Global
allow_execmem (Default: false)

Allow unconfined executables to map a memory region as both executable and writable. This is dangerous and the executable should be reported in bugzilla.

Global
allow_execmod (Default: false)

Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t.

Global
allow_execstack (Default: false)

Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla.

Module: ftp

Layer: contrib

allow_ftpd_anon_write (Default: false)

Determine whether ftpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: ftp

Layer: contrib

allow_ftpd_full_access (Default: false)

Determine whether ftpd can log in to local users and can read and write all files on the system, governed by DAC.

Module: ftp

Layer: contrib

allow_ftpd_use_cifs (Default: false)

Determine whether ftpd can use CIFS used for public file transfer services.

Module: ftp

Layer: contrib

allow_ftpd_use_nfs (Default: false)

Determine whether ftpd can use NFS used for public file transfer services.

Module: rpc

Layer: contrib

allow_gssd_read_tmp (Default: false)

Determine whether gssd can read generic user temporary content.

Module: apache

Layer: contrib

allow_httpd_anon_write (Default: false)

Determine whether httpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: apache

Layer: contrib

allow_httpd_mod_auth_pam (Default: false)

Determine whether httpd can use mod_auth_pam.

Module: java

Layer: contrib

allow_java_execstack (Default: false)

Determine whether java can make its stack executable.

Module: kerberos

Layer: contrib

allow_kerberos (Default: false)

Determine whether kerberos is supported.

Module: mount

Layer: system

allow_mount_anyfile (Default: false)

Allow the mount command to mount any directory or file.

Module: mplayer

Layer: contrib

allow_mplayer_execstack (Default: false)

Determine whether mplayer can make its stack executable.

Module: rpc

Layer: contrib

allow_nfsd_anon_write (Default: false)

Determine whether nfs can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Global
allow_polyinstantiation (Default: false)

Enable polyinstantiated directory support.

Module: sysadm

Layer: roles

allow_ptrace (Default: false)

Allow sysadm to debug or ptrace all processes.

Module: rsync

Layer: contrib

allow_rsync_anon_write (Default: false)

Determine whether rsync can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: sasl

Layer: contrib

allow_saslauthd_read_shadow (Default: false)

Determine whether sasl can read shadow files.

Module: samba

Layer: contrib

allow_smbd_anon_write (Default: false)

Determine whether samba can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: ssh

Layer: services

allow_ssh_keysign (Default: false)

Allow host key based authentication.

Module: userdomain

Layer: system

allow_user_mysql_connect (Default: false)

Allow users to connect to mysql

Module: userdomain

Layer: system

allow_user_postgresql_connect (Default: false)

Allow users to connect to PostgreSQL

Module: xserver

Layer: services

allow_write_xshm (Default: false)

Allows clients to write to the X server shared memory segments.

Global
allow_ypbind (Default: false)

Allow system to run with NIS

Module: zebra

Layer: contrib

allow_zebra_write_config (Default: false)

Determine whether zebra daemon can manage its configuration files.

Module: amavis

Layer: contrib

amavis_use_jit (Default: false)

Determine whether amavis can use JIT compiler.

Module: authlogin

Layer: system

authlogin_nsswitch_use_ldap (Default: false)

Allow users to resolve user passwd entries directly from ldap rather than using an sssd server.

Module: awstats

Layer: contrib

awstats_purge_apache_log_files (Default: false)

Determine whether awstats can purge httpd log files.

Module: boinc

Layer: contrib

boinc_execmem (Default: true)

Determine whether boinc can execmem/execstack.

Module: cdrecord

Layer: contrib

cdrecord_read_content (Default: false)

Determine whether cdrecord can read various content: nfs, samba, removable devices, user temp and untrusted content files.

Module: clamav

Layer: contrib

clamav_read_all_non_security_files_clamscan (Default: false)

Determine whether clamscan can read all non-security files.

Module: clamav

Layer: contrib

clamav_read_user_content_files_clamscan (Default: false)

Determine whether clamscan can read user content files.

Module: clamav

Layer: contrib

clamd_use_jit (Default: false)

Determine whether clamd can use JIT compiler.

Module: cobbler

Layer: contrib

cobbler_anon_write (Default: false)

Determine whether Cobbler can modify public files used for public file transfer services.

Module: cobbler

Layer: contrib

cobbler_can_network_connect (Default: false)

Determine whether Cobbler can connect to the network using TCP.

Module: cobbler

Layer: contrib

cobbler_use_cifs (Default: false)

Determine whether Cobbler can access cifs file systems.

Module: cobbler

Layer: contrib

cobbler_use_nfs (Default: false)

Determine whether Cobbler can access nfs file systems.

Module: collectd

Layer: contrib

collectd_tcp_network_connect (Default: false)

Determine whether collectd can connect to the network using TCP.

Module: condor

Layer: contrib

condor_tcp_network_connect (Default: false)

Determine whether Condor can connect to the network using TCP.

Global
console_login (Default: true)

Allow logging in and using the system from /dev/console.

Module: cron

Layer: contrib

cron_can_relabel (Default: false)

Determine whether system cron jobs can relabel filesystem for restoring file contexts.

Module: cron

Layer: contrib

cron_userdomain_transition (Default: false)

Determine whether crond can execute jobs in the user domain as opposed to the generic cronjob domain.

Module: dbadm

Layer: contrib

dbadm_manage_user_files (Default: false)

Determine whether dbadm can manage generic user files.

Module: dbadm

Layer: contrib

dbadm_read_user_files (Default: false)

Determine whether dbadm can read generic user files.

Module: dhcp

Layer: contrib

dhcpd_use_ldap (Default: false)

Determine whether DHCP daemon can use LDAP backends.

Module: entropyd

Layer: contrib

entropyd_use_audio (Default: false)

Determine whether entropyd can use audio devices as the source for the entropy feeds.

Module: exim

Layer: contrib

exim_can_connect_db (Default: false)

Determine whether exim can connect to databases.

Module: exim

Layer: contrib

exim_manage_user_files (Default: false)

Determine whether exim can create, read, write, and delete generic user content files.

Module: exim

Layer: contrib

exim_read_user_files (Default: false)

Determine whether exim can read generic user content files.

Module: cron

Layer: contrib

fcron_crond (Default: false)

Determine whether extra rules should be enabled to support fcron.

Module: rhcs

Layer: contrib

fenced_can_network_connect (Default: false)

Determine whether fenced can connect to the TCP network.

Module: rhcs

Layer: contrib

fenced_can_ssh (Default: false)

Determine whether fenced can use ssh.

Module: ftp

Layer: contrib

ftp_home_dir (Default: false)

Determine whether ftpd can read and write files in user home directories.

Module: ftp

Layer: contrib

ftpd_connect_all_unreserved (Default: false)

Determine whether ftpd can connect to all unreserved ports.

Module: ftp

Layer: contrib

ftpd_connect_db (Default: false)

Determine whether ftpd can connect to databases over the TCP network.

Module: ftp

Layer: contrib

ftpd_use_passive_mode (Default: false)

Determine whether ftpd can bind to all unreserved ports for passive mode.

Module: git

Layer: contrib

git_cgi_enable_homedirs (Default: false)

Determine whether Git CGI can search home directories.

Module: git

Layer: contrib

git_cgi_use_cifs (Default: false)

Determine whether Git CGI can access cifs file systems.

Module: git

Layer: contrib

git_cgi_use_nfs (Default: false)

Determine whether Git CGI can access nfs file systems.

Module: git

Layer: contrib

git_session_bind_all_unreserved_ports (Default: false)

Determine whether Git session daemon can bind TCP sockets to all unreserved ports.

Module: git

Layer: contrib

git_session_send_syslog_msg (Default: false)

Determine whether Git session daemons can send syslog messages.

Module: git

Layer: contrib

git_session_users (Default: false)

Determine whether calling user domains can execute Git daemon in the git_session_t domain.

Module: git

Layer: contrib

git_system_enable_homedirs (Default: false)

Determine whether Git system daemon can search home directories.

Module: git

Layer: contrib

git_system_use_cifs (Default: false)

Determine whether Git system daemon can access cifs file systems.

Module: git

Layer: contrib

git_system_use_nfs (Default: false)

Determine whether Git system daemon can access nfs file systems.

Module: gitosis

Layer: contrib

gitosis_can_sendmail (Default: false)

Determine whether Gitosis can send mail.

Global
global_ssp (Default: false)

Enable reading of urandom for all domains.

This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.

Module: gpg

Layer: contrib

gpg_agent_env_file (Default: false)

Determine whether GPG agent can manage generic user home content files. This is required by the --write-env-file option.

Module: apache

Layer: contrib

httpd_builtin_scripting (Default: false)

Determine whether httpd can use built in scripting.

Module: apache

Layer: contrib

httpd_can_check_spam (Default: false)

Determine whether httpd can check spam.

Module: apache

Layer: contrib

httpd_can_network_connect (Default: false)

Determine whether httpd scripts and modules can connect to the network using TCP.

Module: apache

Layer: contrib

httpd_can_network_connect_cobbler (Default: false)

Determine whether httpd scripts and modules can connect to cobbler over the network.

Module: apache

Layer: contrib

httpd_can_network_connect_db (Default: false)

Determine whether scripts and modules can connect to databases over the network.

Module: apache

Layer: contrib

httpd_can_network_connect_ldap (Default: false)

Determine whether httpd can connect to ldap over the network.

Module: apache

Layer: contrib

httpd_can_network_connect_memcache (Default: false)

Determine whether httpd can connect to memcache server over the network.

Module: apache

Layer: contrib

httpd_can_network_connect_zabbix (Default: false)

Determine whether httpd daemon can connect to zabbix over the network.

Module: apache

Layer: contrib

httpd_can_network_relay (Default: false)

Determine whether httpd can act as a relay.

Module: apache

Layer: contrib

httpd_can_sendmail (Default: false)

Determine whether httpd can send mail.

Module: apache

Layer: contrib

httpd_dbus_avahi (Default: false)

Determine whether httpd can communicate with avahi service via dbus.

Module: apache

Layer: contrib

httpd_enable_cgi (Default: false)

Determine whether httpd can use CGI support.

Module: apache

Layer: contrib

httpd_enable_ftp_server (Default: false)

Determine whether httpd can act as a FTP server by listening on the ftp port.

Module: apache

Layer: contrib

httpd_enable_homedirs (Default: false)

Determine whether httpd can traverse user home directories.

Module: apache

Layer: contrib

httpd_execmem (Default: false)

Determine whether httpd scripts and modules can use execmem and execstack.

Module: apache

Layer: contrib

httpd_gpg_anon_write (Default: false)

Determine whether httpd gpg can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: apache

Layer: contrib

httpd_graceful_shutdown (Default: false)

Determine whether httpd can connect to port 80 for graceful shutdown.

Module: apache

Layer: contrib

httpd_manage_ipa (Default: false)

Determine whether httpd can manage IPA content files.

Module: apache

Layer: contrib

httpd_mod_auth_ntlm_winbind (Default: false)

Determine whether httpd can use mod_auth_ntlm_winbind.

Module: apache

Layer: contrib

httpd_read_user_content (Default: false)

Determine whether httpd can read generic user home content files.

Module: apache

Layer: contrib

httpd_setrlimit (Default: false)

Determine whether httpd can change its resource limits.

Module: apache

Layer: contrib

httpd_ssi_exec (Default: false)

Determine whether httpd can run SSI executables in the same domain as system CGI scripts.

Module: apache

Layer: contrib

httpd_tmp_exec (Default: false)

Determine whether httpd can execute its temporary content.

Module: apache

Layer: contrib

httpd_tty_comm (Default: false)

Determine whether httpd can communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.

Module: apache

Layer: contrib

httpd_unified (Default: false)

Determine whether httpd can have full access to its content types.

Module: apache

Layer: contrib

httpd_use_cifs (Default: false)

Determine whether httpd can use cifs file systems.

Module: apache

Layer: contrib

httpd_use_fusefs (Default: false)

Determine whether httpd can use fuse file systems.

Module: apache

Layer: contrib

httpd_use_gpg (Default: false)

Determine whether httpd can use gpg.

Module: apache

Layer: contrib

httpd_use_nfs (Default: false)

Determine whether httpd can use nfs file systems.

Module: icecast

Layer: contrib

icecast_use_any_tcp_ports (Default: false)

Determine whether icecast can listen on and connect to any TCP port.

Module: init

Layer: system

init_upstart (Default: false)

Enable support for upstart as the init program.

Module: irc

Layer: contrib

irc_use_any_tcp_ports (Default: false)

Determine whether irc clients can listen on and connect to any unreserved TCP ports.

Module: logwatch

Layer: contrib

logwatch_can_network_connect_mail (Default: false)

Determine whether logwatch can connect to mail over the network.

Global
mail_read_content (Default: false)

Allow email client to read various content: nfs, samba, removable devices, and user temp files.

Module: mcelog

Layer: contrib

mcelog_client (Default: false)

Determine whether mcelog supports client mode.

Module: mcelog

Layer: contrib

mcelog_exec_scripts (Default: true)

Determine whether mcelog can execute scripts.

Module: mcelog

Layer: contrib

mcelog_foreground (Default: false)

Determine whether mcelog can use all the user ttys.

Module: mcelog

Layer: contrib

mcelog_server (Default: false)

Determine whether mcelog supports server mode.

Module: mcelog

Layer: contrib

mcelog_syslog (Default: false)

Determine whether mcelog can use syslog.

Module: minidlna

Layer: contrib

minidlna_read_generic_user_content (Default: false)

Determine whether minidlna can read generic user content.

Module: domain

Layer: kernel

mmap_low_allowed (Default: false)

Control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.

Module: mozilla

Layer: contrib

mozilla_execstack (Default: false)

Determine whether mozilla can make its stack executable.

Module: mpd

Layer: contrib

mpd_enable_homedirs (Default: false)

Determine whether mpd can traverse user home directories.

Module: mpd

Layer: contrib

mpd_use_cifs (Default: false)

Determine whether mpd can use cifs file systems.

Module: mpd

Layer: contrib

mpd_use_nfs (Default: false)

Determine whether mpd can use nfs file systems.

Module: mysql

Layer: contrib

mysql_connect_any (Default: false)

Determine whether mysqld can connect to all TCP ports.

Module: bind

Layer: contrib

named_tcp_bind_http_port (Default: false)

Determine whether Bind can bind tcp socket to http ports.

Module: bind

Layer: contrib

named_write_master_zones (Default: false)

Determine whether Bind can write to master zone files. Generally this is used for dynamic DNS or zone transfers.

Global
nfs_export_all_ro (Default: false)

Allow any files/directories to be exported read/only via NFS.

Global
nfs_export_all_rw (Default: false)

Allow any files/directories to be exported read/write via NFS.

Module: nscd

Layer: contrib

nscd_use_shm (Default: false)

Determine whether confined applications can use nscd shared memory.

Module: openvpn

Layer: contrib

openvpn_can_network_connect (Default: false)

Determine whether openvpn can connect to the TCP network.

Module: openvpn

Layer: contrib

openvpn_enable_homedirs (Default: false)

Determine whether openvpn can read generic user home content files.

Module: polipo

Layer: contrib

polipo_session_send_syslog_msg (Default: false)

Determine whether Polipo session daemon can send syslog messages.

Module: polipo

Layer: contrib

polipo_session_users (Default: false)

Determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain.

Module: polipo

Layer: contrib

polipo_system_use_cifs (Default: false)

Determine whether Polipo system daemon can access CIFS file systems.

Module: polipo

Layer: contrib

polipo_system_use_nfs (Default: false)

Determine whether Polipo system daemon can access NFS file systems.

Module: portage

Layer: contrib

portage_use_nfs (Default: false)

Determine whether portage can use nfs filesystems.

Module: postfix

Layer: contrib

postfix_local_write_mail_spool (Default: true)

Determine whether postfix local can manage mail spool content.

Module: ppp

Layer: contrib

pppd_can_insmod (Default: false)

Determine whether pppd can load kernel modules.

Module: ppp

Layer: contrib

pppd_for_user (Default: false)

Determine whether common users can run pppd with a domain transition.

Module: privoxy

Layer: contrib

privoxy_connect_any (Default: false)

Determine whether privoxy can connect to all tcp ports.

Module: puppet

Layer: contrib

puppet_manage_all_files (Default: false)

Determine whether puppet can manage all non-security files.

Module: qemu

Layer: contrib

qemu_full_network (Default: false)

Determine whether qemu has full access to the network.

Module: ipsec

Layer: system

racoon_read_shadow (Default: false)

Allow racoon to read shadow

Module: rgmanager

Layer: contrib

rgmanager_can_network_connect (Default: false)

Determine whether rgmanager can connect to the network using TCP.

Module: rsync

Layer: contrib

rsync_client (Default: false)

Determine whether rsync can run as a client

Module: rsync

Layer: contrib

rsync_export_all_ro (Default: false)

Determine whether rsync can export all content read only.

Module: rsync

Layer: contrib

rsync_use_cifs (Default: false)

Determine whether rsync can use cifs file systems.

Module: rsync

Layer: contrib

rsync_use_fusefs (Default: false)

Determine whether rsync can use fuse file systems.

Module: rsync

Layer: contrib

rsync_use_nfs (Default: false)

Determine whether rsync can use nfs file systems.

Module: samba

Layer: contrib

samba_create_home_dirs (Default: false)

Determine whether samba can create home directories via pam.

Module: samba

Layer: contrib

samba_domain_controller (Default: false)

Determine whether samba can act as the domain controller, add users, groups and change passwords.

Module: samba

Layer: contrib

samba_enable_home_dirs (Default: false)

Determine whether samba can share users' home directories.

Module: samba

Layer: contrib

samba_export_all_ro (Default: false)

Determine whether samba can share any content read only.

Module: samba

Layer: contrib

samba_export_all_rw (Default: false)

Determine whether samba can share any content readable and writable.

Module: samba

Layer: contrib

samba_portmapper (Default: false)

Determine whether samba can act as a portmapper.

Module: samba

Layer: contrib

samba_run_unconfined (Default: false)

Determine whether samba can run unconfined scripts.

Module: samba

Layer: contrib

samba_share_fusefs (Default: false)

Determine whether samba can use fuse file systems.

Module: samba

Layer: contrib

samba_share_nfs (Default: false)

Determine whether samba can use nfs file systems.

Module: sanlock

Layer: contrib

sanlock_use_nfs (Default: false)

Determine whether sanlock can use nfs file systems.

Module: sanlock

Layer: contrib

sanlock_use_samba (Default: false)

Determine whether sanlock can use cifs file systems.

Module: postgresql

Layer: services

sepgsql_enable_users_ddl (Default: false)

Allow unprivileged users to execute DDL statements.

Module: postgresql

Layer: services

sepgsql_transmit_client_label (Default: false)

Allow transmit client label to foreign database

Module: postgresql

Layer: services

sepgsql_unconfined_dbadm (Default: false)

Allow database admins to execute DML statement

Module: ftp

Layer: contrib

sftpd_anon_write (Default: false)

Determine whether sftpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: ftp

Layer: contrib

sftpd_enable_homedirs (Default: false)

Determine whether sftpd can read and write files in user home directories.

Module: ftp

Layer: contrib

sftpd_full_access (Default: false)

Determine whether sftpd can log in to local users and read and write all files on the system, governed by DAC.

Module: ftp

Layer: contrib

sftpd_write_ssh_home (Default: false)

Determine whether sftpd can read and write files in user ssh home directories.

Module: smartmon

Layer: contrib

smartmon_3ware (Default: false)

Determine whether smartmon can support devices on 3ware controllers.

Module: spamassassin

Layer: contrib

spamassassin_can_network (Default: false)

Determine whether spamassassin clients can use the network.

Module: spamassassin

Layer: contrib

spamd_enable_home_dirs (Default: false)

Determine whether spamd can manage generic user home content.

Module: squid

Layer: contrib

squid_connect_any (Default: false)

Determine whether squid can connect to all TCP ports.

Module: squid

Layer: contrib

squid_use_tproxy (Default: false)

Determine whether squid can run as a transparent proxy.

Module: ssh

Layer: services

ssh_sysadm_login (Default: false)

Allow ssh logins as sysadm_r:sysadm_t

Module: ssh

Layer: services

ssh_use_gpg_agent (Default: false)

Allow ssh to use gpg-agent

Module: telepathy

Layer: contrib

telepathy_connect_all_ports (Default: false)

Determine whether telepathy connection managers can connect to any port.

Module: telepathy

Layer: contrib

telepathy_tcp_connect_generic_network_ports (Default: false)

Determine whether telepathy connection managers can connect to generic tcp ports.

Module: tftp

Layer: contrib

tftp_anon_write (Default: false)

Determine whether tftp can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Module: tftp

Layer: contrib

tftp_enable_homedir (Default: false)

Determine whether tftp can manage generic user home content.

Module: tor

Layer: contrib

tor_bind_all_unreserved_ports (Default: false)

Determine whether tor can bind tcp sockets to all unreserved ports.

Module: lpd

Layer: contrib

use_lpd_server (Default: false)

Determine whether to support lpd server.

Global
use_nfs_home_dirs (Default: false)

Support NFS home directories

Global
use_samba_home_dirs (Default: false)

Support SAMBA home directories

Module: userdomain

Layer: system

user_direct_mouse (Default: false)

Allow regular users direct mouse access

Module: userdomain

Layer: system

user_dmesg (Default: false)

Allow users to read system messages.

Module: netutils

Layer: admin

user_ping (Default: false)

Control users' use of ping and traceroute.

Module: userdomain

Layer: system

user_rw_noexattrfile (Default: false)

Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

Global
user_tcp_server (Default: false)

Allow users to run TCP servers (bind to ports and accept connections from the same domain and outside users). Disabling this forces FTP passive mode and may change other protocols.

Module: userdomain

Layer: system

user_ttyfile_stat (Default: false)

Allow w to display everyone

Module: varnishd

Layer: contrib

varnishd_connect_any (Default: false)

Determine whether varnishd can use the full TCP network.

Module: vbetool

Layer: contrib

vbetool_mmap_zero_ignore (Default: false)

Determine whether attempts by vbetool to mmap low regions should be silently blocked.

Module: virt

Layer: contrib

virt_use_comm (Default: false)

Determine whether confined virtual guests can use serial/parallel communication ports.

Module: virt

Layer: contrib

virt_use_execmem (Default: false)

Determine whether confined virtual guests can use executable memory and can make their stack executable.

Module: virt

Layer: contrib

virt_use_fusefs (Default: false)

Determine whether confined virtual guests can use fuse file systems.

Module: virt

Layer: contrib

virt_use_nfs (Default: false)

Determine whether confined virtual guests can use nfs file systems.

Module: virt

Layer: contrib

virt_use_samba (Default: false)

Determine whether confined virtual guests can use cifs file systems.

Module: virt

Layer: contrib

virt_use_sysfs (Default: false)

Determine whether confined virtual guests can manage device configuration.

Module: virt

Layer: contrib

virt_use_usb (Default: false)

Determine whether confined virtual guests can use usb devices.

Module: virt

Layer: contrib

virt_use_xserver (Default: false)

Determine whether confined virtual guests can interact with xserver.

Module: webadm

Layer: contrib

webadm_manage_user_files (Default: false)

Determine whether webadm can manage generic user files.

Module: webadm

Layer: contrib

webadm_read_user_files (Default: false)

Determine whether webadm can read generic user files.

Module: wine

Layer: contrib

wine_mmap_zero_ignore (Default: false)

Determine whether attempts by wine to mmap low regions should be silently blocked.

Module: xserver

Layer: services

xdm_sysadm_login (Default: false)

Allow xdm logins as sysadm

Module: xen

Layer: contrib

xen_use_fusefs (Default: false)

Determine whether xen can use fusefs file systems.

Module: xen

Layer: contrib

xen_use_nfs (Default: false)

Determine whether xen can use nfs file systems.

Module: xen

Layer: contrib

xen_use_samba (Default: false)

Determine whether xen can use samba file systems.

Module: xen

Layer: contrib

xend_run_blktap (Default: false)

Determine whether xend can run blktapctrl and tapdisk.

Module: xguest

Layer: contrib

xguest_connect_network (Default: false)

Determine whether xguest can configure network manager.

Module: xguest

Layer: contrib

xguest_mount_media (Default: false)

Determine whether xguest can mount removable media.

Module: xguest

Layer: contrib

xguest_use_bluetooth (Default: false)

Determine whether xguest can use Bluetooth devices.

Module: xserver

Layer: services

xserver_object_manager (Default: false)

Support X userspace object manager

Module: zabbix

Layer: contrib

zabbix_can_network (Default: false)

Determine whether zabbix can connect to all TCP ports