Allow ABRT to modify public files used for public file transfer services.

Determine whether ABRT can run in the abrt_handle_event_t domain to handle ABRT event scripts.

Determine whether abrt-handle-upload can modify public files used for public file transfer services in /var/spool/abrt-upload/.

Determine whether amavis can use JIT compiler.

Allow antivirus programs to read non security files on a system

Determine whether can antivirus programs use JIT compiler.

Allow users to resolve user passwd entries directly from ldap rather then using a sssd server

Allow users to login using a radius server

Allow users to login using a yubikey OTP server or challenge response mode

Determine whether awstats can purge httpd log files.

Determine whether boinc can execmem/execstack.

Determine whether cdrecord can read various content. nfs, samba, removable devices, user temp and untrusted content files

Determine whether clamscan can read all non-security files.

Determine whether clamscan can read user content files.

Determine whether can clamd use JIT compiler.

Allow cluster administrative domains to connect to the network using TCP.

Allow cluster administrative domains to manage all files on a system.

Allow cluster administrative cluster domains memcheck-amd64- to use executable memory

Determine whether Cobbler can modify public files used for public file transfer services.

Determine whether Cobbler can connect to the network using TCP.

Determine whether Cobbler can access cifs file systems.

Determine whether Cobbler can access nfs file systems.

Determine whether collectd can connect to the network using TCP.

Determine whether Condor can connect to the network using TCP.

Determine whether conman can connect to all TCP ports

Determine whether container can connect to all TCP ports.

Allow system cron jobs to relabel filesystem for restoring file contexts.

Allow system cronjob to be executed on on NFS, CIFS or FUSE filesystem.

Determine whether crond can execute jobs in the user domain as opposed to the the generic cronjob domain.

Allow cups execmem/execstack

Determine whether cvs can read shadow password files.

Allow all daemons to write corefiles to /

Enable cluster mode for daemons.

Allow all daemons to use tcp wrappers.

Allow all daemons the ability to read/write terminals

Determine whether dbadm can manage generic user files.

Determine whether dbadm can read generic user files.

Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla

Deny any process from ptracing or debugging any other processes.

Allow dhcpc client applications to execute iptables commands

Determine whether DHCP daemon can use LDAP backends.

Allow all domains to use other domains file descriptors

Allow all domains to have the kernel load modules

Determine whether entropyd can use audio devices as the source for the entropy feeds.

Determine whether exim can connect to databases.

Determine whether exim can create, read, write, and delete generic user content files.

Determine whether exim can read generic user content files.

Enable extra rules in the cron domain to support fcron.

Determine whether fenced can connect to the TCP network.

Determine whether fenced can use ssh.

Allow all domains to execute in fips_mode

Determine whether ftpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Determine whether ftpd can connect to all unreserved ports.

Determine whether ftpd can connect to databases over the TCP network.

Determine whether ftpd can login to local users and can read and write all files on the system, governed by DAC.

Determine whether ftpd can use CIFS used for public file transfer services.

Allow ftpd to use ntfs/fusefs volumes.

Determine whether ftpd can use NFS used for public file transfer services.

Determine whether ftpd can bind to all unreserved ports for passive mode.

Determine whether Git CGI can search home directories.

Determine whether Git CGI can access cifs file systems.

Determine whether Git CGI can access nfs file systems.

Determine whether Git session daemon can bind TCP sockets to all unreserved ports.

Determine whether calling user domains can execute Git daemon in the git_session_t domain.

Determine whether Git system daemon can search home directories.

Determine whether Git system daemon can access cifs file systems.

Determine whether Git system daemon can access nfs file systems.

Determine whether Gitosis can send mail.

Determine whether glance-api can connect to all TCP ports

Allow glance domain to use executable memory and executable stack

Allow glance domain to manage fuse files

Enable reading of urandom for all domains.

This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.

Allow glusterfsd to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.

Allow glusterfsd to share any file/directory read only.

Allow glusterfsd to share any file/directory read/write.

Allow gpg web domain to modify public files used for public file transfer services.

Allow gssd to list tmp directories and read the kerberos credential cache.

Determine whether haproxy can connect to all TCP ports.

Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Allow httpd to use built in scripting (usually php)

Allow http daemon to check spam

Allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports

Allow httpd to connect to the ldap port

Allow http daemon to connect to mythtv

Allow http daemon to connect to zabbix

Allow HTTPD scripts and modules to connect to the network using TCP.

Allow HTTPD scripts and modules to connect to cobbler over the network.

Allow HTTPD scripts and modules to connect to databases over the network.

Allow httpd to connect to memcache server

Allow httpd to act as a relay

Allow http daemon to send mail

Allow Apache to communicate with avahi service via dbus

Allow Apache to communicate with sssd service via dbus

Dontaudit Apache to search dirs.

Allow httpd cgi support

Allow httpd to act as a FTP server by listening on the ftp port.

Allow httpd to read home directories

Allow httpd scripts and modules execmem/execstack

Allow HTTPD to connect to port 80 for graceful shutdown

Allow httpd processes to manage IPA content

Allow Apache to use mod_auth_ntlm_winbind

Allow Apache to use mod_auth_pam

Allow httpd to read user content

Allow httpd processes to run IPA helper.

Allow Apache to run preupgrade

Allow Apache to run in stickshift mode, not transition to passenger

Allow HTTPD scripts and modules to server cobbler files.

Allow httpd daemon to change its resource limits

Allow HTTPD to run SSI executables in the same domain as system CGI scripts.

Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.

Allow Apache to execute tmp content.

Unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.

Unify HTTPD handling of all content files.

Allow httpd to access cifs file systems

Allow httpd to access FUSE file systems

Allow httpd to run gpg

Allow httpd to access nfs file systems

Allow httpd to access openstack ports

Allow httpd to connect to sasl

Allow Apache to query NS records

Determine whether icecast can listen on and connect to any TCP port.

Determine whether irc clients can listen on and connect to any unreserved TCP ports.

Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port.

Determine whether java can make its stack executable.

Allow s-c-kdump to run bootloader in bootloader_t.

Allow confined applications to run with kerberos.

Allow ksmtuned to use cifs/Samba file systems

Allow ksmtuned to use nfs file systems

Allow syslogd daemon to send mail

Allow syslogd the ability to call nagios plugins. It is turned on by omprog rsyslog plugin.

Allow syslogd the ability to read/write terminals

Allow logging in and using the system from /dev/console.

Allow logrotate to read logs inside

Allow logrotate to manage nfs files

Determine whether logwatch can connect to mail over the network.

Determine whether lsmd_plugin can connect to all TCP ports.

Allow mailman to access FUSE file systems

Determine whether mcelog supports client mode.

Determine whether mcelog can execute scripts.

Determine whether mcelog can use all the user ttys.

Determine whether mcelog supports server mode.

Determine whether minidlna can read generic user content.

Control the ability to mmap a low area of the address space, as configured by /proc/sys/vm/mmap_min_addr.

Allow mock to read files in home directories.

Allow the mount commands to mount any directory or file.

Allow mozilla plugin domain to bind unreserved tcp/udp ports.

Allow mozilla plugin domain to connect to the network using TCP.

Allow mozilla plugin to use Bluejeans.

Allow mozilla plugin to support GPS.

Allow mozilla plugin to support spice protocols.

Allow confined web browsers to read home directory content

Determine whether mpd can traverse user home directories.

Determine whether mpd can use cifs file systems.

Determine whether mpd can use nfs file systems.

Determine whether mplayer can make its stack executable.

Allow mysqld to connect to all ports

Allow mysqld to connect to http port

Allow nagios run in conjunction with PNP4Nagios.

Allow nagios/nrpe to call sudo from NRPE utils scripts.

Determine whether Bind can bind tcp socket to http ports.

Determine whether Bind can write to master zone files. Generally this is used for dynamic DNS or zone transfers.

Determine whether neutron can connect to all TCP ports

Allow any files/directories to be exported read/only via NFS.

Allow any files/directories to be exported read/write via NFS.

Allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.

Allow system to run with NIS

Allow confined applications to use nscd shared memory.

Allow nsplugin code to connect to unreserved ports

Allow nsplugin code to execmem/execstack

Allow openshift to access nfs file systems without labels

Determine whether openvpn can connect to the TCP network.

Determine whether openvpn can read generic user home content files.

Allow openvpn to run unconfined scripts

Allow pacemaker memcheck-amd64- to use executable memory

Allow pcp to bind to all unreserved_ports

Allow pcp to read generic logs

Allow PowerDNS to connect to databases over the network.

Allow piranha-lvs domain to connect to the network using TCP.

Allow polipo to connect to all ports > 1023

Determine whether Polipo session daemon can bind tcp sockets to all unreserved ports.

Determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain.

Determine whether polipo can access cifs file systems.

Determine whether Polipo can access nfs file systems.

Enable polyinstantiated directory support.

Determine whether portage can use nfs filesystems.

Allow postfix_local domain full write access to mail_spool directories

Allow postgresql to use ssh and rsync for point-in-time recovery

Allow transmit client label to foreign database

Allow database admins to execute DML statement

Allow unprivileged users to execute DDL statement

Allow pppd to load kernel modules for certain modems

Allow pppd to be run for a regular user

Determine whether privoxy can connect to all tcp ports.

Permit to prosody to bind apache port. Need to be activated to use BOSH.

Allow Puppet client to manage all file types.

Allow Puppet master to use connect to MySQL and PostgreSQL database

Allow qemu to connect fully to the network

Allow qemu to use cifs/Samba file systems

Allow qemu to use serial/parallel communication ports

Allow qemu to use nfs file systems

Allow qemu to use usb devices

Allow racoon to read shadow

Allow rgmanager domain to connect to the network using TCP.

Allow rpcd_t to manage fuse files

Allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.

Allow rsync to run as a client

Allow rsync to export any files/directories read only.

Allow rsync server to manage all files/directories on the system.

Allow samba to create new home directories (e.g. via PAM)

Allow samba to act as the domain controller, add users, groups and change passwords.

Allow samba to share users home directories.

Allow samba to share any file/directory read only.

Allow samba to share any file/directory read/write.

Allow smbd to load libgfapi from gluster.

Allow samba to act as a portmapper

Allow samba to run unconfined scripts

Allow samba to export ntfs/fusefs volumes.

Allow samba to export NFS volumes.

Allow sanlock to read/write fuse files

Allow sanlock to manage nfs files

Allow sanlock to manage cifs files

Allow sasl to read shadow

Allow regular users direct dri device access

Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t

Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

Allow users to connect to the local mysql server

Allow confined users the ability to execute the ping and traceroute commands.

Allow users to connect to PostgreSQL

Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

Allow user music sharing

Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols.

Allow users to run UDP servers (bind to ports and accept connection from the same domain and outside users) disabling this may break avahi discovering services on the network and other udp related services.

Allow user to use ssh chroot environment.

Allow sge to connect to the network using any TCP port

Allow sge to access nfs file systems.

Determine whether smartmon can support devices on 3ware controllers.

Allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.

Allow user spamassassin clients to use the network.

Allow spamd to read/write user home directories.

Allow spamd_update to connect to all ports.

Determine whether squid can connect to all TCP ports.

Determine whether squid can run as a transparent proxy.

Allow ssh with chroot env to read and write files in the user home directories

allow host key based authentication

Allow ssh logins as sysadm_r:sysadm_t

Determine whether sslh can listen on any tcp port or if it is restricted to the standard http.

Determine whether sslh can connect to any tcp port or if it is restricted to the standard http, openvpn and jabber ports.

allow staff user to create and transition to svirt domains.

Determine whether swift can connect to all TCP ports

Allow the Telepathy connection managers to connect to any network port.

Allow the Telepathy connection managers to connect to any generic TCP port.

Allow tftp to modify public files used for public file transfer services.

Allow tftp to read and write files in the user home directories

Determine whether tmpreaper can use cifs file systems.

Determine whether tmpreaper can use nfs file systems.

Determine whether tmpreaper can use samba_share files

Determine whether tor can bind tcp sockets to all unreserved ports.

Allow tor to act as a relay

allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox

Allow a user to login as an unconfined domain

Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.

Allow unprivileged user to create and transition to svirt domains.

Support ecryptfs home directories

Support fusefs home directories

Determine whether to support lpd server.

Support NFS home directories

Support SAMBA home directories

Determine whether varnishd can use the full TCP network.

Determine whether attempts by vbetool to mmap low regions should be silently blocked.

Allow qemu-ga to read qemu-ga date.

Allow qemu-ga to manage qemu-ga date.

Allow sandbox containers to use all capabilities

Allow sandbox containers to send audit messages

Allow sandbox containers manage fuse files

Allow sandbox containers to use mknod system calls

Allow sandbox containers to use netlink system calls

Allow sandbox containers to use sys_admin system calls, for example mount

Allow virtual processes to run as userdomains

Allow confined virtual guests to use serial/parallel communication ports

Allow confined virtual guests to use executable memory and executable stack

Allow confined virtual guests to read fuse files

Allow confined virtual guests to manage nfs files

Allow confined virtual guests to use smartcards

Allow confined virtual guests to interact with rawip sockets

Allow confined virtual guests to manage cifs files

Allow confined virtual guests to interact with the sanlock

Allow confined virtual guests to use usb devices

Allow confined virtual guests to interact with the xserver

Determine whether webadm can manage generic user files.

Determine whether webadm can read generic user files.

Determine whether attempts by wine to mmap low regions should be silently blocked.

Allows xdm_t to bind on vnc_port_t(5910)

Allow the graphical login program to execute bootloader

Allow the graphical login program to login directly as sysadm_r:sysadm_t

Allow the graphical login program to create files in HOME dirs as xdm_home_t.

Allow xen to manage nfs files

Allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images.

Allow xend to run qemu-dm. Not required if using paravirt and no vfb.

Allow xguest users to configure Network Manager and connect to apache ports

Allow xguest users to mount removable media

Allow xguest to use blue tooth devices

Allows clients to write to the X server shared memory segments.

Allows XServer to execute writable memory

Support X userspace object manager

Determine whether zabbix can connect to all TCP ports

Allow zarafa domains to setrlimit/sys_resource.

Allow zebra daemon to write it configuration files

Allow ZoneMinder to modify public files used for public file transfer services.

Allow ZoneMinder to run su/sudo.