Allow cvs daemon to read shadow

Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")

Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")

Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")

Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.

Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.

Allow ftp servers to use cifs used for public file transfer services.

Allow ftp servers to use nfs used for public file transfer services.

Allow gssd to read temp directory. For access to kerberos tgt.

Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.

Allow Apache to use mod_auth_pam

Allow java executable stack

Allow confined applications to run with kerberos.

Allow the mount command to mount any directory or file.

Allow mplayer executable stack

Allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.

Enable polyinstantiated directory support.

Allow sysadm to debug or ptrace all processes.

Allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.

Allow sasl to read shadow

Allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.

allow host key based authentication

Allow users to connect to mysql

Allow users to connect to PostgreSQL

Allows clients to write to the X server shared memory segments.

Allow system to run with NIS

Allow zebra daemon to write it configuration files

Allow users to resolve user passwd entries directly from ldap rather then using a sssd server

Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files

Allow clamd to use JIT compiler

Allow Cobbler to modify public files used for public file transfer services.

Allow logging in and using the system from /dev/console.

Allow system cron jobs to relabel filesystem for restoring file contexts.

Allow dbadm to manage files in users home directories

Allow dbadm to read files in users home directories

Allow DHCP daemon to use LDAP backends

Allow the use of the audio devices as the source for the entropy feeds

Allow exim to connect to databases (postgres, mysql)

Allow exim to create, read, write, and delete unprivileged user files.

Allow exim to read unprivileged user files.

Enable extra rules in the cron domain to support fcron.

Allow fenced domain to connect to the network using TCP.

Allow ftp to read and write files in the user home directories

Determine whether Git CGI can search home directories.

Determine whether Git CGI can access cifs file systems.

Determine whether Git CGI can access nfs file systems.

Determine whether Git session daemons can send syslog messages.

Determine whether calling user domains can execute Git daemon in the git_session_t domain.

Determine whether Git system daemon can search home directories.

Determine whether Git system daemon can access cifs file systems.

Determine whether Git system daemon can access nfs file systems.

Enable reading of urandom for all domains.

This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.

Allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files.

Allow httpd to use built in scripting (usually php)

Allow HTTPD scripts and modules to connect to the network using TCP.

Allow HTTPD scripts and modules to connect to databases over the network.

Allow httpd to act as a relay

Allow http daemon to send mail

Allow Apache to communicate with avahi service via dbus

Allow httpd cgi support

Allow httpd to act as a FTP server by listening on the ftp port.

Allow httpd to read home directories

Allow httpd daemon to change its resource limits

Allow HTTPD to run SSI executables in the same domain as system CGI scripts.

Unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.

Unify HTTPD handling of all content files.

Allow httpd to access cifs file systems

Allow httpd to run gpg

Allow httpd to access nfs file systems

Enable support for upstart as the init program.

Allow email client to various content. nfs, samba, removable devices, and user temp files

Control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.

Allow confined web browsers to read home directory content

Allow mysqld to connect to all ports

Allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.

Allow any files/directories to be exported read/only via NFS.

Allow any files/directories to be exported read/write via NFS.

Allow openvpn to read home directories

Allow the portage domains to use NFS mounts (regular nfs_t)

Allow pppd to load kernel modules for certain modems

Allow pppd to be run for a regular user

Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports.

Allow Puppet client to manage all file types.

Allow qemu to connect fully to the network

Allow qemu to use cifs/Samba file systems

Allow qemu to use serial/parallel communication ports

Allow qemu to use nfs file systems

Allow qemu to use usb devices

Allow racoon to read shadow

Allow rgmanager domain to connect to the network using TCP.

Allow rsync to export any files/directories read only.

Allow samba to create new home directories (e.g. via PAM)

Allow samba to act as the domain controller, add users, groups and change passwords.

Allow samba to share users home directories.

Allow samba to share any file/directory read only.

Allow samba to share any file/directory read/write.

Allow samba to run unconfined scripts

Allow samba to export ntfs/fusefs volumes.

Allow samba to export NFS volumes.

Allow confined virtual guests to manage nfs files

Allow confined virtual guests to manage cifs files

Allow unprived users to execute DDL statement

Allow transmit client label to foreign database

Allow database admins to execute DML statement

Allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.

Allow sftp-internal to read and write files in the user home directories

Allow sftp-internal to login to local users and read/write all files on the system, governed by DAC.

Enable additional permissions needed to support devices on 3ware controllers.

Allow user spamassassin clients to use the network.

Allow spamd to read/write user home directories.

Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.

Allow squid to run as a transparent proxy (TPROXY)

Allow ssh logins as sysadm_r:sysadm_t

Allow the Telepathy connection managers to connect to any network port.

Allow the Telepathy connection managers to connect to any generic TCP port.

Allow tftp to modify public files used for public file transfer services.

Allow tor daemon to bind tcp sockets to all unreserved ports.

Use lpd server instead of cups

Support NFS home directories

Support SAMBA home directories

Allow regular users direct mouse access

Allow users to read system messages.

Control users use of ping and traceroute

Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols.

Allow w to display everyone

Allow varnishd to connect to all ports, not just HTTP.

Ignore vbetool mmap_zero errors.

Allow virt to use serial/parallell communication ports

Allow virt to read fuse files

Allow virt to manage nfs files

Allow virt to manage cifs files

Allow virt to manage device configuration, (pci)

Allow virt to use usb devices

Allow webadm to manage files in users home directories

Allow webadm to read files in users home directories

Ignore wine mmap_zero errors.

Allow xdm logins as sysadm

Allow xen to manage nfs files

Allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images.

Allow xend to run qemu-dm. Not required if using paravirt and no vfb.

Allow xguest to configure Network Manager

Allow xguest users to mount removable media

Allow xguest to use blue tooth devices

Support X userspace object manager