#
# This file is for the declaration of global tunables.
# To change the default value at build time, the booleans.conf
# file should be used.
#

########################################
#
# Common tunables
#

## <desc>
## <p>
## Allow making the heap executable.
## </p>
## </desc>
gen_tunable(allow_execheap,false)

## <desc>
## <p>
## Allow making anonymous memory executable, e.g. 
## for runtime-code generation or executable stack.
## </p>
## </desc>
gen_tunable(allow_execmem,false)

## <desc>
## <p>
## Allow making a modified private file
## mapping executable (text relocation).
## </p>
## </desc>
gen_tunable(allow_execmod,false)

## <desc>
## <p>
## Allow making the stack executable via mprotect.
## Also requires allow_execmem.
## </p>
## </desc>
gen_tunable(allow_execstack,false)

## <desc>
## <p>
## Enable polyinstantiated directory support.
## </p>
## </desc>
gen_tunable(allow_polyinstantiation,false)

## <desc>
## <p>
## Allow system to run with NIS
## </p>
## </desc>
gen_tunable(allow_ypbind,false)

## <desc>
## <p>
## Enable reading of urandom for all domains.
## </p>
## <p>
## This should be enabled when all programs
## are compiled with ProPolice/SSP
## stack smashing protection.  All domains will
## be allowed to read from /dev/urandom.
## </p>
## </desc>
gen_tunable(global_ssp,false)

## <desc>
## <p>
## Allow nfs to be exported read/write.
## </p>
## </desc>
gen_tunable(nfs_export_all_rw,false)

## <desc>
## <p>
## Allow nfs to be exported read only
## </p>
## </desc>
gen_tunable(nfs_export_all_ro,false)

## <desc>
## <p>
## Allow reading of default_t files.
## </p>
## </desc>
gen_tunable(read_default_t,false)

## <desc>
## <p>
## Support NFS home directories
## </p>
## </desc>
gen_tunable(use_nfs_home_dirs,false)

## <desc>
## <p>
## Support SAMBA home directories
## </p>
## </desc>
gen_tunable(use_samba_home_dirs,false)

########################################
#
# Strict policy specific
#

ifdef(`strict_policy',`
## <desc>
## <p>
## Allow email client to various content.
## nfs, samba, removable devices, user temp
## and untrusted content files
## </p>
## </desc>
gen_tunable(mail_read_content,false)

## <desc>
## <p>
## Allow applications to read untrusted content
## If this is disallowed, Internet content has
## to be manually relabeled for read access to be granted
## </p>
## </desc>
gen_tunable(read_untrusted_content,false)

## <desc>
## <p>
## Allow users to run TCP servers (bind to ports and accept connection from
## the same domain and outside users)  disabling this forces FTP passive mode
## and may change other protocols.
## </p>
## </desc>
gen_tunable(user_tcp_server,false)

## <desc>
## <p>
## Allow applications to write untrusted content
## If this is disallowed, no Internet content
## will be stored.
## </p>
## </desc>
gen_tunable(write_untrusted_content,false)
')