#
# This file is for the declaration of global tunables.
# To change the default value at build time, the booleans.conf
# file should be used.
#

## <desc>
## <p>
## Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execheap,false)

## <desc>
## <p>
## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execmem,false)

## <desc>
## <p>
## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
## </p>
## </desc>
gen_tunable(allow_execmod,false)

## <desc>
## <p>
## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execstack,false)

## <desc>
## <p>
## Enable polyinstantiated directory support.
## </p>
## </desc>
gen_tunable(allow_polyinstantiation,false)

## <desc>
## <p>
## Allow system to run with NIS
## </p>
## </desc>
gen_tunable(allow_ypbind,false)

## <desc>
## <p>
## Enable reading of urandom for all domains.
## </p>
## <p>
## This should be enabled when all programs
## are compiled with ProPolice/SSP
## stack smashing protection.  All domains will
## be allowed to read from /dev/urandom.
## </p>
## </desc>
gen_tunable(global_ssp,false)

## <desc>
## <p>
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
gen_tunable(nfs_export_all_rw,false)

## <desc>
## <p>
## Allow any files/directories to be exported read/only via NFS.
## </p>
## </desc>
gen_tunable(nfs_export_all_ro,false)

## <desc>
## <p>
## Support NFS home directories
## </p>
## </desc>
gen_tunable(use_nfs_home_dirs,false)

## <desc>
## <p>
## Support SAMBA home directories
## </p>
## </desc>
gen_tunable(use_samba_home_dirs,false)

## <desc>
## <p>
## Support fusefs home directories
## </p>
## </desc>
gen_tunable(use_fusefs_home_dirs,false)

## <desc>
## <p>
## Allow users to run TCP servers (bind to ports and accept connection from
## the same domain and outside users)  disabling this forces FTP passive mode
## and may change other protocols.
## </p>
## </desc>
gen_tunable(user_tcp_server,false)

## <desc>
## <p>
## Allow direct login to the console device. Required for System 390
## </p>
## </desc>
gen_tunable(allow_console_login,false)