trunk: merge strict and targeted policies. merge shlib_t into lib_t.
1 #
2 # This file is for the declaration of global tunables.
3 # To change the default value at build time, the booleans.conf
4 # file should be used.
5 #
6
7 ## <desc>
8 ## <p>
9 ## Allow making the heap executable.
10 ## </p>
11 ## </desc>
12 gen_tunable(allow_execheap,false)
13
14 ## <desc>
15 ## <p>
16 ## Allow making anonymous memory executable, e.g.
17 ## for runtime-code generation or executable stack.
18 ## </p>
19 ## </desc>
20 gen_tunable(allow_execmem,false)
21
22 ## <desc>
23 ## <p>
24 ## Allow making a modified private file
25 ## mapping executable (text relocation).
26 ## </p>
27 ## </desc>
28 gen_tunable(allow_execmod,false)
29
30 ## <desc>
31 ## <p>
32 ## Allow making the stack executable via mprotect.
33 ## Also requires allow_execmem.
34 ## </p>
35 ## </desc>
36 gen_tunable(allow_execstack,false)
37
38 ## <desc>
39 ## <p>
40 ## Enable polyinstantiated directory support.
41 ## </p>
42 ## </desc>
43 gen_tunable(allow_polyinstantiation,false)
44
45 ## <desc>
46 ## <p>
47 ## Allow system to run with NIS
48 ## </p>
49 ## </desc>
50 gen_tunable(allow_ypbind,false)
51
52 ## <desc>
53 ## <p>
54 ## Enable reading of urandom for all domains.
55 ## </p>
56 ## <p>
57 ## This should be enabled when all programs
58 ## are compiled with ProPolice/SSP stack smashing
59 ## protection, whose stack guard is seeded from
60 ## /dev/urandom. All domains will be allowed to read from /dev/urandom.
61 ## </p>
62 ## </desc>
63 gen_tunable(global_ssp,false)
64
65 ## <desc>
66 ## <p>
67 ## Allow email clients to read various content:
68 ## nfs, samba, removable devices, user temp
69 ## and untrusted content files.
70 ## </p>
71 ## </desc>
72 gen_tunable(mail_read_content,false)
73
74 ## <desc>
75 ## <p>
76 ## Allow nfs to be exported read/write.
77 ## </p>
78 ## </desc>
79 gen_tunable(nfs_export_all_rw,false)
80
81 ## <desc>
82 ## <p>
83 ## Allow nfs to be exported read only
84 ## </p>
85 ## </desc>
86 gen_tunable(nfs_export_all_ro,false)
87
88 ## <desc>
89 ## <p>
90 ## Allow reading of default_t files.
91 ## </p>
92 ## </desc>
93 gen_tunable(read_default_t,false)
94
95 ## <desc>
96 ## <p>
97 ## Allow applications to read untrusted content.
98 ## If this is disallowed, Internet content has
99 ## to be manually relabeled for read access to be granted.
100 ## </p>
101 ## </desc>
102 gen_tunable(read_untrusted_content,false)
103
104 ## <desc>
105 ## <p>
106 ## Support NFS home directories
107 ## </p>
108 ## </desc>
109 gen_tunable(use_nfs_home_dirs,false)
110
111 ## <desc>
112 ## <p>
113 ## Support SAMBA home directories
114 ## </p>
115 ## </desc>
116 gen_tunable(use_samba_home_dirs,false)
117
118 ## <desc>
119 ## <p>
120 ## Allow users to run TCP servers (bind to ports and accept connections from
121 ## the same domain and outside users). Disabling this forces FTP passive mode
122 ## and may change other protocols.
123 ## </p>
124 ## </desc>
125 gen_tunable(user_tcp_server,false)
126
127 ## <desc>
128 ## <p>
129 ## Allow applications to write untrusted content.
130 ## If this is disallowed, no Internet content
131 ## will be stored.
132 ## </p>
133 ## </desc>
134 gen_tunable(write_untrusted_content,false)