2 # This file is for the declaration of global tunables.
3 # To change the default value at build time, the booleans.conf
9 ## Allow making the heap executable.
12 gen_tunable(allow_execheap,false)
16 ## Allow making anonymous memory executable, e.g.
17 ## for runtime-code generation or executable stack.
20 gen_tunable(allow_execmem,false)
24 ## Allow making a modified private file
25 ## mapping executable (text relocation).
28 gen_tunable(allow_execmod,false)
32 ## Allow making the stack executable via mprotect.
33 ## Also requires allow_execmem.
36 gen_tunable(allow_execstack,false)
40 ## Enable polyinstantiated directory support.
43 gen_tunable(allow_polyinstantiation,false)
47 ## Allow system to run with NIS
50 gen_tunable(allow_ypbind,false)
54 ## Enable reading of urandom for all domains.
57 ## This should be enabled when all programs
58 ## are compiled with ProPolice/SSP
59 ## stack smashing protection. All domains will
60 ## be allowed to read from /dev/urandom.
63 gen_tunable(global_ssp,false)
67 ## Allow email client to various content.
68 ## nfs, samba, removable devices, user temp
69 ## and untrusted content files
72 gen_tunable(mail_read_content,false)
76 ## Allow nfs to be exported read/write.
79 gen_tunable(nfs_export_all_rw,false)
83 ## Allow nfs to be exported read only
86 gen_tunable(nfs_export_all_ro,false)
90 ## Allow reading of default_t files.
93 gen_tunable(read_default_t,false)
97 ## Allow applications to read untrusted content
98 ## If this is disallowed, Internet content has
99 ## to be manually relabeled for read access to be granted
102 gen_tunable(read_untrusted_content,false)
106 ## Support NFS home directories
109 gen_tunable(use_nfs_home_dirs,false)
113 ## Support SAMBA home directories
116 gen_tunable(use_samba_home_dirs,false)
120 ## Allow users to run TCP servers (bind to ports and accept connection from
121 ## the same domain and outside users) disabling this forces FTP passive mode
122 ## and may change other protocols.
125 gen_tunable(user_tcp_server,false)
129 ## Allow applications to write untrusted content
130 ## If this is disallowed, no Internet content
134 gen_tunable(write_untrusted_content,false)