#
# This file is for the declaration of global tunables.
# To change the default value at build time, the booleans.conf
# file should be used.
#

## <desc>
## <p>
## Deny any process from ptracing or debugging any other processes.
## </p>
## </desc>
gen_tunable(deny_ptrace, false)

## <desc>
## <p>
## Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(selinuxuser_execheap,false)

## <desc>
## <p>
## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(deny_execmem,false)

## <desc>
## <p>
## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
## </p>
## </desc>
gen_tunable(selinuxuser_execmod,false)

## <desc>
## <p>
## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(selinuxuser_execstack,false)

## <desc>
## <p>
## Enable polyinstantiated directory support.
## </p>
## </desc>
gen_tunable(polyinstantiation_enabled,false)

## <desc>
## <p>
## Allow system to run with NIS
## </p>
## </desc>
gen_tunable(nis_enabled,false)

## <desc>
## <p>
## Allow logging in and using the system from /dev/console.
## </p>
## </desc>
gen_tunable(login_console_enabled,true)

## <desc>
## <p>
## Enable reading of urandom for all domains.
## </p>
## <p>
## This should be enabled when all programs
## are compiled with ProPolice/SSP
## stack smashing protection.  All domains will
## be allowed to read from /dev/urandom.
## </p>
## </desc>
gen_tunable(global_ssp,false)

## <desc>
## <p>
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
gen_tunable(nfs_export_all_rw,false)

## <desc>
## <p>
## Allow any files/directories to be exported read/only via NFS.
## </p>
## </desc>
gen_tunable(nfs_export_all_ro,false)

## <desc>
## <p>
## Support NFS home directories
## </p>
## </desc>
gen_tunable(use_nfs_home_dirs,false)

## <desc>
## <p>
## Support SAMBA home directories
## </p>
## </desc>
gen_tunable(use_samba_home_dirs,false)

## <desc>
## <p>
## Support ecryptfs home directories
## </p>
## </desc>
gen_tunable(use_ecryptfs_home_dirs,false)

## <desc>
## <p>
## Support fusefs home directories
## </p>
## </desc>
gen_tunable(use_fusefs_home_dirs,false)

## <desc>
## <p>
## Allow users to run TCP servers (bind to ports and accept connection from
## the same domain and outside users)  disabling this forces FTP passive mode
## and may change other protocols.
## </p>
## </desc>
gen_tunable(selinuxuser_tcp_server,false)

## <desc>
## <p>
## Allow users to run UDP servers (bind to ports and accept connection from
## the same domain and outside users)  disabling this may break avahi 
## discovering services on the network and other udp related services.
## </p>
## </desc>
gen_tunable(selinuxuser_udp_server,false)

## <desc>
## <p>
## Allow the mount commands to mount any directory or file.
## </p>
## </desc>
gen_tunable(mount_anyfile, false)

## <desc>
## <p>
## Allow create vbox modules during startup new kernel.
## </p>
## </desc>
gen_tunable(use_virtualbox, false)

## <desc>
## <p>
## Deny all system processes and Linux users to use bluetooth wireless technology.
## </p>
## </desc>
gen_tunable(deny_bluetooth,false)