diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 23b4e59..7ee01bc 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -1,16 +1,95 @@
+## <tunable name="allow_execmem" dftval="false">
+##	Allow execution of anonymous mappings, e.g. executable stack.
+## </tunable>
+gen_tunable(allow_execmem,false)
+
+## <tunable name="allow_execmod" dftval="false">
+##	Support Share libraries with text relocations
+## </tunable>
+gen_tunable(allow_execmod,false)
+
+## <tunable name="allow_kerberos" dftval="false">
+##	Allow system to run with kerberos
+## </tunable>
+gen_tunable(allow_kerberos,false)
+
+## <tunable name="allow_ypbind" dftval="false">
+##	Allow system to run with NIS
+## </tunable>
+gen_tunable(allow_ypbind,false)
+
+## <tunable name="cron_can_relabel" dftval="false">
+##	Allow system cron jobs to relabel filesystem
+##	for restoring file contexts.
+## </tunable>
+gen_tunable(cron_can_relabel,false)
+
 ## <tunable name="fcron_crond" dftval="false">
 ##	Enable extra rules in the cron domain
 ##	to support fcron.
 ## </tunable>
 gen_tunable(fcron_crond,false)
 
+## <tunable name="read_default_t" dftval="false">
+##	Allow reading of default_t files.
+## </tunable>
+gen_tunable(read_default_t,false)
+
+## <tunable name="staff_read_sysadm_file" dftval="false">
+##	Allow staff_r users to search the sysadm home 
+##	dir and read files (such as ~/.bashrc)
+## </tunable>
+gen_tunable(staff_read_sysadm_file,false)
+
 ## <tunable name="use_dns" dftval="false">
 ##	Allow the use of DNS for name resolution.
 ## </tunable>
 gen_tunable(use_dns,false)
 
-## <tunable name="cron_can_relabel" dftval="false">
-##	Allow system cron jobs to relabel filesystem
-##	for restoring file contexts.
+## <tunable name="use_nfs_home_dirs" dftval="false">
+##	Support NFS home directories
 ## </tunable>
-gen_tunable(cron_can_relabel,false)
+gen_tunable(use_nfs_home_dirs,false)
+
+## <tunable name="use_samba_home_dirs" dftval="false">
+##	Support SAMBA home directories
+## </tunable>
+gen_tunable(use_samba_home_dirs,false)
+
+## <tunable name="user_direct_mouse" dftval="false">
+##	Allow regular users direct mouse access 
+## </tunable>
+gen_tunable(user_direct_mouse,false)
+
+## <tunable name="user_dmesg" dftval="false">
+##	Allow users to read system messages.
+## </tunable>
+gen_tunable(user_dmesg,false)
+
+## <tunable name="user_net_control" dftval="false">
+##	Allow users to control network interfaces
+##	(also needs USERCTL=true)
+## </tunable>
+gen_tunable(user_net_control,false)
+
+## <tunable name="user_rw_noexattrfile" dftval="false">
+##	Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
+## </tunable>
+gen_tunable(user_rw_noexattrfile,false)
+
+## <tunable name="user_rw_usb" dftval="false">
+##	Allow users to rw usb devices
+## </tunable>
+gen_tunable(user_rw_usb,false)
+
+## <tunable name="user_tcp_server" dftval="false">
+##	Allow users to run TCP servers (bind to ports and accept connection from
+##	the same domain and outside users)  disabling this forces FTP passive mode
+##	and may change other protocols.
+## </tunable>
+gen_tunable(user_tcp_server,false)
+
+## <tunable name="user_ttyfile_stat" dftval="false">
+##	Allow w to display everyone
+## </tunable>
+gen_tunable(user_ttyfile_stat,false)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 90253f6..5582b7a 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -174,36 +174,36 @@ define(`base_user_domain',`
 
 	mta_rw_spool($1_t)
 
-	if (allow_execmem) {
+	tunable_policy(`allow_execmem',`
 		# Allow loading DSOs that require executable stack.
 		allow $1_t self:process execmem;
-	}
+	')
 
-	if (use_nfs_home_dirs) {
+	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_t)
 		fs_manage_nfs_files($1_t)
 		fs_manage_nfs_symlinks($1_t)
 		fs_manage_nfs_named_sockets($1_t)
 		fs_manage_nfs_named_pipes($1_t)
 		fs_execute_nfs_files($1_t)
-	}
+	')
 
-	if (use_samba_home_dirs) {
+	tunable_policy(`use_samba_home_dirs',`
 		fs_manage_cifs_dirs($1_t)
 		fs_manage_cifs_files($1_t)
 		fs_manage_cifs_symlinks($1_t)
 		fs_manage_cifs_named_sockets($1_t)
 		fs_manage_cifs_named_pipes($1_t)
 		fs_execute_cifs_files($1_t)
-	}
+	')
 
-	if (user_direct_mouse) {
+	tunable_policy(`user_direct_mouse',`
 		dev_read_mouse($1_t)
-	}
+	')
 
-	if (user_ttyfile_stat) {
+	tunable_policy(`user_ttyfile_stat',`
 		term_getattr_all_user_ttys($1_t)
-	}
+	')
 
 	optional_policy(`usermanage.te',`
 		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@@ -478,18 +478,18 @@ define(`user_domain_template', `
 	# so it can be used without privilege to write real binary policy file
 	selinux_exec_checkpol($1_t)
 
-	if (user_dmesg) {
+	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
-	} else {
+	',`
 		kernel_dontaudit_read_ring_buffer($1_t)
-	}
+	')
 
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users)  disabling this forces FTP passive mode
 	# and may change other protocols
-	if (user_tcp_server) {
+	tunable_policy(`user_tcp_server',`
 		corenet_tcp_bind_generic_port($1_t)
-	}
+	')
 
 	# for running depmod as part of the kernel packaging process
 	optional_policy(`modutils.te',`
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 003cb57..751d6e9 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -26,54 +26,6 @@ attribute userdomain;
 # unprivileged user domains
 attribute unpriv_userdomain;
 
-# Allow execution of anonymous mappings, e.g. executable stack.
-bool allow_execmem false;
-
-# Support Share libraries with Text Relocation
-bool allow_execmod false;
-
-# Allow system to run with kerberos
-bool allow_kerberos false;
-
-# Allow system to run with NIS
-bool allow_ypbind false;
-
-# Allow reading of default_t files.
-bool read_default_t false;
-
-# Allow staff_r users to search the sysadm home dir and read
-# files (such as ~/.bashrc)
-bool staff_read_sysadm_file false;
-
-# Support NFS home directories
-bool use_nfs_home_dirs false;
-
-# Support SAMBA home directories
-bool use_samba_home_dirs false;
-
-# Allow regular users direct mouse access 
-bool user_direct_mouse false;
-
-# Allow users to read system messages.
-bool user_dmesg false;
-
-# Allow users to control network interfaces (also needs USERCTL=true)
-bool user_net_control false;
-
-# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
-bool user_rw_noexattrfile false;
-
-# Allow users to rw usb devices
-bool user_rw_usb false;
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users)  disabling this forces FTP passive mode
-# and may change other protocols 
-bool user_tcp_server false;
-
-# Allow w to display everyone
-bool user_ttyfile_stat false;
-
 admin_domain_template(sysadm)
 user_domain_template(staff)
 user_domain_template(user)