diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 23b4e59..7ee01bc 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -1,16 +1,95 @@
+##
+## Allow execution of anonymous mappings, e.g. executable stack.
+##
+gen_tunable(allow_execmem,false)
+
+##
+## Support Share libraries with text relocations
+##
+gen_tunable(allow_execmod,false)
+
+##
+## Allow system to run with kerberos
+##
+gen_tunable(allow_kerberos,false)
+
+##
+## Allow system to run with NIS
+##
+gen_tunable(allow_ypbind,false)
+
+##
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+##
+gen_tunable(cron_can_relabel,false)
+
##
## Enable extra rules in the cron domain
## to support fcron.
##
gen_tunable(fcron_crond,false)
+##
+## Allow reading of default_t files.
+##
+gen_tunable(read_default_t,false)
+
+##
+## Allow staff_r users to search the sysadm home
+## dir and read files (such as ~/.bashrc)
+##
+gen_tunable(staff_read_sysadm_file,false)
+
##
## Allow the use of DNS for name resolution.
##
gen_tunable(use_dns,false)
-##
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
+##
+## Support NFS home directories
##
-gen_tunable(cron_can_relabel,false)
+gen_tunable(use_nfs_home_dirs,false)
+
+##
+## Support SAMBA home directories
+##
+gen_tunable(use_samba_home_dirs,false)
+
+##
+## Allow regular users direct mouse access
+##
+gen_tunable(user_direct_mouse,false)
+
+##
+## Allow users to read system messages.
+##
+gen_tunable(user_dmesg,false)
+
+##
+## Allow users to control network interfaces
+## (also needs USERCTL=true)
+##
+gen_tunable(user_net_control,false)
+
+##
+## Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
+##
+gen_tunable(user_rw_noexattrfile,false)
+
+##
+## Allow users to rw usb devices
+##
+gen_tunable(user_rw_usb,false)
+
+##
+## Allow users to run TCP servers (bind to ports and accept connection from
+## the same domain and outside users) disabling this forces FTP passive mode
+## and may change other protocols.
+##
+gen_tunable(user_tcp_server,false)
+
+##
+## Allow w to display everyone
+##
+gen_tunable(user_ttyfile_stat,false)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 90253f6..5582b7a 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -174,36 +174,36 @@ define(`base_user_domain',`
mta_rw_spool($1_t)
- if (allow_execmem) {
+ tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
allow $1_t self:process execmem;
- }
+ ')
- if (use_nfs_home_dirs) {
+ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_t)
fs_manage_nfs_files($1_t)
fs_manage_nfs_symlinks($1_t)
fs_manage_nfs_named_sockets($1_t)
fs_manage_nfs_named_pipes($1_t)
fs_execute_nfs_files($1_t)
- }
+ ')
- if (use_samba_home_dirs) {
+ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_t)
fs_manage_cifs_files($1_t)
fs_manage_cifs_symlinks($1_t)
fs_manage_cifs_named_sockets($1_t)
fs_manage_cifs_named_pipes($1_t)
fs_execute_cifs_files($1_t)
- }
+ ')
- if (user_direct_mouse) {
+ tunable_policy(`user_direct_mouse',`
dev_read_mouse($1_t)
- }
+ ')
- if (user_ttyfile_stat) {
+ tunable_policy(`user_ttyfile_stat',`
term_getattr_all_user_ttys($1_t)
- }
+ ')
optional_policy(`usermanage.te',`
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@@ -478,18 +478,18 @@ define(`user_domain_template', `
# so it can be used without privilege to write real binary policy file
selinux_exec_checkpol($1_t)
- if (user_dmesg) {
+ tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
- } else {
+ ',`
kernel_dontaudit_read_ring_buffer($1_t)
- }
+ ')
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
- if (user_tcp_server) {
+ tunable_policy(`user_tcp_server',`
corenet_tcp_bind_generic_port($1_t)
- }
+ ')
# for running depmod as part of the kernel packaging process
optional_policy(`modutils.te',`
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 003cb57..751d6e9 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -26,54 +26,6 @@ attribute userdomain;
# unprivileged user domains
attribute unpriv_userdomain;
-# Allow execution of anonymous mappings, e.g. executable stack.
-bool allow_execmem false;
-
-# Support Share libraries with Text Relocation
-bool allow_execmod false;
-
-# Allow system to run with kerberos
-bool allow_kerberos false;
-
-# Allow system to run with NIS
-bool allow_ypbind false;
-
-# Allow reading of default_t files.
-bool read_default_t false;
-
-# Allow staff_r users to search the sysadm home dir and read
-# files (such as ~/.bashrc)
-bool staff_read_sysadm_file false;
-
-# Support NFS home directories
-bool use_nfs_home_dirs false;
-
-# Support SAMBA home directories
-bool use_samba_home_dirs false;
-
-# Allow regular users direct mouse access
-bool user_direct_mouse false;
-
-# Allow users to read system messages.
-bool user_dmesg false;
-
-# Allow users to control network interfaces (also needs USERCTL=true)
-bool user_net_control false;
-
-# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
-bool user_rw_noexattrfile false;
-
-# Allow users to rw usb devices
-bool user_rw_usb false;
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users) disabling this forces FTP passive mode
-# and may change other protocols
-bool user_tcp_server false;
-
-# Allow w to display everyone
-bool user_ttyfile_stat false;
-
admin_domain_template(sysadm)
user_domain_template(staff)
user_domain_template(user)