Diffstat (limited to 'doc/global_tunables.xml')
-rw-r--r-- | doc/global_tunables.xml | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/doc/global_tunables.xml b/doc/global_tunables.xml
new file mode 100644
index 00000000..c026deaf
--- /dev/null
+++ b/doc/global_tunables.xml
@@ -0,0 +1,108 @@
+<tunable name="allow_execheap" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execmem" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execmod" dftval="false">
+<desc>
+<p>
+Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execstack" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_polyinstantiation" dftval="false">
+<desc>
+<p>
+Enable polyinstantiated directory support.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ypbind" dftval="false">
+<desc>
+<p>
+Allow system to run with NIS
+</p>
+</desc>
+</tunable>
+<tunable name="console_login" dftval="true">
+<desc>
+<p>
+Allow logging in and using the system from /dev/console.
+</p>
+</desc>
+</tunable>
+<tunable name="global_ssp" dftval="false">
+<desc>
+<p>
+Enable reading of urandom for all domains.
+</p>
+<p>
+This should be enabled when all programs
+are compiled with ProPolice/SSP
+stack smashing protection. All domains will
+be allowed to read from /dev/urandom.
+</p>
+</desc>
+</tunable>
+<tunable name="mail_read_content" dftval="false">
+<desc>
+<p>
+Allow email client to various content.
+nfs, samba, removable devices, and user temp
+files
+</p>
+</desc>
+</tunable>
+<tunable name="nfs_export_all_rw" dftval="false">
+<desc>
+<p>
+Allow any files/directories to be exported read/write via NFS.
+</p>
+</desc>
+</tunable>
+<tunable name="nfs_export_all_ro" dftval="false">
+<desc>
+<p>
+Allow any files/directories to be exported read/only via NFS.
+</p>
+</desc>
+</tunable>
+<tunable name="use_nfs_home_dirs" dftval="false">
+<desc>
+<p>
+Support NFS home directories
+</p>
+</desc>
+</tunable>
+<tunable name="use_samba_home_dirs" dftval="false">
+<desc>
+<p>
+Support SAMBA home directories
+</p>
+</desc>
+</tunable>
+<tunable name="user_tcp_server" dftval="false">
+<desc>
+<p>
+Allow users to run TCP servers (bind to ports and accept connection from
+the same domain and outside users) disabling this forces FTP passive mode
+and may change other protocols.
+</p>
+</desc>
+</tunable> |
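Review bot: The descriptions of `allow_execmem`, `allow_execmod` and `allow_execstack` each end with a stray `")`, which looks like residue from whatever macro call the text was copied out of and will appear verbatim in anything rendered from this file; those two characters should be dropped from each of the three lines. The `mail_read_content` description has no verb (`Allow email client to various content.`), so an administrator cannot tell what access the tunable grants; if it is read access, as the tunable name suggests, `Allow email clients to read various content: nfs, samba, removable devices, and user temp files` would say so. Because the four `allow_exec*` entries describe relaxing memory-protection checks, their wording is what an administrator relies on when deciding whether to flip them, so it is worth making the sentences complete and consistently punctuated (the `allow_execheap` text lacks a final period, and `allow_execmem` joins two sentences with a comma).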