Current File : //proc/self/root/kunden/proc/thread-self/root/usr/share/selinux/devel/include/global_tunables.xml

<tunable name="deny_ptrace" dftval="false">
<desc>
<p>
Deny any process from ptracing or debugging any other processes.
</p>
</desc>
</tunable>
<tunable name="selinuxuser_execheap" dftval="false">
<desc>
<p>
Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
</p>
</desc>
</tunable>
<tunable name="deny_execmem" dftval="false">
<desc>
<p>
Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
</p>
</desc>
</tunable>
<tunable name="selinuxuser_execmod" dftval="false">
<desc>
<p>
Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
</p>
</desc>
</tunable>
<tunable name="selinuxuser_execstack" dftval="false">
<desc>
<p>
Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
</p>
</desc>
</tunable>
<tunable name="polyinstantiation_enabled" dftval="false">
<desc>
<p>
Enable polyinstantiated directory support.
</p>
</desc>
</tunable>
<tunable name="nis_enabled" dftval="false">
<desc>
<p>
Allow system to run with NIS
</p>
</desc>
</tunable>
<tunable name="login_console_enabled" dftval="true">
<desc>
<p>
Allow logging in and using the system from /dev/console.
</p>
</desc>
</tunable>
<tunable name="global_ssp" dftval="false">
<desc>
<p>
Enable reading of urandom for all domains.
</p>
<p>
This should be enabled when all programs
are compiled with ProPolice/SSP
stack smashing protection.  All domains will
be allowed to read from /dev/urandom.
</p>
</desc>
</tunable>
<tunable name="nfs_export_all_rw" dftval="false">
<desc>
<p>
Allow any files/directories to be exported read/write via NFS.
</p>
</desc>
</tunable>
<tunable name="nfs_export_all_ro" dftval="false">
<desc>
<p>
Allow any files/directories to be exported read/only via NFS.
</p>
</desc>
</tunable>
<tunable name="use_nfs_home_dirs" dftval="false">
<desc>
<p>
Support NFS home directories
</p>
</desc>
</tunable>
<tunable name="use_samba_home_dirs" dftval="false">
<desc>
<p>
Support SAMBA home directories
</p>
</desc>
</tunable>
<tunable name="use_ecryptfs_home_dirs" dftval="false">
<desc>
<p>
Support ecryptfs home directories
</p>
</desc>
</tunable>
<tunable name="use_fusefs_home_dirs" dftval="false">
<desc>
<p>
Support fusefs home directories
</p>
</desc>
</tunable>
<tunable name="selinuxuser_tcp_server" dftval="false">
<desc>
<p>
Allow users to run TCP servers (bind to ports and accept connection from
the same domain and outside users)  disabling this forces FTP passive mode
and may change other protocols.
</p>
</desc>
</tunable>
<tunable name="selinuxuser_udp_server" dftval="false">
<desc>
<p>
Allow users to run UDP servers (bind to ports and accept connection from
the same domain and outside users)  disabling this may break avahi
discovering services on the network and other udp related services.
</p>
</desc>
</tunable>
<tunable name="mount_anyfile" dftval="false">
<desc>
<p>
Allow the mount commands to mount any directory or file.
</p>
</desc>
</tunable>
<tunable name="use_virtualbox" dftval="false">
<desc>
<p>
Allow create vbox modules during startup new kernel.
</p>
</desc>
</tunable>
<tunable name="deny_bluetooth" dftval="false">
<desc>
<p>
Deny all system processes and Linux users to use bluetooth wireless technology.
</p>
</desc>
</tunable>