tsol_admin_high_to_cipso

The tsol_admin_high_to_cipso switch is not in the default /etc/system file, but it can be added if needed. The default setting in the kernel is 0. To enable communications with TSIX-type hosts that have the IP Label Field specified as CIPSO, this switch must be set to 1. This causes the label on a packet to be mapped to a valid CIPSO label with the highest classification and all compartments turned on, instead of the packet being dropped. See "CIPSO Labels in Packets" for more information.

tsol_clean_windows

To support object reuse, the tsol_clean_windows switch is set to 1 by default, which clears inactive register windows on return from each system call. Setting the switch to 0 disables the cleaning of inactive windows after each system call, allowing the possibility that a system call can return kernel information from an inactive register window.

tsol_flush_buffers

Between the time when blocks are linked to an inode and written to disk, a crash could leave old disk blocks (possibly of a higher label) linked to a file system after fsck(1M) recovers the file system. To ensure that data blocks are flushed before inodes are updated on disk, the tsol_flush_buffers switch is set to 1 by default. There is a small performance penalty. Setting this switch to 0 disables the forced data flushing before inode updates.

tsol_hide_upgraded_names

Actions by users with the Upgrade File Label authorization and by processes with the file_mac_write and file_upgrade_sl privileges can either create a new file or subdirectory, or relabel an existing file or subdirectory, at a label that dominates the label of the containing directory. Such files and subdirectories are said to be upgraded, and the names of the upgraded files and subdirectories are referred to as upgraded names. At sites that consider upgraded names to be sensitive information, the tsol_hide_upgraded_names switch enables the Security Administrator role to hide upgraded names. Setting this flag prevents getdents(2) from returning upgraded file names. Because all directory entries are examined before the results are returned, there is a performance penalty. Upgraded names are displayed by default.

tsol_privs_debug

The tsol_privs_debug switch allows the administrative use of runpd(1M) to characterize a program's use of privilege. See Chapter 13, Adding Software, under "To Find Out Which Privileges a Program Needs" for the complete setup procedure. After the application(s) have been privilege debugged, this variable should be reset and the machine rebooted. Privilege debugging is disabled by default.

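The switches above each have a documented default, and several of them (tsol_clean_windows, tsol_flush_buffers, tsol_privs_debug) weaken the system when left in a non-default state. The following script is an added example, not part of the Trusted Solaris documentation: it reads an /etc/system file, assumes the standard "set <name> = <value>" syntax with "*" as the comment marker, and reports every tsol_* switch whose configured value differs from the default stated on this page; the sample /etc/system it audits is constructed inline.

```shell
# Added example, not from the Trusted Solaris documentation: audit an
# /etc/system file for the tsol_* switches above and report any set away
# from the documented default. Assumes "set <name> = <value>" syntax.
set -f   # no filename globbing while splitting config lines into words
# Documented default for each switch; empty for an undocumented name.
tsol_default() {
    case "$1" in
        tsol_admin_high_to_cipso) echo 0 ;;
        tsol_clean_windows)       echo 1 ;;
        tsol_flush_buffers)       echo 1 ;;
        tsol_hide_upgraded_names) echo 0 ;;
        tsol_privs_debug)         echo 0 ;;
        *)                        echo "" ;;
    esac
}

# Print "<switch> default=<d> configured=<v>" for each tsol_* switch whose
# configured value differs from its default; "*" comment lines and other
# tunables (for example maxusers) are ignored.
audit_tsol_system() {
    file="$1"
    while read -r line; do
        # normalise "name=value" / "name = value", then split into words
        set -- $(printf '%s\n' "$line" | sed 's/=/ = /')
        [ "$#" -ge 4 ] && [ "$1" = "set" ] && [ "$3" = "=" ] || continue
        name=$2; value=$4
        case "$name" in tsol_*) ;; *) continue ;; esac
        def=$(tsol_default "$name")
        if [ -n "$def" ] && [ "$value" != "$def" ]; then
            echo "$name default=$def configured=$value"
        fi
    done < "$file"
}

# Constructed sample /etc/system (not a real host's file), written to $1.
write_sample_system() {
    cat > "$1" <<'EOF'
set tsol_admin_high_to_cipso = 1
set tsol_clean_windows=0
set tsol_flush_buffers = 1
* set tsol_privs_debug = 0
set tsol_privs_debug = 1
set maxusers = 64
EOF
}

sample=$(mktemp)
write_sample_system "$sample"
audit_tsol_system "$sample"
rm -f "$sample"
```

On the sample the script reports tsol_admin_high_to_cipso, tsol_clean_windows and tsol_privs_debug; the commented-out line and maxusers are skipped. Run it against the real /etc/system to spot a forgotten tsol_privs_debug=1 or a disabled tsol_flush_buffers before the next reboot.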