PERFORCE change 77256 for review

Christian S.J. Peron csjp at
Sat May 21 18:28:27 GMT 2005

Change 77256 by csjp at csjp_xor on 2005/05/21 18:27:43

	Add some documentation for some additional sysctl variables

Affected files ...

.. //depot/projects/trustedbsd/mac/share/man/man4/mac_chkexec.4#2 edit

Differences ...

==== //depot/projects/trustedbsd/mac/share/man/man4/mac_chkexec.4#2 (text+ko) ====

@@ -83,8 +83,14 @@
 The following sysctls may be used to tweak the behavior of
 .Nm :
 .Bl -tag -width indent
+.It Va security.mac.chkexec.enable
+Set to zero or one to toggle the policy off or on.
 .It Va security.mac.chkexec.enforce
-Set to zero or one to toggle the policy off or on.
+Toggle the enforcement of the security policy. While the policy is loaded but
+not enforced, the system is in learning mode. This means that each time an
+objected is executed, the system calculates and stores the checksums for the
+object. This allows system administrators to create their "baseline database"
+of trusted binaries simply by letting the system run in regular operation.
 .It Va security.mac.chkexec.cache.objmax
 Adjust the cache size.
 This should be increased as more system objects
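Review bot: the new `security.mac.chkexec.enable` entry simply inherits the wording the old `enforce` entry had ("Set to zero or one to toggle the policy off or on"), so the two knobs now read as near-synonyms; the text should say what `enable=0` does that `enforce=0` does not, in particular whether a policy that is enabled but not enforced still computes and stores checksums (as the learning-mode paragraph says) while a disabled policy stores nothing. The learning-mode paragraph also needs the caveat an administrator will want: every object executed while `enforce` is 0 is recorded as trusted, so learning mode should only be run on a known-good install where no untrusted user can execute code, and the resulting baseline should be inspected before enforcement is switched on. Smaller points: "objected is executed" should be "object is executed"; the quoted phrase "baseline database" should use `.Dq` rather than literal double quotes, as the existing `.Dq 1024` entry does; and each new sentence should start on its own line, matching the one-sentence-per-line mdoc style of the surrounding entries ("Adjust the cache size." / "This should be increased ...").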
@@ -92,8 +98,18 @@
 Note that this value should be similar to
 .Dq 1024
 during the
 buildworld process.
+.It Va security.mac.chkexec.algo
+Specify which hashing algorithm to use. Currently md5 and sha1 are
+supported. By default sha1 is used.
+.It Va security.mac.chkexec.cache.enable
+Enable or disable the use of the object cache. Disabling the cache results
+in system execution and run-time linking performance being degraded.
+.It Va security.mac.chkexec.ignore_untagged
+Specify whether or not un-registered binaries should be exempt. This allows users
+to execute newly created binaries. It is highly recommended that this option
+NOT be enabled.
 .Xr mac 4 ,
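Review bot: the `security.mac.chkexec.ignore_untagged` entry should state plainly what the knob does to the policy: with it enabled, any binary that has no stored checksum is exempt from checking, so anyone who can write a new executable bypasses the policy entirely, and "It is highly recommended that this option NOT be enabled" should be justified by that consequence and accompanied by the default value, which only the `algo` entry among the new ones gives. Suggested wording: "Specify whether unregistered binaries are exempt from checking. Enabling this allows any newly created binary to run without verification, which defeats the policy." Keep the terminology consistent as well ("un-registered" in the text versus "untagged" in the variable name). For `security.mac.chkexec.algo`, note that md5 is not collision resistant and is offered only for compatibility with existing checksums, and document what happens to checksums already stored under the previous algorithm when the variable is changed at run time. Same style point as the previous hunk: one sentence per line, and `.Em` rather than a capitalised "NOT".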
More information about the trustedbsd-cvs mailing list