author: Chin-San Huang <chinsan@FreeBSD.org> 2007-06-27 11:49:40 +0000
committer: Chin-San Huang <chinsan@FreeBSD.org> 2007-06-27 11:49:40 +0000
commit: babae0ae2d48995241b88b9274eea99667941ec2 (patch)
tree: b65d75613a857589ff3ef75f08ae80ec4f522d54 /en_US.ISO8859-1/books
parent: 881826dc3fefa14526b5b7ebe284f39d0a138b7f (diff)
Remove the deprecated description about MAC.
Noticed by: kevlo, vanilla (via irc)
Notes: svn path=/head/; revision=30348
Diffstat (limited to 'en_US.ISO8859-1/books')
-rw-r--r-- en_US.ISO8859-1/books/handbook/mac/chapter.sgml 86
1 files changed, 0 insertions, 86 deletions
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
index 0b93f16ad6..4f6fa68844 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
@@ -764,92 +764,6 @@ test: biba/high</screen>
<xref linkend="mac-troubleshoot"> of this chapter.</para>
</note>
</sect2>
-
- <sect2>
- <title>Controlling MAC with Tunables</title>
-
- <para>Without any modules loaded, there are still some parts
- of <acronym>MAC</acronym> which may be configured using
- the <command>sysctl</command> interface. These tunables
- are described below and in all cases the number one (1)
- means enabled while the number zero (0) means
- disabled:</para>
-
- <itemizedlist>
- <listitem>
- <para><literal>security.mac.enforce_fs</literal> defaults to
- one (1) and enforces <acronym>MAC</acronym> file system
- policies on the file systems.</para>
- </listitem>
-
- <listitem>
- <para><literal>security.mac.enforce_kld</literal> defaults to
- one (1) and enforces <acronym>MAC</acronym> kernel linking
- policies on the dynamic kernel linker (see
- &man.kld.4;).</para>
- </listitem>
-
- <listitem>
- <para><literal>security.mac.enforce_network</literal> defaults
- to one (1) and enforces <acronym>MAC</acronym> network
- policies.</para>
- </listitem>
-
- <listitem>
- <para><literal>security.mac.enforce_pipe</literal> defaults
- to one (1) and enforces <acronym>MAC</acronym> policies
- on pipes.</para>
- </listitem>
-
- <listitem>
- <para><literal>security.mac.enforce_process</literal> defaults
- to one (1) and enforces <acronym>MAC</acronym> policies
- on processes which utilize inter-process
- communication.</para>
- </listitem>
-
- <listitem>
- <para><literal>security.mac.enforce_socket</literal> defaults
- to one (1) and enforces <acronym>MAC</acronym> policies
- on sockets (see the &man.socket.2; manual page).</para>
- </listitem>
-
- <listitem>
- <para><literal>security.mac.enforce_system</literal> defaults
- to one (1) and enforces <acronym>MAC</acronym> policies
- on system activities such as accounting and
- rebooting.</para>
- </listitem>
-
- <listitem>
- <para><literal>security.mac.enforce_vm</literal> defaults
- to one (1) and enforces <acronym>MAC</acronym> policies
- on the virtual memory system.</para>
- </listitem>
- </itemizedlist>
-
- <note>
- <para>Every policy or <acronym>MAC</acronym> option supports
- tunables. These usually hang off of the
- <literal>security.mac.&lt;policyname&gt;</literal> tree.
- To view all of the tunables from <acronym>MAC</acronym>
- use the following command:</para>
-
- <screen>&prompt.root; <userinput>sysctl -da | grep mac</userinput></screen>
- </note>
-
- <para>This should be interpreted as all of the basic
- <acronym>MAC</acronym> policies are enforced by default.
- If the modules were built into the kernel the system
- would be extremely locked down and most likely unable to
- communicate with the local network or connect to the Internet,
- etc. This is why building the modules into the kernel is not
- completely recommended. Not because it limits the ability to
- disable features on the fly with <command>sysctl</command>,
- but it permits the administrator to instantly switch the
- policies of a system without the requirement of rebuilding
- and reinstalling a new system.</para>
- </sect2>
</sect1>
<sect1 id="mac-planning">
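Review bot: The removal also takes out the <note> near the end of the hunk (the security.mac.&lt;policyname&gt; tree and the "sysctl -da | grep mac" command), which describes per-policy tunables in general rather than the eight security.mac.enforce_* entries listed above it. If only the enforce_* tunables are deprecated, keep that note or move it to another section, and name the deprecated tunables in the commit message so the 86-line deletion can be checked against it. The closing paragraph on building the modules into the kernel is dropped as well; confirm that advice is covered elsewhere in the chapter before removing it.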