HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
protocol Specifies the networking protocol that applies to this rule. The options are:
• tcp: This rule applies to the TCP protocol.
• udp: This rule applies to the UDP protocol.
• raw: This rule applies to any other protocol in the INET domain.
<protonum> The protocol number specified for this rule. The protonum option is relevant only for the raw specification.
port (Optional) Specifies that this rule applies to a specific port.
<port> Identifies the port specified in this rule.
peer (Optional) The port information applies to the peer endpoint involved in the communication for this rule.
compartment_name The compartment name associated with the peer endpoint or interface this rule applies to.
For more information about network rules, refer to compartments(4).
Miscellaneous Rules
These are rules that do not fit neatly into any other rules category.
Network Interface Rules
A network interface rule specifies the compartment that an interface belongs to. A network interface that is not in a compartment cannot be brought on line.
NOTE: For stricter security policies, configure network interfaces in separate compartments
from those assigned to processes. Define rules for network access for each compartment
accordingly. Equal compartments are always granted full access to one another.
The network interface rule syntax is as follows:
compartment <compartment_name> {
interface <interface_name[,interface_name][...]>
}
For example:
compartment iface0 {
/* Define the compartment for the network interface lan0 */
interface lan0
}
compartment other_ifaces {
/* Define the compartment for two of the other network interfaces */
interface lan1,lan5
}
interface Specifies that this is an interface definition.
<interface_name[,interface_name][...]> A comma-separated list of interface names.
Privilege Limitation Rules
A privilege limitation rule controls privilege inheritance. Any privilege named in a privilege limitation rule cannot be obtained when calling execve(2).
The syntax for privilege limitation rules is:
disallowed privileges <privilege[,privilege[...]]>
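The interface rules and privilege limitation rules above are small enough that a rules file can be checked before it is loaded. The following Python script is an added example, not part of this guide or of HP-UX: it parses only the rule forms shown on this page (compartment blocks, /* */ comments, interface lines, and disallowed privileges lines), reports an unterminated block like the truncated other_ifaces example, and flags an interface claimed by more than one compartment, since an interface rule names the single compartment the interface belongs to. The sample rules text is constructed for the example, and the privilege names after disallowed privileges are placeholders rather than real HP-UX privilege names.

```python
import re

# Constructed sample rules file. iface0 and other_ifaces mirror the guide's
# examples; the "dupe" compartment is added only to show that assigning one
# interface (lan1) to two compartments is flagged. The privilege names are
# placeholders, not necessarily real HP-UX privileges.
SAMPLE_RULES = """
compartment iface0 {
    /* Define the compartment for the network interface lan0 */
    interface lan0
}
compartment other_ifaces {
    /* Define the compartment for two of the other network interfaces */
    interface lan1,lan5
}
compartment dupe {
    interface lan1
    disallowed privileges PRIV_EXAMPLE_A,PRIV_EXAMPLE_B
}
"""


def strip_comments(text):
    """Remove /* ... */ comments, the only comment style shown in the guide."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)


def parse_rules(text):
    """Return {compartment: {"interfaces": [...], "disallowed": [...], "other": [...]}}.

    Only interface and disallowed-privileges rules are understood; any other
    line inside a block is kept verbatim under "other" so nothing is silently
    dropped. Structural errors (stray or missing braces) raise ValueError.
    """
    comps = {}
    current = None
    for lineno, raw in enumerate(strip_comments(text).splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"compartment\s+(\S+)\s*\{$", line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: nested compartment block")
            current = m.group(1)
            comps[current] = {"interfaces": [], "disallowed": [], "other": []}
            continue
        if line == "}":
            if current is None:
                raise ValueError(f"line {lineno}: stray closing brace")
            current = None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: rule outside a compartment block")
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            comps[current]["interfaces"].extend(m.group(1).split(","))
            continue
        m = re.match(r"disallowed\s+privileges\s+(\S+)$", line)
        if m:
            comps[current]["disallowed"].extend(m.group(1).split(","))
            continue
        comps[current]["other"].append(line)
    if current is not None:
        raise ValueError(f"unterminated compartment block '{current}'")
    return comps


def interface_conflicts(comps):
    """Map each interface named by more than one compartment to its claimants."""
    owners = {}
    for name, comp in comps.items():
        for iface in comp["interfaces"]:
            owners.setdefault(iface, []).append(name)
    return {iface: names for iface, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for name, comp in parsed.items():
        print(name, "interfaces:", comp["interfaces"], "disallowed:", comp["disallowed"])
    print("interface conflicts:", interface_conflicts(parsed))
```

Running the script lists each compartment with its interfaces and disallowed privileges and reports lan1 as claimed by both other_ifaces and dupe. The check is a consistency lint on the file's text only; how the running system treats such a duplicate is not covered by this page.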