HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
For example:
/* Disallow all privileges except mount. */
disallowed privileges all,!mount
/* Disallow mount only. */
disallowed privileges none,mount
disallowed privileges
Specifies this as a privilege limitation rule.
<privilege[,privilege[...]]> A comma-separated list of privileges. You can use the
following additional keywords:
• all: disallows all privileges
• none: allows all privileges
• !: denotes except
If privilege limitation rules are not specified for a compartment, the default privilege limitation
is basicpolicy,mknod for every compartment except the INIT compartment. The INIT
compartment default privilege limitation is none.
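The keywords above combine in one comma-separated list, so it helps to see exactly which set a given rule produces. The following Python is an added example, not code from the HP-UX guide or from the product: it evaluates a "disallowed privileges" list against a privilege universe and applies the documented defaults (basicpolicy,mknod for ordinary compartments, none for INIT). The privilege names in PRIVILEGES are a constructed sample, not the full HP-UX list; the left-to-right interpretation of the list and the "compartment NAME { ... }" block form accepted by parse_rules_file are assumptions made for the example.

```python
"""Evaluate HP-UX compartment 'disallowed privileges' rules (added example).

Assumptions (not stated by the guide): tokens are applied left to right, so
'all,!mount' means "disallow everything, then allow mount again"; rules
files use a 'compartment NAME { ... }' block with C-style comments.
"""
import re

# Constructed sample universe of privilege names; the real list is longer.
PRIVILEGES = frozenset({
    "basicpolicy", "mount", "mknod", "chown", "dacread", "dacwrite",
    "limit", "owner", "rtpset", "setrugid",
})

DEFAULT_RULE = "basicpolicy,mknod"   # default for every compartment except INIT
INIT_RULE = "none"                    # INIT compartment default: nothing disallowed


def parse_disallowed(spec, universe=PRIVILEGES):
    """Return the privileges disallowed by the list following
    'disallowed privileges', e.g. 'all,!mount' or 'none,mount'.

    'all' disallows every privilege, 'none' allows every privilege, and a
    leading '!' removes one privilege from the disallowed set.
    """
    disallowed = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        if token == "all":
            disallowed = set(universe)
        elif token == "none":
            disallowed = set()
        elif token.startswith("!"):
            name = token[1:]
            if name not in universe:
                raise ValueError(f"unknown privilege: {name}")
            disallowed.discard(name)
        else:
            if token not in universe:
                raise ValueError(f"unknown privilege: {token}")
            disallowed.add(token)
    return frozenset(disallowed)


def allowed(spec, universe=PRIVILEGES):
    """Privileges a process in the compartment may still hold."""
    return frozenset(universe) - parse_disallowed(spec, universe)


def effective_rule(compartment, rules):
    """Return the spec in force for a compartment. rules maps compartment
    name -> spec for compartments that carry an explicit rule; the rest get
    the documented default (INIT differs)."""
    if compartment in rules:
        return rules[compartment]
    return INIT_RULE if compartment == "INIT" else DEFAULT_RULE


def parse_rules_file(text):
    """Collect 'disallowed privileges' specs from rules-file text, keyed by
    compartment. Assumes 'compartment NAME {' blocks and /* */ comments;
    other rule types are skipped."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    rules = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        start = re.match(r"compartment\s+(\S+)\s*\{", line)
        if start:
            current = start.group(1)
            continue
        if line.startswith("}"):
            current = None
            continue
        rule = re.match(r"disallowed\s+privileges\s+(\S+)", line)
        if rule and current:
            rules[current] = rule.group(1)
    return rules


if __name__ == "__main__":
    # Constructed rules text exercising both examples from the guide.
    sample = """
    compartment fruit {
        /* Disallow all privileges except mount. */
        disallowed privileges all,!mount
    }
    compartment veg {
        /* Disallow mount only. */
        disallowed privileges none,mount
    }
    """
    rules = parse_rules_file(sample)
    for name in ("fruit", "veg", "other", "INIT"):
        spec = effective_rule(name, rules)
        print(f"{name:6} {spec:18} allowed={sorted(allowed(spec))}")
```

Running the module prints the allowed set per compartment; the "other" and "INIT" rows show the defaults from the text taking effect when no rule is written.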
Example Rules File
An example rules file is shipped with HP-UX 11i Security Containment, located in
/etc/cmpt/examples/sendmail.example.
Configuring Applications in Compartments
You can configure an application to run in a particular compartment. Use the setfilexsec command
to configure the compartment attribute of a binary file. For example, to configure the application
apple into the compartment fruit, enter the following command:
# setfilexsec -c fruit apple
Alternatively, you can use HP-UX RBAC to configure an application to run in a compartment.
Refer to “Configuring HP-UX RBAC with Compartments”.
Troubleshooting Compartments
If something is not working on your system and you suspect the problem is occurring because
of your compartment structure, you can check your compartment rules as follows.
Problem 1: Access is not being controlled according to the compartment rules I
configured. Solution: Your rules may not be set in the kernel. To check whether your rules
are set in the kernel, follow these steps:
1. Execute the following command:
# getrules
The getrules command displays the valid compartment rules in the kernel.
2. Execute the following command:
# setrules -p
The setrules command with the -p option displays all rules configured on the system,
including rules that have not been loaded into the kernel.
3. Compare the two listings. A rule that setrules -p displays but getrules does not has
not been loaded; run setrules (without -p) to load the rules files in /etc/cmpt into the
kernel, then repeat step 1 to confirm the rule is now in the kernel.