HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
3. Compare the output of step 1 to the output of step 2. If they are the same, all rules are loaded
into the kernel.
If the output of step 1 is different from the output of step 2, go on to step 4.
4. Execute the following command:
# setrules
The configured rules are loaded into the kernel.
Problem 2: A network interface on my compartment-enabled system is not accessible.
Solution: All network interfaces must be configured in a compartment. To check whether your network
interface is configured in a compartment, follow these steps:
1. Execute the following command:
# getrules
The getrules command displays the valid compartment rules in the kernel. Check the
output for rules configuring the network interface.
If there are rules configuring the network interface in a compartment, go on to step 2 to
check the rules syntax for errors.
If there are no rules for the network interface, go on to step 2.
2. Execute the following command:
# setrules -p
The setrules command with the -p option displays all rules configured on the system,
including rules that have not been loaded into the kernel.
If no rules are configured on the system, configure appropriate network interface rules.
Refer to “Network Rules” for network rules syntax.
The setrules -p command also checks for syntax errors. If there is a syntax error in your
network interface rules, modify your rules as described in “Modifying Compartment
Configuration”.
3. Compare the output of step 1 to the output of step 2. If they are the same, all rules are loaded
into the kernel.
If the output of step 2 displays rules for the network interface that were not present in the
output of step 1, go on to step 4.
4. Execute the following command:
# setrules
The configured rules are loaded into the kernel.
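The comparison in steps 1 through 3 can be scripted. The following shell script is an added example, not part of the HP guide: the function names unloaded_rules and check_interface are hypothetical, and the sample listings are constructed, with an assumed rule layout (see "Network Rules" for the real syntax).

```shell
#!/bin/sh
# Added example, not from the HP guide. Compares the two listings line by
# line; it does not parse rule syntax.

# Constructed sample listings; the rule layout shown is an assumption.
SAMPLE_KERNEL='compartment ifacelan0 {
}'
SAMPLE_CONFIGURED='compartment ifacelan0 {
    interface   lan0
}'

# unloaded_rules KERNEL_LISTING CONFIGURED_LISTING TEXT
# Prints each line containing TEXT that appears in the configured listing
# (step 2, setrules -p) but not in the kernel listing (step 1, getrules).
# Whitespace differences are ignored. No output means nothing is missing.
unloaded_rules() {
    { printf '%s\n' "$1"; printf '%s\n' '@@CONFIGURED@@'; printf '%s\n' "$2"; } |
    awk -v pat="$3" '
        { $1 = $1 }                          # squeeze runs of blanks
        $0 == ""               { next }
        $0 == "@@CONFIGURED@@" { conf = 1; next }
        !conf                  { loaded[$0] = 1; next }
        !($0 in loaded) && index($0, pat) && !seen[$0]++ { print }
    '
}

# check_interface TEXT
# Captures both listings and reports rules mentioning TEXT that are not in
# the kernel. Loading them (step 4, setrules) is left to the administrator.
# Assumes a non-zero exit status from either command means it failed.
check_interface() {
    kernel=$(getrules) || return 2
    configured=$(setrules -p) || return 2
    missing=$(unloaded_rules "$kernel" "$configured" "$1")
    if [ -n "$missing" ]; then
        printf 'Configured but not loaded in the kernel:\n%s\n' "$missing"
        return 1
    fi
    printf 'No configured rule mentioning %s is missing from the kernel.\n' "$1"
}

# Run the live check only where the compartment tools exist.
if command -v getrules >/dev/null 2>&1 && [ $# -ge 1 ]; then
    check_interface "$1"
fi
```

Because network server rules can be listed under the target compartment in getrules output (see Problem 4), a line reported for such a rule should be checked by hand before concluding that it is not loaded.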
Problem 3: Access to a file is not functioning properly.
Solution: If multiple hard links point to this file, the compartment rules configuration may
contain inconsistent rules for accessing the file. To check for inconsistencies, follow these steps:
1. Execute the following command:
# vhardlinks
If the output shows an inconsistency, go on to step 2.
2. Modify the rules to remove the inconsistency. Follow the procedure described in “Modifying
Compartment Configuration”.
Problem 4: Network server rules do not appear in getrules output.
Solution: Because of the way rules are managed internally, network server rules for a given
compartment can be listed in the target compartment output of the getrules command.
For example:
/* telnet compartment rule to allow incoming telnet requests through compartment labeled ifacelan0 */
Troubleshooting Compartments 69