HP-UX Security Containment Extensions B.11.31.03 Release Notes
Defect number: QXCR1001073788
• The setrules command sometimes reports the following warning incorrectly: File
system rule conflict(s) between parent and child objects.. The command
incorrectly returns an error status (1) when this warning is reported.
In HP-UX Security Containment Extensions B.11.31.02 and earlier, the setrules command
does not recognize parent and child file system objects correctly. Therefore, it reports file
system rule conflicts when there is no conflict. The command also should not return an error
status for a warning message.
The setrules command has been fixed to recognize parent and child file system objects
correctly when reporting file system rule conflicts. The command has also been fixed to not
return an error for a warning message.
Defect number: QXCR1001076090
• The setfilexsec(1M) manpage states that if the -f option is not specified and the
privilege start flag has never been set before, the flag is set to start_nil. This
description does not match the behavior of the setfilexsec command.
HP-UX Security Containment Extensions B.11.31.02 and earlier contain this manpage error.
The default value for the -f option is start_full, not start_nil.
The setfilexsec(1M) manpage has been corrected to state that the default value for the -f
option is start_full.
Defect number: QXCR1001039165
• The compartment multibind feature is too relaxed for processes with the
PRIV_COMMALLOWED privilege.
In HP-UX Security Containment Extensions B.11.31.02 and earlier, a process with the
PRIV_COMMALLOWED privilege is allowed to bind to the same port that is in use by another
process. This causes problems in making connection or packet delivery decisions.
The sec_net_rules module has been updated to allow only one process with the
PRIV_COMMALLOWED privilege to bind to the same port unless the SO_REUSEPORT option
is set for the socket.
Defect number: QXCR1001022298
• On a system that has the HP-UX compartments feature enabled and has the
ContainmentPlus product version B.11.31.01 installed, the system fails to deliver broadcast
or multicast packets to local recipients.
In HP-UX Security Containment Extensions B.11.31.02 and earlier, the destination address
check enabled by the ContainmentPlus product version B.11.31.01 blocks broadcast
or multicast packets from being delivered to local recipients.
The destination address check is now skipped for broadcast and multicast addresses. Installing
the ContainmentPlus product version B.11.31.02 and later will also install this patch fix.
Defect number: QXCR1001101463
• When the compartment login feature is enabled, an authorized user login can fail with
the following error message: Compartment access check failed: User is not
authorized to login to the compartment associated with this network
service. Root login from the console is allowed. Connection closed
by foreign host.
In HP-UX Security Containment Extensions B.11.31.02 and earlier, an authorized user can
be prevented from logging in to the system when the compartment login feature is enabled, due
to a namespace collision issue with another library.
The product now ensures unique naming for routines in the librbac library.