HP-UX Security Containment Extensions B.11.31.03 Release Notes

Defect number: QXCR1001039158
When ContainmentExt version B.11.31.02 (or ContainmentPlus version B.11.31.01) is
installed and the compartment feature is enabled, an unexpected source address can be used
for communication within a system that has been configured with multiple LAN
interfaces, where the destination address is expected to be used as the source address.
This issue has been fixed in ContainmentExt version B.11.31.03 (or ContainmentPlus version
B.11.31.02). For local-to-local communications, if the local compartment owns the destination
address, the destination address is always used as the source address. The ownership of a
network address is typically specified by network interface rules. However, for the init
compartment, you must declare the ownership of a network address using the system
keyword. For this reason, you must mark the ifaces compartment as a system
compartment to get the desired behavior in the init compartment. See the compartments(4)
manpage for more information.
Defect number: QXCR1001124696
NOTE: The ContainmentPlus product includes enhancements and fixes for other known issues.
See “Features” (page 5) for more information on the ContainmentPlus product.
1.5 Known issues and workaround
HP-UX Security Containment Extensions B.11.31.03 contains the following known problems:
The HP Auto Port Aggregation (APA) virtual LAN device (lan900) becomes unusable
after reboot if it is configured as LAN MONITOR mode on a compartment.
Workaround:
When APA is used in LAN MONITOR mode, the following rules must be met:
— The primary interface, lan0, must be assigned to the proper compartment.
— The secondary interface, lan1, is either not assigned to any compartment or is assigned
to the same compartment as lan0.
— The aggregate interface, lan900, is either not assigned to any compartment or is assigned
to the same compartment as lan0. HP recommends that you leave lan900 unassigned
in case APA changes the naming scheme.
NOTE: In this example, lan0 and lan1 are aggregated into lan900.
For more information on APA, see apa(7).
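The three rules above can be checked mechanically before enabling APA in LAN MONITOR mode. The script below is an added example, not part of these release notes or of the ContainmentExt product; it assumes a compartment rules file in the compartments(4) layout (`compartment NAME { ... interface lanN ... }`, one rule per line) and uses the lan0/lan1/lan900 names from the example above.

```shell
#!/bin/sh
# Added example, not part of the HP release notes: checks a compartment rules file
# against the APA LAN MONITOR constraints listed above. Assumes the compartments(4)
# layout "compartment NAME { ... interface lanN ... }" with one rule per line;
# the interface names lan0/lan1/lan900 follow the release notes' example.

# Print "compartment:interface" for every interface rule in rules file $1.
list_iface_assignments() {
    awk '
        /^[[:space:]]*compartment[[:space:]]+[A-Za-z0-9_]+/ { name = $2; sub(/\{.*/, "", name) }
        /^[[:space:]]*interface[[:space:]]+/ {
            n = split($2, ifs, ",")
            for (i = 1; i <= n; i++) print name ":" ifs[i]
        }' "$1"
}

# Print the compartment that owns interface $2 in rules file $1 (nothing if unassigned).
owner_of() {
    list_iface_assignments "$1" | awk -F: -v want="$2" '$2 == want { print $1; exit }'
}

# Return 0 when primary $2 is assigned and secondary $3 / aggregate $4 are each
# either unassigned or in the same compartment as the primary; otherwise return 1.
check_apa_compartments() {
    rules=$1; primary=$2; secondary=$3; aggregate=$4
    p=$(owner_of "$rules" "$primary")
    if [ -z "$p" ]; then
        echo "FAIL: $primary is not assigned to any compartment" >&2
        return 1
    fi
    for ifc in "$secondary" "$aggregate"; do
        o=$(owner_of "$rules" "$ifc")
        if [ -n "$o" ] && [ "$o" != "$p" ]; then
            echo "FAIL: $ifc belongs to $o, expected $p or unassigned" >&2
            return 1
        fi
    done
    echo "OK: $primary/$secondary/$aggregate satisfy the APA LAN MONITOR rules"
}

# Constructed sample rules files (not real system configuration).
printf 'compartment web {\n    interface lan0\n}\n' > /tmp/apa_good.rules
printf 'compartment web {\n    interface lan0\n}\ncompartment db {\n    interface lan900\n}\n' > /tmp/apa_bad.rules

check_apa_compartments /tmp/apa_good.rules lan0 lan1 lan900            # prints OK
check_apa_compartments /tmp/apa_bad.rules  lan0 lan1 lan900 || true    # prints FAIL: lan900 ...
```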
A write to an NFS-mounted file inside a compartment may not always succeed for some
compartment configurations.
Workaround:
Move the file into a directory and NFS mount the directory instead of the file.
1.5 Known issues and workaround 9