Administrator's Guide
NOTE: When APA is used in LAN MONITOR mode, the following rules must be met:
• The primary interface, lan0, must be assigned to the proper compartment.
• The secondary interface, lan1, is either not assigned to any compartment or is
assigned to the same compartment as lan0.
• The aggregate interface, lan900, is either not assigned to any compartment or is
assigned to the same compartment as lan0. HP recommends that you leave lan900
unassigned in case APA changes the naming scheme.
In this example, lan0 and lan1 are aggregated into lan900.
For more information on APA, see apa(7).
Privilege Limitation Rules
A privilege limitation rule controls privilege inheritance. Any privilege named in a
privilege limitation rule cannot be obtained when calling execve(2).
The syntax for privilege limitation rules is:
disallowed privileges privilege[,privilege[...]]
where:
disallowed privileges
    Specifies this as a privilege limitation rule.
privilege[,privilege[...]]
    A comma-separated list of privileges. You can use the following additional keywords:
    • all: disallows all privileges
    • none: allows all privileges
    • !: denotes except
For example:
/* Disallow all privileges except mount. */
disallowed privileges all,!mount
/* Disallow mount only. */
disallowed privileges none,mount
If privilege limitation rules are not specified for a compartment, the default privilege
limitation is basicpolicy,mknod for every compartment except the INIT compartment.
The INIT compartment default privilege limitation is none.
When multiple disallowed privilege rules are defined, the rules will be aggregated. Refer
to priv_str_to_set(3) for information on how the privileges string will be aggregated to
the privilege set.
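The following Python script is an added example, not part of the HP-UX documentation or tooling. It parses disallowed privileges lines and computes the resulting set so a rules file can be reviewed before it is loaded. It assumes that tokens apply left to right and that multiple rules are folded in file order; priv_str_to_set(3) remains the authority. UNIVERSE is a constructed sample list, and the function names are hypothetical.

```python
import re

# Constructed sample universe; the authoritative names are in privileges(5).
UNIVERSE = frozenset({"mount", "mknod", "chroot", "netadmin", "reboot"})

RULE_RE = re.compile(
    r"^[ \t]*disallowed[ \t]+privileges[ \t]+(\S.*?)[ \t]*$", re.M)


def extract_rules(text):
    """Return the privilege list of every 'disallowed privileges' line."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ comments
    return RULE_RE.findall(text)


def disallowed_set(rules, universe=UNIVERSE):
    """Fold the rules, in order, into one set of disallowed privileges.

    Assumption: tokens apply left to right, and each later rule continues
    from the set built by the earlier ones.
    """
    denied = set()
    for rule in rules:
        for token in (t.strip() for t in rule.split(",")):
            if token == "all":
                denied = set(universe)
            elif token == "none":
                denied = set()
            else:
                negate = token.startswith("!")
                name = token[1:].strip() if negate else token
                if name not in universe:
                    raise ValueError(f"unknown privilege: {token!r}")
                if negate:
                    denied.discard(name)
                else:
                    denied.add(name)
    return denied


def obtainable_on_exec(rules, universe=UNIVERSE):
    """Privileges the limitation rules do not block at execve(2)."""
    return set(universe) - disallowed_set(rules, universe)


# Constructed sample input, reusing the first rule from the example above.
SAMPLE = "/* Disallow all privileges except mount. */\ndisallowed privileges all,!mount\n"

if __name__ == "__main__":
    rules = extract_rules(SAMPLE)
    print("disallowed:", sorted(disallowed_set(rules)))
    print("obtainable:", sorted(obtainable_on_exec(rules)))
```

The script rejects compound names such as basicpolicy, because their expansion is not given here; add them to the universe only after checking privileges(5).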
6.4.6 Example Rules File
An example rules file is located in /etc/cmpt/examples/sendmail.example.