HP-UX Containers (SRP) A.03.01 Administrator's Guide
Appendix C: Template services – detailed description
C.1 The cmpt service
The cmpt service configures an HP-UX Security Containment compartment, which forms the core of
each container. You must use the cmpt service when you create a container.
C.1.1 Configuration location
The cmpt service creates a home directory for the container using the following format:
/var/hpsrp/container_name
It then creates a Security Containment compartment rules file
(/etc/cmpt/container_name.rules). This file contains #include references to files with
additional rules for the container, including the common rules files shared by all containers of the same
type (for example, the /opt/hpsrp/etc/cmpt/sysbase.srp_incl file).
Compartment rules control:
• Access to absolute file system paths
• Ownership of IP network interfaces
• Disallowed kernel-level privileges
• Loopback network access to other containers
• IPC access to specified containers (shared namespace only)
See HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 for details on
configuring Security Containment compartments.
C.2 The admin service
The admin service associates HP-UX users with an RBAC role that has authorization to administer the
container from the global view. By default, this authorization enables the administrator to start, stop,
and report status of the container.
C.2.1 Configuration location
The admin service uses RBAC commands to add information about the administrator. By default,
RBAC stores this information in the /etc/rbac configuration directory.
The admin service performs the following tasks:
• Creates a role with the name SRPadmin-container_name for the container. The RBAC
roleadm add command is used to perform this task.
• Creates an authorization with the name hpux.SRPadmin-container_name with the
object set to the container. The RBAC authadm add command is used to perform this task.
• Assigns the authorization hpux.SRPadmin.container_name to the role
SRPadmin-container_name. The RBAC authadm assign command is used to perform this task.
• Associates the specified user name with the role SRPadmin-container_name. The user
name must already exist. The RBAC roleadm assign command is used to perform this task.
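As an added example (not part of the HP-UX guide or the SRP product), the following Python check audits whether the role, authorization and user binding that the admin service creates are present and consistent for one container, and flags a role whose authorization object is a wildcard rather than the single container. The contents of the four /etc/rbac files are constructed sample data, and their layouts ("key: value" lines, "(operation, object)" pairs) and the names web1, alice and bob are assumptions made here.

```python
import re

# Constructed sample contents of the four RBAC database files under /etc/rbac.
# Their "key: value" and "(operation, object)" layouts are assumptions here.
CONTAINER = "web1"
USER_ROLE = "alice: SRPadmin-web1\nbob: SRPadmin-web1\nroot: Administrator\n"
ROLES = "Administrator: full administrator\nSRPadmin-web1: admin of web1\n"
AUTHS = ("(hpux.*, *): all hpux authorizations\n"
         "(hpux.SRPadmin-web1, web1): administer container web1\n")
ROLE_AUTH = "Administrator: (hpux.*, *)\nSRPadmin-web1: (hpux.SRPadmin-web1, web1)\n"

PAIR = re.compile(r"\(\s*([^,]+?)\s*,\s*([^)]+?)\s*\)")

def kv_lines(text):
    """Yield (key, value) for each non-empty, non-comment 'key: value' line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            yield key.strip(), value.strip()

def pair(text):
    """Parse '(operation, object)'; return None if the text is not a pair."""
    m = PAIR.search(text)
    return m.groups() if m else None

def audit_srp_admin(container, user_role, roles, auths, role_auth):
    """Check the role/authorization/user wiring the admin service creates.
    Returns (findings, holders): problems found and users holding the role."""
    role = f"SRPadmin-{container}"
    want = (f"hpux.SRPadmin-{container}", container)
    findings = []
    if role not in dict(kv_lines(roles)):
        findings.append(f"role {role} is not defined")
    if want not in {pair(k) for k, _ in kv_lines(auths)}:
        findings.append(f"authorization {want} is not defined")
    granted = {pair(v) for k, v in kv_lines(role_auth) if k == role} - {None}
    if want not in granted:
        findings.append(f"role {role} is not assigned {want}")
    # An object of '*' would let this role act on every container, not just one.
    for op, obj in granted:
        if obj == "*":
            findings.append(f"role {role} holds ({op}, *), wider than one container")
    holders = sorted(u for u, r in kv_lines(user_role) if r == role)
    if not holders:
        findings.append(f"no user is assigned role {role}")
    return findings, holders
```

Running audit_srp_admin on the sample data returns no findings and the holder list ["alice", "bob"]; the second name is the kind of extra holder an administrator reviewing least privilege would want to see listed.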