HP-UX Containers (SRP) A.03.01 Release Notes

operating system and share hardware resources for efficient use. To protect one system container from
affecting other containers or the system as a whole, certain restrictions are in place. These restrictions
may lead to behavioral differences in a system container when compared to an individual physical
system.
1.11.1 Disallowed operations in system containers
All users in a system container (including root) are prevented from performing the following
administrative tasks. These tasks must be performed in the global view:
Kernel configuration management
Kernel tunable management
System boot configuration
Reading kernel memory
Make kernel
System crash configuration
Kernel Registry Services
DLKM management
Creating device files
Changing system time
Shutdown/reboot the physical system
Swap space management
Logical volume management
Physical devices management
Network interface card configuration
IP Address configuration
Network tunable configuration
Compartment rule configuration
Bypassing compartment rules using overriding privileges
Enable/disable auditing
Enable/disable accounting
IPFilter configuration
IPSec configuration
SRP configuration
SD software installation (swinstall/swremove/swconfig)
1.11.2 Disallowed privileges in system containers
A set of privileges is disallowed in each system container to prevent users from performing
administrative tasks that might affect system-wide resources or operations. Commands
and system calls that perform administrative tasks disallowed in a system container
return an error. The following privileges (see privileges(5)) are disallowed within a system
container:
ACCOUNTING
Allows a process to control the process accounting system. Example: acct(1M), acctsh(1M)
AUDCONTROL
Allows a process to start, modify, and stop the auditing system. Example: audsys(1M)