HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide
The input data for these services and the data configured are described
in the sections that follow. If SRP uses input data for multiple services,
the srp utility prompts you for the data once and reuses the value.
The cmpt Service
The cmpt Service configures an HP-UX Security Containment compartment, which forms the
core of the SRP compartment. You must use the cmpt service when you create an SRP
compartment.
NOTE: You cannot create an SRP compartment without the cmpt service, nor can you delete
the cmpt service from a compartment. The cmpt service is required for all SRP compartments.
Input Data
The cmpt service uses the compartment name specified in the srp command for the Security
Containment compartment name.
Configuration Data
The cmpt service creates a home directory for the compartment using the following format:
/var/hpsrp/compartment_name
The cmpt service creates a Security Containment compartment if one does not already exist with
the same name. The rules for this compartment are stored in the file
/etc/cmpt/compartment_name.rules. This file, like all rules files created using the SRP
base template, includes a reference to the /opt/hpsrp/etc/cmpt/base.srp_incl file.
When combined with the contents of the base.srp_incl file, the rule set properties include
the following:
• Access to the home directory for the compartment.
• Read-only access to system binary files, including kernel files (/usr, /opt, /sbin, and
/stand).
• Full access to other commonly used system directories and files. This enables you to access
the directories and files needed for most OS and networking operations. You might want
to modify the file access rules to remove or limit access according to your environment.
• IPC access to the Security Containment INIT compartment. The INIT compartment is a
special compartment defined by the Security Containment product. By default, most operating
system processes (processes started by the init process) run in the INIT compartment.
Allowing IPC access to the INIT compartment enables the SRP compartment to communicate
with most local OS processes, including client network processes that communicate with
remote systems.
• Network access for DNS request and reply packets through the network interfaces in the
Security Containment INIT compartment. This enables DNS client routines running in the
SRP compartment to send and receive packets to and from a DNS server on the local system.
“Sample Base Configuration” (page 89) shows an example compartment rules file created by
srp for a base compartment, and “The base.srp_incl File” (page 90) lists the contents of
the /opt/hpsrp/etc/cmpt/base.srp_incl file.
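The following is an added audit check, not part of the HP-UX SRP product or of this guide, that verifies the on-disk artifacts the cmpt service is described as creating for a named compartment: the home directory, the rules file, its reference to base.srp_incl, and the include file itself. The optional root-prefix argument is an assumption so the check can be run against a copied tree; it looks only for a textual reference to base.srp_incl and does not parse the rules syntax.

```sh
#!/bin/sh
# Audit the artifacts the cmpt service creates for an SRP compartment.
# Added example, not HP-UX SRP code.
# usage: srp_cmpt_audit compartment_name [root]
#   root is an assumed prefix (default "/") for checking a copied tree.
# Returns the number of failed checks (0 = all expected artifacts present).

srp_cmpt_audit() {
    name="$1"
    root="${2:-/}"
    root="${root%/}"            # strip trailing slash so paths join cleanly
    home="$root/var/hpsrp/$name"
    rules="$root/etc/cmpt/$name.rules"
    incl="$root/opt/hpsrp/etc/cmpt/base.srp_incl"
    fail=0

    # 1. The compartment home directory must exist.
    if [ -d "$home" ]; then
        echo "ok   home directory $home"
    else
        echo "FAIL home directory $home missing"; fail=$((fail + 1))
    fi

    # 2. The Security Containment rules file must exist.
    if [ -f "$rules" ]; then
        echo "ok   rules file $rules"
        # 3. A rules file built from the base template references
        #    base.srp_incl; without that reference the base rules are gone.
        if grep -q 'base\.srp_incl' "$rules"; then
            echo "ok   $rules references base.srp_incl"
        else
            echo "FAIL $rules does not reference base.srp_incl"; fail=$((fail + 1))
        fi
    else
        echo "FAIL rules file $rules missing"; fail=$((fail + 1))
    fi

    # 4. The include file itself must be present, or the reference dangles.
    if [ -f "$incl" ]; then
        echo "ok   include file $incl"
    else
        echo "FAIL include file $incl missing"; fail=$((fail + 1))
    fi

    return "$fail"
}
```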
Compartment Home Directory and Subdirectories
The cmpt service creates a home directory for the compartment
(/var/hpsrp/compartment_name). The compartment home directory contains the following
36 Using the base Template