HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide

subdirectories that are intended to be compartment-specific versions of the system subdirectories
below the root directory:
etc
home
net
opt
sbin
tmp
usr
var
Compartment users and services can use these directories to store compartment-specific versions
of system files. For example, the init service uses the /var/hpsrp/compartment_name/sbin
directory to create init.d, rc0.d, rc1.d, rc2.d, rc3.d, and rc4.d subdirectories and creates
initialization scripts in these directories, as described in “SRP Startup and Shutdown Processing”
(page 65).
The admin Service
The admin service uses the HP-UX Security Containment RBAC and compartment login features
to associate an HP-UX user with an RBAC role that has authorization to administer the
compartment. By default, this authorization enables the administrator to start and stop the
compartment.
Input Data
SRP prompts for the following data. You can also specify a variable name and value in the
command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment”
(page 67).
Unix username for compartment administrator
    HP-UX user name for the compartment administrator. This user name must already exist in
    the HP-UX user database.
    Variable Name: admin_user
    Default: root
Configuration Data
The admin service uses RBAC to add information about the administrator in the RBAC
configuration directory, /etc/rbac.
The admin service performs the following tasks:
Creates a role with the name SRPadmin-compartment_name for the compartment. SRP
uses the roleadm add command to perform this task.
Creates an authorization with the name hpux.SRPadmin-compartment_name with the
object set to the compartment. SRP uses the authadm add command to perform this task.
Assigns the authorization hpux.SRPadmin-compartment_name to the role
SRPadmin-compartment_name. SRP uses the authadm assign command to perform
this task.
Associates the specified HP-UX user name to the role SRPadmin-compartment_name.
The user name must already exist in the HP-UX user database. SRP uses the roleadm
assign command to perform this task.
Assigns hpux.SRPadmin-compartment_name the authorization to execute the SRP master
startup script /opt/hpsrp/bin/srp_rc in the compartment. This enables the administrator
to start up and shut down the compartment. SRP uses the cmdprivadm add command to
perform this task.
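The five tasks above, as an added example that is not code from the HP-UX SRP guide: a small POSIX shell script that generates (and, with DRY_RUN=0, executes) the RBAC command sequence for one compartment in the order listed. The argument syntax of roleadm, authadm and cmdprivadm is assumed from the HP-UX RBAC manpages, not taken from this page; the compartment name web1 and user alice in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the HP-UX SRP guide. Builds the RBAC command
# sequence the admin service performs for one compartment. Command
# argument syntax (roleadm/authadm/cmdprivadm) is assumed from the
# HP-UX RBAC manpages; check it against your release before DRY_RUN=0.
DRY_RUN=${DRY_RUN:-1}

# Accept only letters, digits, '_' and '-' so nothing unexpected ends up
# in a role or authorization name or in the RBAC database files.
valid_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# srp_admin_cmds <compartment_name> [admin_user]
# Prints one command per line; admin_user defaults to root as in the guide.
srp_admin_cmds() {
    comp=$1
    user=${2:-root}
    valid_name "$comp" && valid_name "$user" || {
        echo "srp_admin_cmds: bad compartment or user name" >&2
        return 1
    }
    role="SRPadmin-$comp"
    auth="hpux.SRPadmin-$comp"
    echo "roleadm add $role"                  # 1. role for the compartment
    echo "authadm add $auth $comp"            # 2. authorization, object = compartment
    echo "authadm assign $role $auth $comp"   # 3. authorization -> role
    echo "roleadm assign $user $role"         # 4. user -> role
    # 5. let the role run the SRP master startup script in the compartment
    echo "cmdprivadm add cmd=/opt/hpsrp/bin/srp_rc op=$auth object=$comp compartment=$comp"
}

# srp_admin_apply <compartment_name> [admin_user]
# Refuses an unknown local user (the guide requires an existing user),
# then prints or executes the plan depending on DRY_RUN.
srp_admin_apply() {
    user=${2:-root}
    grep -q "^$user:" /etc/passwd || {       # local accounts only
        echo "srp_admin_apply: user $user does not exist" >&2
        return 1
    }
    plan=$(srp_admin_cmds "$1" "$user") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $cmd"; else $cmd; fi
    done
}

if [ $# -ge 1 ]; then srp_admin_apply "$@"; fi
```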
Creating a Base SRP Compartment 37