HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide
B Configuration Example
This appendix includes a sample SRP compartment configuration.
Sample Base Configuration
The following listing shows the data for a compartment created using the base template and
the default services. The user configured the IP address 192.0.2.1 for the compartment address
and lan1 for the network interface, and accepted the default values for all other variables.
The compartment rules file (/etc/cmpt/myCmpt.rules) for this example, like all SRP
compartment rules files, includes a reference to the /opt/hpsrp/etc/cmpt/base.srp_incl
file. The contents of this include file are listed in “The base.srp_incl File” (page 90).
# /opt/hpsrp/bin/srp -list myCmpt -verbose
Compartment: myCmpt Template: base Service: cmpt
----------------------------------------------------------------------
Compartment Configuration (/etc/cmpt/myCmpt.rules):
@tag-start compartment="myCmpt" template="base" service="cmpt" id="1" ;
#include "/opt/hpsrp/etc/cmpt/base.srp_incl"
// lock out access to the other compartment's root directory
perm nsearch /var/hpsrp
// open access to compartment root
perm all /var/hpsrp/myCmpt
// to DNS
grant bidir udp peer port 53 init
Compartment: myCmpt Template: base Service: admin
----------------------------------------------------------------------
RBAC Admin Service Configuration:
Role(s):
SRPadmin-myCmpt
Authorization(s):
SRPadmin-myCmpt: (hpux.SRPadmin.myCmpt, myCmpt)
Command privilege(s):
/opt/hpsrp/bin/util/srp_rc:dflt:(hpux.SRPadmin.myCmpt,*):0/0//:myCmpt:dflt:dflt:
Compartment: myCmpt Template: base Service: login
----------------------------------------------------------------------
RBAC Login Service Configuration:
Role(s):
&adm:SRPlogin-myCmpt
Authorization(s):
SRPlogin-myCmpt: (hpux.security.compartment.login, myCmpt)
Compartment: myCmpt Template: base Service: init
----------------------------------------------------------------------
SRP init service:
//etc/rc.config.d/srpconf: SRP_NAME[1]="myCmpt"
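
The include line and the two perm rules shown in the compartment configuration above can be checked mechanically when reviewing a compartment. The following shell function is an added example, not part of the HP guide or the SRP product; the function names are hypothetical, and it assumes one rule per line with // starting a comment line, as in the listing.

```shell
#!/bin/sh
# Added example, not HP code. Reads one compartment's rules on stdin, e.g.
#   check_cmpt_rules myCmpt < /etc/cmpt/myCmpt.rules
# Assumption: one rule per line; "//" begins a comment line (as in the listing).

check_cmpt_rules() {
    # $1 = compartment name; exit status = number of expected rules missing
    awk -v name="$1" '
        /^[ \t]*\/\// { next }                       # skip comment lines
        $1 == "#include" && $2 == "\"/opt/hpsrp/etc/cmpt/base.srp_incl\"" { inc = 1 }
        $1 == "perm" && $2 == "nsearch" && $3 == "/var/hpsrp"     { lock = 1 }
        $1 == "perm" && $2 == "all" && $3 == ("/var/hpsrp/" name) { root = 1 }
        $1 == "grant" { print "REVIEW  network rule: " $0 } # list for manual review
        END {
            if (!inc)  { print "MISSING include of base.srp_incl"; miss++ }
            if (!lock) { print "MISSING perm nsearch /var/hpsrp"; miss++ }
            if (!root) { print "MISSING perm all /var/hpsrp/" name; miss++ }
            exit miss + 0
        }'
}

# Constructed sample input: the myCmpt rules copied from the listing above.
sample_rules() {
    cat <<'EOF'
@tag-start compartment="myCmpt" template="base" service="cmpt" id="1" ;
#include "/opt/hpsrp/etc/cmpt/base.srp_incl"
// lock out access to the other compartment's root directory
perm nsearch /var/hpsrp
// open access to compartment root
perm all /var/hpsrp/myCmpt
// to DNS
grant bidir udp peer port 53 init
EOF
}

sample_rules | check_cmpt_rules myCmpt && echo "myCmpt: baseline rules present"
```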