cmpt_allow_local.5 (2010 09)

cmpt_allow_local(5) cmpt_allow_local(5)
(Tunable Kernel Parameters)
NAME
cmpt_allow_local - define the default rule for inter-compartment local-to-local communications
VALUES
Failsafe
0 (deny)
Default
0 (deny)
Allowed values
0 (deny) or 1 (allow).
Recommended values
0 (deny) if the desire is to open up inter-compartment communications only between selective compartments on selective ports.
1 (allow) if the desire is to open up all inter-compartment communications so that compartments are acting like stand-alone virtual systems.
Remarks
cmpt_allow_local is a dynamic tunable. It only has effect if the compartments(5) feature has been enabled on the system, and the HP-UX ContainmentPlus product (which is delivered as part of the ContainmentExt bundle version B.11.31.02 or later) has been installed on the system.
DESCRIPTION
cmpt_allow_local defines the default rule for inter-compartment loopback communications that are addressed to local network interfaces or IP addresses. The default rule only applies if there is no explicit compartment network rule (see compartments(4)) matching the communication attempt.
If the value of cmpt_allow_local is set to 0, the default rule is to deny the communication. Explicit compartment network rules can be used to open up inter-compartment network communications for selective compartments on selective ports. If the value of cmpt_allow_local is set to 1, the default rule is to allow the communication. Explicit compartment network rules can be used to close up inter-compartment network communications for selective compartments on selective ports. The default value of cmpt_allow_local is set to 0.
Note that the default rule for the loopback communications that are addressed to loopback interfaces or addresses (see ifconfig(1M) for the definition of loopback interfaces and addresses) is always "deny"; it is NOT controlled by the cmpt_allow_local tunable.
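The precedence described above (loopback destinations always denied, an explicit compartment network rule next, the cmpt_allow_local default last) as an added POSIX shell example; it is not part of the HP-UX man page. It assumes that `kctune cmpt_allow_local` prints the tunable's name and current value on one row, as documented in kctune(1M), and falls back to the failsafe value 0 when kctune is not present.

```shell
#!/bin/sh
# Added example (not from the HP-UX man page): model the decision order this
# page describes for an inter-compartment packet aimed at a local address.
#   1. destination is a loopback interface/address  -> always deny
#   2. an explicit compartment network rule matches -> that rule decides
#   3. otherwise                                   -> cmpt_allow_local default
# Arguments: <tunable 0|1> <dest: loopback|local> <explicit rule: allow|deny|none>
# Prints "allow" or "deny".
cmpt_decide() {
    tunable=$1; dest=$2; rule=$3
    case "$dest" in
        loopback) echo deny; return 0 ;;
    esac
    case "$rule" in
        allow|deny) echo "$rule"; return 0 ;;
    esac
    if [ "$tunable" = "1" ]; then echo allow; else echo deny; fi
}

# Read the live value with kctune(1M) on HP-UX (assumed output row:
# "cmpt_allow_local <value> ..."); elsewhere fall back to the failsafe
# value 0 (deny) so the script still runs offline.
current_cmpt_allow_local() {
    if command -v kctune >/dev/null 2>&1; then
        kctune cmpt_allow_local | awk '$1 == "cmpt_allow_local" { print $2 }'
    else
        echo 0
    fi
}

# Walk a small constructed table of communication attempts and show what the
# current default would do with each one (useful when auditing a policy change).
audit_table() {
    val=$(current_cmpt_allow_local)
    printf 'cmpt_allow_local=%s\n' "$val"
    for entry in "local none" "local allow" "local deny" "loopback none" "loopback allow"; do
        set -- $entry
        printf '  dest=%-8s rule=%-5s -> %s\n' "$1" "$2" "$(cmpt_decide "$val" "$1" "$2")"
    done
}
```

Run `audit_table` after changing the tunable to see which attempts the new default covers and which remain governed by explicit rules.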
Who Is Expected to Change This Tunable?
The HP-UX Secure Resource Partition product, as part of the product setup, lets users choose the default rule for inter-compartment local-to-local communications and change the value of cmpt_allow_local.
Administrators who manage compartments can also change the value of this tunable directly through the kctune(1M) command.
Restrictions on Changing
The tunable cmpt_allow_local is a dynamic tunable, so any changes to it take effect immediately.
When Should the Tunable Be Changed?
The tunable cmpt_allow_local should be changed if the default security policy for inter-compartment local-to-local communications is changing.
What Are the Side Effects of Changing the Tunable?
The explicit compartment network rules should be revisited at the same time this tunable is changed.
What Other Tunables Should Be Changed at the Same Time?
This tunable is independent of other tunables.
HP-UX 11i Version 3: September 2010 - 1 - Hewlett-Packard Company
