cmpt_allow_local.5 (2011 09)

cmpt_allow_local(5) cmpt_allow_local(5)
(Tunable Kernel Parameters)
NAME
cmpt_allow_local - define the default rule for inter-compartment local-to-local communications
VALUES
Failsafe
0 (deny)
Default
0 (deny)
Allowed values
0 (deny) or 1 (allow).
Recommended values
0 (deny) to open up inter-compartment communications only between selective compartments on selective ports.
1 (allow) to open up all inter-compartment communications so that compartments act like stand-alone virtual systems.
Remarks
The cmpt_allow_local parameter is a dynamic tunable. It only takes effect if the compartments(5) feature has been enabled on the system and the HP-UX ContainmentPlus product has been installed on the system.
DESCRIPTION
The cmpt_allow_local parameter defines the default rule for inter-compartment loopback communications that are addressed to local network interfaces or IP addresses. The default rule only applies if there is no explicit compartment network rule (see compartments(4)) matching the communication attempt.
If the value of cmpt_allow_local is set to 0, the default rule is to deny the communication. Explicit compartment network rules can be used to open up inter-compartment network communications for selective compartments on selective ports. If the value of cmpt_allow_local is set to 1, the default rule is to allow the communication. Explicit compartment network rules can be used to close up inter-compartment network communications for selective compartments on selective ports. The default value of cmpt_allow_local is set to 0.
Note that the default rule for the loopback communications that are addressed to loopback interfaces or addresses (see ifconfig(1M) for the definition of loopback interfaces and addresses) is always "deny"; it is NOT controlled by the cmpt_allow_local tunable.
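The decision order the DESCRIPTION lays out (explicit rule first, fixed deny for loopback-addressed traffic, then the tunable's default) as an added model, not code from HP-UX or this man page. The Rule class and the evaluate/redundant_for_default functions are constructed stand-ins for compartments(4) network rules and kernel behaviour, not their real syntax or API.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DENY, ALLOW = 0, 1   # the only allowed values of cmpt_allow_local


@dataclass(frozen=True)
class Rule:
    """Simplified stand-in for a compartments(4) network rule (constructed)."""
    src: str             # source compartment name
    dst: str             # destination compartment name
    port: Optional[int]  # destination port, None matches any port
    action: int          # DENY or ALLOW


def evaluate(src: str, dst: str, port: int, dst_is_loopback: bool,
             rules: List[Rule], cmpt_allow_local: int) -> Tuple[int, str]:
    """Return (verdict, reason) for one local-to-local communication attempt."""
    if cmpt_allow_local not in (DENY, ALLOW):
        raise ValueError("cmpt_allow_local must be 0 (deny) or 1 (allow)")
    # 1. An explicit compartment rule matching the attempt takes precedence;
    #    the default rule is consulted only when no rule matches.
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (None, port):
            return r.action, "explicit compartment rule"
    # 2. Traffic addressed to a loopback interface or address has a fixed
    #    default of deny that the tunable does not control.
    if dst_is_loopback:
        return DENY, "loopback destination: default is always deny"
    # 3. Everything else falls through to the tunable's default rule.
    return cmpt_allow_local, "default rule from cmpt_allow_local"


def redundant_for_default(rules: List[Rule], cmpt_allow_local: int) -> List[Rule]:
    """Rules whose action merely restates the default, so they have no effect on
    non-loopback traffic under that setting. Flipping the tunable inverts which
    rules matter, which is why the page says to revisit the rules at the same time."""
    return [r for r in rules if r.action == cmpt_allow_local]
```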
Who Is Expected to Change This Tunable?
The HP-UX Secure Resource Partition product (SRP) may change the value of cmpt_allow_local.
An administrator that manages compartments can also change the value of this tunable directly through the kctune(1M) command.
Restrictions on Changing
The tunable cmpt_allow_local is a dynamic tunable, so any changes to it will take effect immediately.
When Should the Tunable Be Changed?
The tunable cmpt_allow_local should be changed if the default security policy for inter-compartment local-to-local communications is changing.
What Are the Side Effects of Changing the Tunable?
The explicit compartment network rules should be revisited at the same time as this tunable is changed.
What Other Tunables Should Be Changed at the Same Time?
This tunable is independent of other tunables.
WARNINGS
All HP-UX kernel tunable parameters are release-specific. This parameter may be removed or have its
meaning changed in future releases of HP-UX.
HP-UX 11i Version 3: September 2011 1 Hewlett-Packard Company 1