setrules.1m (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

setrules(1M) setrules(1M)

NAME

setrules - set compartment rules

SYNOPSIS

setrules [-p]

DESCRIPTION

setrules takes the current rules ﬁles on the system and puts them into effect. Prior to using this com-

mand, changes in the rules ﬁles have no effect on the system. This command can only be used when com-

partmentalization is enabled (see cmpt_tune (1M)).

Options

setrules recognizes the following option:

-p Preview the rules. This option parses the rules ﬁles, checking for syntax and semantic errors,

but setrules makes no changes to the system.

Security Restrictions

The user invoking this command must have one of the following authorizations:

hpux.security.xsec.secrules.unrestricted

hpux.security.xsec.secrules.restricted

A user with hpux.security.xsec.secrules.unrestricted

authorization can invoke this com-

mand from any compartment, while a user with

hpux.security.xsec.secrules.restricted

authorization can invoke this command from only those compartments that have read and write access to

the

/etc/cmpt directory heirarchy.

See authadm (1M)).

Notes

If a compartment is tagged for automatic discovery of rules using the keyword discover,subsequent

runs of setrules command does NOT clear the rules that are already discovered. This means the rules

applied are inconsistent with the rules currently in the /etc/cmpt directory. To make them consistent,

ﬁrst run "getrules -m compartment_name

>ﬁle.rules", and then run setrules;where,

compartment_name is the name of the compartment which is under for discovery mode and ﬁle.rules is

the rules ﬁle containing the rules for this compartment.

RETURN VALUE

setrules returns the following values:

0 Successful completion. The rules are displayed.

>0 An error occurred. An error can be caused by the following:

• An invalid option.

• The user does not having permissions to perform the operation.

• A syntax or semantic error in a rule ﬁle.

• Other system errors (for example, insufﬁcient system resources).

EXAMPLES

Example 1: Execute

setrules to push the conﬁgured rules:

# setrules

Example 2: Execute setrules to push syntactically incorrectly conﬁgured rules:

# setrules

Sample Output:

Error: "/etc/cmpt/11.cmpt.1.rules", line 10 # Unexpected token ’web’ \

or rule terminated prematurely setrules: Exiting due to parse errors

Example 3: Execute setrules to ﬁnd any syntactically or semantically incorrectly conﬁgured rules:

# setrules -p

Sample Output:

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (2 pages)

PAGE 1
setrules(1M) setrules(1M) NAME setrules - set compartment rules SYNOPSIS setrules [-p] DESCRIPTION setrules takes the current rules files on the system and puts them into effect. Prior to using this command, changes in the rules files have no effect on the system. This command can only be used when compartmentalization is enabled (see cmpt_tune (1M)). Options setrules recognizes the following option: -p Preview the rules.
PAGE 2
setrules(1M) setrules(1M) Error: "/etc/cmpt/iface.rules", line 10 # Undefined compartment "ooutside". Error: "/etc/cmpt/iface.rules", line 14 # Undefined compartment "cgi". SEE ALSO authadm(1M), cmpt_tune(1M), getrules(1M), compartments(4), compartments(5).