Administrator's Guide

In the following example, the ifaces compartment shares ownership of lan0 and lan1 with the init compartment. The init compartment will prefer lan0 and lan1 for network communications over network interfaces that are owned by other compartments.

    system compartment ifaces {
        /* lan0 and lan1 are shared with init, which prefers them */
        interface lan0
        interface lan1
    }
NOTE: The INIT compartment name is not case sensitive. INIT, init, and Init are all treated as the same compartment by the system.

Compartment specifications are preprocessed with cpp() before parsing begins. This means you can use cpp() directives such as #include, #define, and #ifdef, as well as C-style comments, to organize and document rules files.
6.4.2 File System Rules
File system rules govern access by processes to files and directories on the system. File system rules are inherited from a parent directory by all subdirectories and files within the parent, unless an explicit rule overrides inheritance.

By default, if no permissions are specified, all permissions are granted for a file system object.

When multiple file system rules are defined for the same pathname, the rules are aggregated. That is, the union of the permissions is taken.
The syntax for file system rules is as follows:

    (permission|perm) permission_list file_object

where:

permission or perm
    Sets permissions for a file or directory.

permission_list
    The types of permission you can apply to a file or directory are:

    none    Denies all permissions to a file or directory.

    read    Controls the read access to the object. If the object is a file,
            reading and executing the file is controlled. If the object is a
            directory, searching and listing the directory is controlled.
            Additionally, due to inheritance, reading of all files under the
            directory is controlled. Files must have read access in order to
            be opened for execution.

    nread   Controls search and read access to the file_object. The rule has
            an effect only if file_object is a directory. It allows processes in
116 Compartments
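The three semantic rules stated above (default grants everything, the nearest explicit rule on a path or an ancestor wins, and duplicate pathnames are aggregated as a union) are easy to get wrong when reviewing a rules file by eye. The following is an added example, not code from the guide or from HP-UX itself: a small Python evaluator that parses bare file system rule lines (the body of one compartment's block, without the surrounding compartment declaration), strips C-style comments as a stand-in for cpp(), and answers "does this compartment have permission X on path Y?". It assumes that a `none` rule still counts as an explicit rule that overrides an inherited grant, treats permission names as opaque tokens (only `none`, `read` and `nread` from the guide appear in the sample), and does not model the file-versus-directory distinction that `nread` depends on. The sample rules and pathnames are constructed.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Sentinel returned when no rule governs an object: the guide says all
# permissions are granted by default.
UNRESTRICTED = "all"

# Accept either keyword spelling from the guide's syntax line:
#   (permission|perm) permission_list file_object
RULE_RE = re.compile(r"^(?:permission|perm)\s+([\w,]+)\s+(\S+)\s*$")


def _norm(path):
    """Normalise a pathname so '/a/b/' and '/a/b' map to the same key."""
    return path.rstrip("/") or "/"


def parse_rules(text):
    """Parse file system rules into {path: set(permissions)}.

    Duplicate pathnames are aggregated as the union of their permissions.
    'none' contributes no permissions but still records an explicit rule
    (assumption: that is how it overrides an inherited grant).
    """
    # cpp() does this for real rules files; here only /* */ comments are dropped.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    rules = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a file system rule: {line!r}")
        perms = {p for p in m.group(1).split(",") if p and p != "none"}
        rules[_norm(m.group(2))] |= perms  # union for a repeated pathname
    return dict(rules)


def effective_perms(rules, path):
    """Return the permission set that applies to `path`.

    The nearest explicit rule on the path or one of its ancestors wins, which
    models inheritance from parent directories plus explicit overrides.
    """
    p = _norm(path)
    while True:
        if p in rules:
            return frozenset(rules[p])
        if p == "/":
            return UNRESTRICTED
        p = dirname(p)


def allowed(rules, path, perm):
    """True if a process in this compartment has `perm` on `path`."""
    eff = effective_perms(rules, path)
    return eff == UNRESTRICTED or perm in eff


# Constructed sample rules (not from the guide), as they might appear in the
# body of one compartment's block after cpp() preprocessing.
SAMPLE_RULES = """
/* deny the whole spool tree, then re-open one subtree below it */
perm none  /var/spool
perm nread /var/spool/www
/* same pathname twice: permissions are aggregated (union) */
perm read  /var/spool/www/incoming
perm nread /var/spool/www/incoming
perm read  /opt/app/
"""

RULES = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    checks = [("/etc/passwd", "read"),                  # no rule: unrestricted
              ("/var/spool/mqueue/q1", "read"),         # inherits 'none'
              ("/var/spool/www/logs", "nread"),         # override re-grants nread
              ("/var/spool/www/incoming/up.bin", "read"),  # union of two rules
              ("/opt/app/bin/srv", "read")]
    for target, perm in checks:
        print(f"{perm:5} {target:32} -> {allowed(RULES, target, perm)}")
```

Reading the output side by side with the rules makes the inheritance chain visible: `/var/spool/mqueue/q1` is denied only because `/var/spool` carries `none`, while `/var/spool/www/logs` gets `nread` back from the explicit rule one level up. When auditing a real rules file, the cases worth checking are exactly these: objects with no governing rule at all (fully open by default) and paths where a later, more specific rule silently widens what a parent denied.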