HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

6.1.1 The cmpt Service
The cmpt service configures an HP-UX Security Containment compartment, which forms the core of
the SRP compartment. You must use the cmpt service when you create an SRP compartment; you
cannot create an SRP compartment without it.
6.1.1.1 Input Data
The cmpt service uses the compartment name specified in the srp command for the Security
Containment compartment name.
6.1.1.2 Configuration Data
The cmpt service creates a home directory for the compartment using the following format:
/var/hpsrp/compartment_name
The cmpt service creates a Security Containment compartment if one does not already exist with the
same name. The rules for this compartment are stored in the file
/etc/cmpt/compartment_name.rules. This file, like all rule files created using the SRP base
template, includes a reference to the /opt/hpsrp/etc/cmpt/base.srp_incl file.
When combined with the contents of the base.srp_incl file, the rule set properties include the
following:
• Access to the home directory for the compartment.
• Read-only access to system binary files, including kernel files (/usr, /opt, /sbin, and
  /stand).
• Full access to other commonly used system directories and files. This enables you to access
  the directories and files needed for most OS and networking operations. You might want to
  modify the file access rules to remove or limit access according to your environment.
• IPC access to the Security Containment INIT compartment. The INIT compartment is a
  special compartment defined by the Security Containment product. By default, most operating
  system processes (processes started by the init process) run in the INIT compartment.
  Allowing IPC access to the INIT compartment enables the SRP compartment to communicate
  with most local OS processes, including client network processes that communicate with
  remote systems.
• Network access for DNS request and reply packets through the network interfaces in the
  Security Containment INIT compartment. This enables DNS client routines running in the SRP
  compartment to send and receive packets to and from a DNS server on the local system.
A.1 Sample Base Configuration shows an example compartment rules file created by srp for a base
compartment.
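The following check is an added example, not part of the HP guide: it confirms that the home directory and rules file described in this section exist for a compartment and that the rules file still references base.srp_incl. The function name srp_cmpt_check, the ROOT prefix argument, and the world-writable test are assumptions introduced for illustration.

```shell
#!/bin/sh
# Added example, not from the HP guide. ROOT is a hypothetical prefix ("" on a
# live host) so a staged copy of the filesystem can be checked offline.
# Usage: srp_cmpt_check ROOT COMPARTMENT_NAME   (exit status = findings)

BASE_INCL=/opt/hpsrp/etc/cmpt/base.srp_incl   # include file named in the guide

srp_cmpt_check() {
    root=${1%/}; name=$2; findings=0
    # The name is spliced into two paths; reject values that could escape them.
    case $name in
        ''|.*|*/*) echo "FAIL: unusable compartment name '$name'"; return 1 ;;
    esac
    home=$root/var/hpsrp/$name
    rules=$root/etc/cmpt/$name.rules
    incl=$root$BASE_INCL

    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    # The home directory must be a real directory, not a symlink elsewhere.
    if [ -L "$home" ] || [ ! -d "$home" ]; then
        fail "home directory $home is missing or is a symlink"
    fi

    if [ ! -f "$rules" ]; then
        fail "rules file $rules is missing"
    elif ! grep -F -- "$BASE_INCL" "$rules" >/dev/null; then
        # No reference means the base rules are not part of this rule set.
        fail "$rules does not reference $BASE_INCL"
    fi

    [ -f "$incl" ] || fail "base include $incl is missing"

    # Assumption beyond the guide: files that define the containment rules
    # should not be world-writable.
    for f in "$rules" "$incl"; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -perm -002 -print)" ]; then
            fail "$f is world-writable"
        fi
    done

    [ "$findings" -eq 0 ] && echo "OK: $name"
    return "$findings"
}
```

The check only searches the rules file for the include path as a string, so it makes no assumption about the rule file syntax.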
Compartment Home Directory
The cmpt service creates a home directory for the compartment
(/var/hpsrp/compartment_name) with the following subdirectories that are intended to be
compartment-specific versions of the system subdirectories below the root directory:
etc
home
net
opt
sbin
tmp