Administrator's Guide

the compartment not only to look up entries in the directory
(see the nsearch parameter), but also to list the contents
of the directory. Like the nsearch parameter,
this access control is not inherited. Therefore, even if
a directory is searchable and readable, any directory
or file underneath it is not searchable or readable
unless access is explicitly granted on it.
The nread keyword is valid only if the HP-UX
ContainmentPlus product is installed on the system.
write: Controls write access to the object. If the
object is a file, writing to the file is controlled. If the
object is a directory, due to inheritance, writing to all
files under the directory is controlled.
create: Controls the ability to create objects. This
applies to directory objects only. This is inherited by
all directories under the specified directory.
unlink: Controls the ability to delete objects. This
applies to directory objects only. This is inherited by
all directories under the specified directory.
nsearch: Controls the ability to search for an element
if the file_object is a directory. This attribute is
not inherited by subdirectories.
file_object The full path name of the file or directory.
For example:
/* deny all permissions except read to entire system */
perm read /
/* except for this directory */
perm read,write,create,unlink /var/opt/server
/* just read and write log files, not create them */
perm read,write /var/opt/server/logs
NOTE: To grant any permission on a file system object, the compartment must have a
minimum of read permission on every directory above that object. For example, to grant
read and write permissions on /var/opt/tmp/file1, you must grant read permissions
on /var/opt/tmp, /var/opt, /var, and /.
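The following script is an added example, not part of this guide or of the HP-UX product. It models the perm rules described above so that a rule file can be checked offline before it is loaded: it parses perm lines (with /* */ comments) and computes the permissions a compartment would have on a given path, treating read, write, create and unlink as inherited and nread and nsearch as applying only to the named object. The resolution model is an assumption drawn from the example above (the nearest rule on the path or one of its ancestors governs, so the rule on /var/opt/server/logs removes the create and unlink inherited from /var/opt/server). The check_parent_read function applies the NOTE literally, requiring read on every directory above a granted object; this page does not say whether nsearch alone satisfies that requirement, so the check does not treat it as doing so. The second rule set (STRICT_RULES) is constructed for illustration only.

```python
"""Offline model of HP-UX compartment 'perm' file-system rules (added example, not HP code)."""
import posixpath
import re

INHERITED = {"read", "write", "create", "unlink"}      # apply to everything below a directory
NOT_INHERITED = {"nread", "nsearch"}                    # apply to the named object only
CONTAINMENTPLUS_ONLY = {"nread"}                        # keyword valid only with ContainmentPlus
ALL_PERMS = INHERITED | NOT_INHERITED

# Only the 'perm <list> <path>' form shown in the guide is accepted.
RULE_RE = re.compile(r"^\s*perm\s+([a-z,]+)\s+(\S+)\s*$")

# The guide's own example rule set.
GUIDE_RULES = """\
/* deny all permissions except read to entire system */
perm read /
/* except for this directory */
perm read,write,create,unlink /var/opt/server
/* just read and write log files, not create them */
perm read,write /var/opt/server/logs
"""

# Constructed rule set: a non-inherited grant on /var/opt cuts off the read inherited
# from /, and /var/opt/server then violates the NOTE because its parent lacks read.
STRICT_RULES = """\
perm read /
perm nread,nsearch /var/opt
perm read,write /var/opt/server
"""


def parse_rules(text):
    """Parse perm lines into a list of (normalized path, set of permissions)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)     # strip /* ... */ comments
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognized rule: {line!r}")
        perms = set(m.group(1).split(","))
        unknown = perms - ALL_PERMS
        if unknown:
            raise ValueError(f"unknown permission(s) {sorted(unknown)} in {line!r}")
        rules.append((posixpath.normpath(m.group(2)), perms))
    return rules


def _ancestors(path):
    """Yield path itself, then each parent directory up to and including '/'."""
    p = posixpath.normpath(path)
    while True:
        yield p
        if p == "/":
            return
        p = posixpath.dirname(p)


def effective_perms(rules, path, containmentplus=False):
    """Permissions the compartment holds on `path`.

    Assumption (modeled on the guide's example): the nearest rule on the path or an
    ancestor supplies the inherited permissions; nread/nsearch count only when the
    rule names the object itself. With no matching rule, access is denied.
    """
    by_path = {}
    for p, perms in rules:          # a later rule for the same path overrides an earlier one
        by_path[p] = perms
    path = posixpath.normpath(path)
    for p in _ancestors(path):
        if p in by_path:
            perms = set(by_path[p])
            if not containmentplus:
                perms -= CONTAINMENTPLUS_ONLY
            if p != path:
                perms -= NOT_INHERITED
            return perms
    return set()


def check_parent_read(rules, containmentplus=False):
    """Apply the NOTE: any granted object needs read on every directory above it.

    Returns a list of (rule path, parent directory lacking read).
    """
    problems = []
    for p, perms in rules:
        if not perms:
            continue
        for parent in list(_ancestors(p))[1:]:
            if "read" not in effective_perms(rules, parent, containmentplus):
                problems.append((p, parent))
    return problems


if __name__ == "__main__":
    guide = parse_rules(GUIDE_RULES)
    for target in ("/etc/passwd", "/var/opt/server/conf", "/var/opt/server/logs/app.log"):
        print(target, sorted(effective_perms(guide, target)))
    print("guide rules, NOTE violations:", check_parent_read(guide))
    strict = parse_rules(STRICT_RULES)
    print("/var/opt/other", sorted(effective_perms(strict, "/var/opt/other")))
    print("strict rules, NOTE violations:", check_parent_read(strict, containmentplus=True))
```

Running the script shows the guide's rule set passing the NOTE check while granting only read and write under /var/opt/server/logs, whereas STRICT_RULES leaves /var/opt/other with no access at all and is flagged because /var/opt/server sits under a directory that has nread and nsearch but not read.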
6.4.3 IPC Rules
Interprocess communication (IPC) rules govern how processes use interprocess
communication methods between compartments. IPC communication methods include
direct process-to-process communication or shared access to an IPC object. When an
6.4 Compartment Rules and Syntax 117