For example, if a compartment is configured to disallow privileges, this specification prevents privrun from providing the privileges to the application in that compartment because privrun does not have the privileges itself. Note that by default, sealed compartments are configured to disallow the POLICY compound privilege.
—For privrun to invoke another application in a compartment, privrun must assert the CHANGECMPT privilege. If privrun cannot assert the CHANGECMPT privilege, for example, if the compartment is configured to disallow privileges, privrun will fail. This behavior is intentional and designed to reinforce the concept of a sealed compartment.
Configuring HP-UX RBAC
HP-UX RBAC B.11.23.04 provides you with two different methods to configure the access control roles, authorizations, and commands:
1.Using the command-line and associated management commands such as roleadm, authadm, and cmdprivadm
2.Using the Web-based System Management Homepage (SMH) and the newly-available HP-UX RBAC management tabs.
The command-line based method is described in further detail below and in the respective man pages for the commands. The SMH-based method is similar to using the command line, but made significantly easier by populating Web-based forms consistent with other features managed through SMH. Further assistance with the Web-based management is available through on-line help once SMH has been invoked. See HP System Management Homepage and HP System Management Homepage Installation Guide: HP-UX, Linux, and Windows Systems for more information on SMH and instructions on accessing the HP-UX RBAC on-line help.
For both methods, configuring HP-UX RBAC is a three-step process:
1.Configuring roles.
2.Configuring authorizations.
3.Configuring additional commands.
IMPORTANT: Authorizations are built-in (hard-coded) to the HP-UX RBAC administration commands and cannot be configured. However, you can configure which roles and users have the required HP-UX RBAC administration command authorizations.
HP-UX RBAC administration commands do not need to be wrapped with the privrun command because they are setuid=0. The HP-UX RBAC administration commands run with privileges equal to root regardless of who invokes them. Access control checks limit who can use the HP-UX RBAC administrative commands.
Refer to the Authorization section in each of the HP-UX RBAC administrative commands manpages for more information about their authorizations.
This “Configuring HP-UX RBAC” section uses the example planning results and users in Table 3-6 “Example Planning Results” to demonstrate the HP-UX RBAC administrative commands and configuration process.
