5 Compartments
This chapter describes the compartments feature of
• “Overview”
• “Planning the Compartment Structure”
• “Modifying Compartment Configuration”
• “Compartment Components”
• “Compartment Rules and Syntax”
• “Activating Compartments”
• “Troubleshooting Compartments”
• “Compartments in HP Serviceguard Clusters”
Overview
Compartments are a method of isolating components of a system from one another. When configured properly, they can be an effective method to safeguard your
The compartments feature of the
Conceptually, each process belongs to a compartment, and resources are handled in one of two ways. Transient resources, such as communication endpoints and shared memory, are labeled with the compartment of the process that created them. Persistent resources, such as files and directories, are instead associated with an access list that specifies how processes in different compartments can access them. In both cases, a process can access a resource or communicate with a process that belongs to a different compartment only if a rule exists between those compartments. Processes that belong to the same compartment can communicate with each other and access resources in that compartment without a rule.
Compartments separate subjects from objects. This enables a virtual grouping of related subjects and objects. You can configure your system so that, if a service running in a compartment is compromised, it does not affect services running in other compartments. This restricts any damage to the affected compartment only.
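The access decision described above, as an added toy model (not HP-UX code and not the syntax used by the compartment rules files): compartment names, process names, paths and the directional form of the rules are assumptions made for the illustration.

```python
"""Toy reference monitor for the compartment model: processes carry a
compartment, transient resources carry the creator's compartment label,
persistent resources carry an access list, and cross-compartment access
needs an explicit rule. Constructed illustration; all names are invented."""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    compartment: str


@dataclass
class Transient:
    """Socket, shared memory, etc.: labeled with the creating compartment."""
    name: str
    compartment: str


@dataclass
class Persistent:
    """File or directory: access list maps compartment -> allowed operations."""
    path: str
    access: dict = field(default_factory=dict)


class Monitor:
    def __init__(self):
        # Rules are modelled here as directional (src may reach dst).
        self.rules = set()

    def add_rule(self, src: str, dst: str) -> None:
        self.rules.add((src, dst))

    def _reachable(self, src: str, dst: str) -> bool:
        # Same compartment never needs a rule; otherwise a rule must exist.
        return src == dst or (src, dst) in self.rules

    def can_communicate(self, a: Process, b: Process) -> bool:
        return self._reachable(a.compartment, b.compartment)

    def can_access(self, proc: Process, res, op: str = "read") -> bool:
        if isinstance(res, Transient):
            # Transient: decided by the label the resource inherited at creation.
            return self._reachable(proc.compartment, res.compartment)
        # Persistent: decided by the resource's own access list.
        return op in res.access.get(proc.compartment, ())


# Constructed scenario: a compromised 'web' service must not reach 'db' data.
mon = Monitor()
web = Process("httpd", "web")
db = Process("dbd", "db")
db_shm = Transient("db-shm", "db")
db_file = Persistent("/var/db/data", {"db": {"read", "write"}})
www_file = Persistent("/var/www/index.html", {"web": {"read"}, "db": {"read"}})
```

A rule added with `mon.add_rule("web", "db")` lets `httpd` reach the database's shared memory and processes, but still not `/var/db/data`, whose access list grants nothing to `web`.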
Compartment Architecture
Compartments isolate a process and its child processes within a system. Figure