Default Compartment Configuration
When you enable the compartments feature, a default compartment named INIT is created. When you boot up the system, the init process belongs to this compartment. The INIT compartment is defined to have access to all other compartments. The INIT compartment is not defined in a compartment rules file.
IMPORTANT: If you redefine the INIT compartment by creating explicit rules in a rules file, all special characteristics of the compartment are lost and cannot be restored without rebooting the system.
Planning the Compartment Structure
Plan the compartment structure before you begin creating compartment rules. To plan the compartment structure, answer the following questions:
• Do you want to isolate different groups of users accessing this system? For example, is this system used by both the accounting department and the human resources department, and must these groups of users be kept separate?
• Do you want to isolate one network interface on this system, which communicates outside the firewall, from the rest of the system, which communicates only inside the firewall?
• Does your security policy include requirements or problems that can be solved by using compartments?
• Does your security policy specify or suggest a specific compartment rules configuration?
When you have answered these questions, use the answers to determine how to assign parts of your system to specific compartments.
Consider the following recommendations when planning your compartment configuration:
• Put all your compartment configuration files in the /etc/cmpt directory.
You can use the #include directive to create compartment configuration files anywhere on your system. However, HP recommends that you avoid using this option. Instead, keep the compartment configuration files together and easy to locate.
• Develop a separate compartment configuration for each component of your system.
Unless there is a defined, specific software dependency between two components, do not mix rules for different components: the compartment rules for one component should not refer to compartments that belong to another component. If you must remove a component, you can modify the compartment configuration more easily when the compartment configurations are kept separate.
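The first recommendation is easy to drift away from once #include is in use, so an audit that lists every include reaching outside the rules directory is a useful periodic check. The script below is an added example, not part of the HP-UX manual or the product; it assumes that the rules files are the regular files in the directory you pass (the manual recommends /etc/cmpt), that an include line has the form #include "path" or #include <path>, and that a relative path resolves against that same directory. Those syntax details are assumptions, so adjust the sed expression if your files differ.

```shell
#!/bin/sh
# Added example, not from the HP-UX manual: audit a compartment rules
# directory for #include directives that pull in files from outside it.
# Assumptions (not stated on the page): rules files are the regular files
# in the directory given as $1 (the manual recommends /etc/cmpt); an include
# line has the form  #include "path"  or  #include <path>;  a relative path
# resolves against that same directory.

# Print one line per offending include as "rules-file: included-path".
# Returns 0 when every include stays inside the directory, 1 otherwise.
audit_includes() {
    dir=${1%/}                # drop a trailing slash so the prefix test is exact
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # feed each include target (directive keyword and quoting stripped)
        # to the loop via a here-document so $found is set in this shell
        while IFS= read -r inc; do
            [ -n "$inc" ] || continue
            case "$inc" in
                /*) target=$inc ;;            # absolute path used as-is
                *)  target="$dir/$inc" ;;     # relative path: resolve against the rules directory
            esac
            case "$target" in
                */../*|*/..) ok=0 ;;          # parent-directory hop would defeat a plain prefix test
                "$dir"/*)    ok=1 ;;          # stays inside the rules directory
                *)           ok=0 ;;          # lives somewhere else on the system
            esac
            if [ "$ok" -eq 0 ]; then
                printf '%s: %s\n' "$f" "$inc"
                found=1
            fi
        done <<EOF
$(sed -n 's/^[[:space:]]*#include[[:space:]]*//p' "$f" | sed 's/^["<]//; s/[">][[:space:]]*$//')
EOF
    done
    return $found
}

# Usage: sh audit_includes.sh /etc/cmpt   (exit status is non-zero when an include escapes)
if [ "$#" -gt 0 ]; then
    audit_includes "$1"
fi
```

Because the check runs before setrules is ever invoked, it can sit in a change-control step or a cron job, and a non-zero exit is a cheap signal that the configuration no longer lives entirely under /etc/cmpt.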