/* allow the children to access UNIX domain */ /* sockets created by the parent compartment */

grant uxsock server_children

Access

Specifies whether the rule is object-centric or subject-centric. The

 

options are:

 

grant: Specifies an object-centric rule. This rule allows processes

 

in the compartment compartment_name to access the specified

 

IPC mechanism in the current compartment.

 

access: Specifies a subject-centric rule. This rule allows processes

 

in the current compartment to access the specified IPC mechanism

 

in the compartment compartment_name.

Method

Specifies the method of communication this rule applies to. The options

 

are:

 

pty: Specifies that the rule applies to pty used in interprocess

 

communication.

 

fifo: Specifies that the rule applies to FIFOs.

 

uxsock: Specifies that the rule applies to UNIX domain sockets.

 

ipc: Specifies that the rule applies to SYSV and POSIX IPC objects,

 

such as shared memory, semaphores, and message queues.

compartment_name

The name of the other compartment where processes in this

 

compartment can communicate with.

The second type of IPC rule governs process access. The syntax for this type of rule is as follows:

(sendreceive) signal <compartment_name>

For example:

/* allow the parent to send signals to children */ send signal server_children

Direction

Specifies whether processes in the current compartment have access

 

to view and alter process behavior from another specified compartment.

 

The options are:

 

send: Specifies a subject-centric rule. Allows processes in the

 

current compartment to send signals view process data in the

 

compartment compartment_name.

 

receive: Specifies an object-centric rule. Allows processes in the

 

compartment compartment_name to send signals and view

 

process data in the current compartment.

signal

Specifies that this rule applies to signals and process visibility.

compartment_name

The name of the other compartment where processes in the current

 

compartment can have access to view process information or to be

 

viewed from.

Network Rules

Network rules govern access to network interfaces. Network rules also govern communication between processes that use INET domain communication (TCP/IP sockets and streams). The default behavior is to deny access to the network.

Network endpoints are treated as objects labeled with the compartment of the process that creates them. However, a network endpoint can be created by one process, then passed to another

Compartment Rules and Syntax 65

Page 64 Page 66
Page 65
Image 65
HP UX 11i Role-based Access Control (RBAC) Software manual Network Rules, IPC mechanism in the current compartment
Page 64 Page 66
Top Page Image Contents