3. Compare the output of step 1 to the output of step 2. If they are the same, all rules are loaded into the kernel.

If the output of step 1 is different from the output of step 2, go on to step 4.

4. Execute the following command:

# setrules

The configured rules are loaded into the kernel.

Problem 2: A network interface on my compartment-enabled system is not accessible. Solution: All network interfaces must be configured in a compartment. To check whether your network interface is configured in a compartment, follow these steps:

1. Execute the following command:

# getrules

The getrules command displays the valid compartment rules in the kernel. Check the output for rules configuring the network interface.

If there are rules configuring the network interface in a compartment, go on to step 2 to check the rules syntax for errors.

If there are no rules for the network interface, go on to step 2.

2. Execute the following command:

# setrules -p

The setrules command with the -p option displays all rules configured on the system, including rules that have not been loaded into the kernel.

If no rules are configured on the system, configure appropriate network interface rules. Refer to “Network Rules” for network rules syntax.

The setrules -p command also checks for syntax errors. If there is a syntax error in your network interface rules, modify your rules as described in “Modifying Compartment Configuration”.

3. Compare the output of step 1 to the output of step 2. If they are the same, all rules are loaded into the kernel.

If the output of step 2 displays rules for the network interface that were not present in the output of step 1, go on to step 4.

4. Execute the following command:

# setrules

The configured rules are loaded into the kernel.

Problem 3: Access to a file is not functioning properly. Solution: If multiple hard links point to this file, the compartment rules configuration may contain inconsistent rules for accessing the file. To check for inconsistencies, follow these steps:

1. Execute the following command:

# vhardlinks

If the output shows an inconsistency, go on to step 2.

2. Modify the rules to remove the inconsistency. Follow the procedure described in “Modifying Compartment Configuration”.
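What an inconsistency of this kind looks like, as an added Python illustration (not the vhardlinks implementation and not code from the manual): it groups rule paths by device and inode and reports files that are reached through several hard links with differing permissions. The (path, permissions) pairs, the file names and the permission names are constructed for the example and are not compartment rule syntax.

```python
import os
import stat
import tempfile
from collections import defaultdict


def find_hardlink_conflicts(rules):
    """Return {(device, inode): {path: permissions}} for every regular file that
    is named by two or more rule paths whose permissions disagree.

    rules is an iterable of (path, permissions) pairs. This pair format is a
    constructed simplification, not HP-UX compartment rule syntax.
    """
    by_file = defaultdict(dict)
    for path, perms in rules:
        try:
            st = os.lstat(path)  # lstat: a symlink is not a hard link
        except FileNotFoundError:
            continue  # the rule names a path that does not exist
        if stat.S_ISREG(st.st_mode):
            by_file[(st.st_dev, st.st_ino)][path] = frozenset(perms)
    return {
        key: paths
        for key, paths in by_file.items()
        if len(set(paths.values())) > 1
    }


def demo(alias_perms=("read", "write")):
    """Build two hard links to one file plus an unrelated file (all constructed),
    apply sample rules, and return the conflicting path names per file."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "app.conf")
        alias = os.path.join(d, "alias.conf")
        other = os.path.join(d, "other.conf")
        open(original, "w").close()
        os.link(original, alias)  # second name for the same inode
        open(other, "w").close()
        rules = [
            (original, {"read"}),
            (alias, set(alias_perms)),
            (other, {"read"}),
        ]
        conflicts = find_hardlink_conflicts(rules)
        return [sorted(os.path.basename(p) for p in paths)
                for paths in conflicts.values()]


if __name__ == "__main__":
    print(demo())
```

Because both names resolve to the same inode, the more permissive rule on one link undermines the stricter rule on the other, which is why the rules have to be made to agree.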

Problem 4: Network server rules do not appear in getrules output. Solution: Because of the way rules are managed internally, network server rules for a given compartment can be listed in the target compartment output of the getrules command.

For example:

/* telnet compartment rule to allow incoming telnet requests through compartment labeled ifacelan0 */

HP UX 11i Role-based Access Control (RBAC) Software manual