grant server tcp port 23 ifacelan0
If this rule is specified, it appears listed under the ifacelan0 compartment output of getrules.
ACCESS | PROTOCOL | SRCPORT | DESPORT | DESCMPT |
Grant client | tcp | 0 | 23 | telnet |
Compartments in HP Serviceguard Clusters
If you use compartments with HP Serviceguard, you must configure all Serviceguard daemons in the default INIT compartment. However, you can configure Serviceguard packages in other compartments. Refer to the latest editions of Managing Serviceguard and Using Serviceguard Extension for RAC for daemons required in Serviceguard and Serviceguard extensions for RAC cluster.
Serviceguard packages can belong to specific compartments. Applications monitored as part of a Serviceguard package can also be configured in specific compartments. When you set up the compartment for a package, be sure that the resources required by that package (such as volume groups, file systems, network addresses, and so on) are accessible by that compartment.
Compartment rules are
When a primary LAN interface fails over to a standby LAN interface, the compartment label of the primary interface is automatically copied over to the standby interface as long as the standby is not online. If the standby interface is already configured online, the standby interface and the primary interface must be configured in the same compartment to fail over successfully. If the standby interface is configured in a different compartment from the primary interface, but is offline at the time of the failover, the standby interface is updated to the primary interface compartment configuration when the interface fails over.
To maintain proper Serviceguard operations when deploying security containment features to HP Serviceguard nodes or packages:
•Do not modify the INIT compartment specifications in any way.
•Ensure inetd runs in the INIT compartment.
•Ensure that all Serviceguard daemons in a cluster run in the INIT compartment. For example, the daemons for Serviceguard Version A.11.16 include cmclconfd, cmcld, cmlogd, cmlvmd, cmomd, and cmsnmpd. Refer to Managing Serviceguard for a list of all Serviceguard daemons.
•Ensure that all Serviceguard cluster requirements are met for Serviceguard Extensions for RAC clusters. Additionally, clusters with Serviceguard Extension for RAC Version A.11.16 need the cmsmgd daemon to run in the INIT compartment. Oracle Real Application Cluster (RAC) processes must have access to the libnmapi2 library, and must communicate with cmsmgd. Refer to Using Serviceguard Extension for RAC for required daemons and libraries.
•Do not configure standby LAN interfaces in a compartment.
•Set up the compartments and rules identically on all nodes in the cluster. Compartments and rules are specific to a system and do not get carried over when a system fails over.
NOTE: If a standby interface is configured in a compartment, running the setrules command applies this compartment to the standby interface even if it has been successfully switched from a primary interface. If the configured standby interface compartment does not match the primary interface compartment, the primary interface compartment is overwritten when you run setrules. This can cause security violations.
There are no changes made to the Serviceguard scripts to facilitate the use of compartments,
70 Compartments
