setrules(1m) [hpux man page]

setrules(1M)															      setrules(1M)

NAME
setrules - set compartment rules

SYNOPSIS

DESCRIPTION
setrules takes the current rules files on the system and puts them into effect. Until this command is run, changes to the rules files have no effect on the system. This command can only be used when compartmentalization is enabled (see cmpt_tune(1M)).

Options
setrules recognizes the following option:

Preview the rules. This option parses the rules files, checking for syntax and semantic errors, but makes no changes to the system.

Security Restrictions
The user invoking this command must have one of the following authorizations: A user with authorization can invoke this command from any compartment, while a user with authorization can invoke this command only from those compartments that have read and write access to the directory hierarchy. See authadm(1M).

Notes
If a compartment is tagged for automatic discovery of rules using the keyword, subsequent runs of the command do NOT clear the rules that have already been discovered. This means the rules in effect are inconsistent with the rules currently in the directory. To make them consistent, first run "", and then run, where compartment_name is the name of the compartment that is in discovery mode and file.rules is the rules file containing the rules for this compartment.

RETURN VALUE
setrules returns the following values:

Successful completion. The rules are displayed.

An error occurred. An error can be caused by the following:
o An invalid option.
o The user does not have permission to perform the operation.
o A syntax or semantic error in a rule file.
o Other system errors (for example, insufficient system resources).

EXAMPLES
Example 1: Execute to push the configured rules:

Example 2: Execute to push syntactically incorrectly configured rules:

Sample Output:
    Error: "/etc/cmpt/11.cmpt.1.rules", line 10 # Unexpected token 'web' or rule terminated prematurely
    setrules: Exiting due to parse errors

Example 3: Execute setrules to find any syntactically or semantically incorrectly configured rules:

Sample Output:
    Error: "/etc/cmpt/iface.rules", line 10 # Undefined compartment "ooutside".
    Error: "/etc/cmpt/iface.rules", line 14 # Undefined compartment "cgi".

SEE ALSO
authadm(1M), cmpt_tune(1M), getrules(1M), compartments(4), compartments(5).
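The examples above show that a bad rules file is reported line by line and that the preview option makes no changes. The following wrapper, an added example that is not part of the HP-UX man page, parses those diagnostics into file:line:message records and pushes the rules only when a preview is clean; it assumes the preview option is spelled -p and that diagnostics use the form shown in the sample output.

```sh
#!/bin/sh
# Added example, not part of the HP-UX man page. It gates a rules push on a
# clean preview and turns setrules diagnostics into file:line:message records.
# Assumption: the preview option is -p and diagnostics use the form shown in
# the man page's sample output: Error: "<file>", line <n> # <message>

# Constructed sample of a failed preview, modelled on the man page's Example 3.
SAMPLE_PREVIEW='Error: "/etc/cmpt/iface.rules", line 10 # Undefined compartment "ooutside".
Error: "/etc/cmpt/iface.rules", line 14 # Undefined compartment "cgi".
setrules: Exiting due to parse errors'

# Read preview output on stdin; print one "<file>:<line>:<message>" per error.
# Lines that are not diagnostics (such as the final "Exiting" line) are dropped.
parse_setrules_errors() {
    sed -n 's/^Error: "\([^"]*\)", line \([0-9][0-9]*\) # \(.*\)$/\1:\2:\3/p'
}

# Count diagnostics in preview output on stdin (prints 0 for a clean preview).
count_setrules_errors() {
    parse_setrules_errors | wc -l | tr -d ' '
}

# Preview first, push only when the preview is clean. Returns 0 on success,
# 2 when the preview reported problems (nothing is changed on the system).
safe_setrules() {
    status=0
    out=$(setrules -p 2>&1) || status=$?      # -p is an assumed flag name
    errs=$(printf '%s\n' "$out" | count_setrules_errors)
    if [ "$status" -ne 0 ] || [ "$errs" -ne 0 ]; then
        printf '%s\n' "$out" | parse_setrules_errors >&2
        echo "setrules preview failed with $errs error(s); rules not applied" >&2
        return 2
    fi
    setrules                                  # preview passed: apply the rules
}

# Show what the parser makes of the constructed sample.
printf '%s\n' "$SAMPLE_PREVIEW" | parse_setrules_errors
```

The parsed records are in a form that a change-control job or log collector can consume directly, which is the point of fixing the preview before anything reaches the kernel.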

cmpt_tune(1M)															     cmpt_tune(1M)

NAME
cmpt_tune - query, enable, or disable compartmentalization feature

SYNOPSIS
boot_image] boot_image]

DESCRIPTION
cmpt_tune queries, enables, or disables the compartmentalization feature. Compartmentalization is not a dynamic feature; enabling or disabling it requires a reboot. If you make a change and do not specify the flag, cmpt_tune reports a reboot reminder message. If no options are specified, the option is assumed.

If no compartments have been defined when compartmentalization is enabled, the network interfaces currently installed on the system are assigned to a new compartment and the administrator is given the opportunity to reassign these interfaces (see getrules(1M)).

The system initially boots into a predefined compartment. A process in that compartment can access all objects (that is, all processes, files, IPC objects, etc., are accessible from the compartment). See compartments(5) for more information.

Using the command (see setfilexsec(1M)), an administrator can set specific binaries to start automatically in other compartments; that is, when a process executes the binary, it may find its compartment modified as a side effect. This concept is similar to a setuid binary changing a process's euid.

When the or option is specified without the option, the current running configuration is modified. If or is specified with the option and boot_image does not exist, it is created as though the administrator ran the following command: In any case, boot_image is marked for use on the next boot.

Options
The command recognizes the following options:

Disables compartments.

Enables compartments.

Prints a help message.

Makes changes to or queries the specified boot_image. If this option is not specified, the default boot_image is used. If no other options are specified, the option is assumed.

Queries the current state of compartments.

Queries the state of compartments after the next reboot.

Reboots after making changes. You can only use this option with the or options.

Sets silent mode. Only the exit status is set.

RETURN VALUE
cmpt_tune returns the following values:

When querying, the compartmentalization feature is enabled. When making changes, the changes are successfully applied.

An option processing error occurred.

When querying, the compartmentalization feature is disabled. When making changes with specified, the reboot option is ignored (for example, to allow for editing of compartment configuration files).

When querying, the kernel configuration specified does not exist or has no support for compartmentalization.

WARNINGS
A network interface that is not assigned to any compartment cannot be accessed by any process and effectively cannot be used. Assign at least one network interface to a compartment so that network communications can function.

If the or option is used in conjunction with the option, any prior changes pending to the current configuration are lost.

If the compartments feature is enabled on a kernel configuration that does not reflect the required patch levels (for example, patch PHKL_32798 is missing), the system may not boot properly or may not have network connectivity.

SEE ALSO
authadm(1M), kconfig(1M), getrules(1M), setfilexsec(1M), setrules(1M), compartments(4), compartments(5).