When CA Privileged Identity Manager (a.k.a. CA PIM) is installed in a non-global zone on Solaris 11.3,
it does not work correctly.
Problems such as the following occur:
- KBL on gnome-terminal does not work.
- File rule does not work.
In the trace log, file and program paths are shown as the full path seen from the global zone:
> FORK : P=XXXX U=uid G=gid Child=XXXX ACEEH=XX F=XXX Pgm:/zone environment path/usr/bin/bash
> EXEC : P=XXXX U=uid G=gid (D=XXXXX I=XXXX ) Pgm:/zone environment path/usr/bin/touch Attached to: xx.xx.xx.xx
> EXECARGS: 'touch dummy.txt'
> EXEC > Result: 'P' [stage=XXX gstag=XXX ACEEH=XX rv=0(/zone environment path/usr/bin/touch)]
Here, 'touch' should be resolved to '/usr/bin/touch'.
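To check whether a host shows this symptom, a trace file can be scanned for Pgm: paths that still carry the zone's root prefix. The script below is an added example, not CA code; the zone root /zones/z1/root, the sample trace records and the function names are constructed assumptions.

```sh
#!/bin/sh
# Added example (not CA PIM code). Flags trace records whose Pgm: path still
# carries the non-global zone's root prefix as seen from the global zone.
# Needs a POSIX awk; on Solaris set AWK=nawk or AWK=/usr/xpg4/bin/awk.
AWK=${AWK:-awk}

# Constructed sample records in the format of the excerpt above.
# /zones/z1/root is an assumed zone root, not a value from the article.
sample_trace() {
    cat <<'EOF'
FORK : P=1201 U=100 G=10 Child=1202 ACEEH=12 F=000 Pgm:/zones/z1/root/usr/bin/bash
EXEC : P=1202 U=100 G=10 (D=00001 I=0002 ) Pgm:/zones/z1/root/usr/bin/touch Attached to: 192.0.2.10
EXECARGS: 'touch dummy.txt'
EXEC : P=1300 U=0 G=0 (D=00001 I=0003 ) Pgm:/usr/bin/ls Attached to: 192.0.2.10
EOF
}

# usage: find_unresolved_pgm ZONE_ROOT < tracefile
# Prints "EVENT seen-path -> expected-path" for each affected record.
find_unresolved_pgm() {
    zone_root=${1%/}                      # tolerate a trailing slash
    if [ -z "$zone_root" ]; then
        echo "usage: find_unresolved_pgm ZONE_ROOT < tracefile" >&2
        return 2
    fi
    "$AWK" -v root="$zone_root" '
    {
        i = index($0, "Pgm:")
        if (i == 0) next                  # EXECARGS and result lines have no Pgm:
        path = substr($0, i + 4)
        j = index(path, " Attached to:")  # drop the trailing Attached to: field
        if (j > 0) path = substr(path, 1, j - 1)
        # Affected when the path begins with the zone root plus "/".
        if (index(path, root "/") == 1)
            printf "%s %s -> %s\n", $1, path, substr(path, length(root) + 1)
    }'
}

sample_trace | find_unresolved_pgm /zones/z1/root
```

Any line it prints is a record where a rule written against the in-zone path (the right-hand side) would not match the path CA PIM actually saw.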
This is caused by a change to an OS data structure in the latest release.
As a result, CA PIM cannot get the correct information.
The problem is fixed by the following test fixes:
T47D098 - SPARC
T47D099 - x64
Apply this fix in the global zone, because the kernel module in a non-global zone is shared from the global zone.
Please contact CA Support to get this test fix.
If you are in a Japanese environment, change the script as follows so that command output is in English before the CA PIM kernel module is loaded.
/opt/CA/AccessControl/lbin/getvar.sh:
line 530: PATH=/bin:/usr/bin:/usr/local/bin:/usr/sbin/
# Add the following line
LANG=C