File Access does not work in a non-global zone on Solaris 11.3

Document ID : KB000008863
Last Modified Date : 14/02/2018
Issue:

When CA Privileged Identity Manager (a.k.a. CA PIM) is installed into a non-global zone on Solaris 11.3, it does not work correctly.

For example, the following problems occur:

- KBL on gnome-terminal does not work.

- File rules do not work.

 

In the trace log, file and program paths are shown as their full paths in the global zone.

 

> FORK    : P=XXXX  U=uid  G=gid   Child=XXXX  ACEEH=XX    F=XXX Pgm:/zone environment path/usr/bin/bash

> EXEC    : P=XXXX  U=uid  G=gid   (D=XXXXX  I=XXXX  ) Pgm:/zone environment path/usr/bin/touch Attached to: xx.xx.xx.xx

> EXECARGS: 'touch dummy.txt' 

> EXEC    > Result: 'P' [stage=XXX gstag=XXX ACEEH=XX   rv=0(/zone environment path/usr/bin/touch)]

 

'touch' should be resolved to '/usr/bin/touch'
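
A way to check a trace for this symptom, as an added example (not CA's code): it lists every `Pgm:` path that begins with a non-global zone's root directory, next to the path as it should appear inside the zone. The function names, the "zonename zoneroot" input format, the zone root `/zones/z1/root` and the sample trace values are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag trace-log program paths that carry a zone-root prefix.
# Uses POSIX awk features (index, sub); on Solaris that means nawk or
# /usr/xpg4/bin/awk rather than the legacy /usr/bin/awk.

# find_zone_prefixed_paths ZONES_FILE TRACE_FILE
#   ZONES_FILE: one "zonename zoneroot" pair per line (hypothetical format;
#               assumption: zoneroot is the zonepath from `zoneadm list -cp`
#               with "/root" appended)
#   Prints: zonename <TAB> path as logged <TAB> path as seen inside the zone
find_zone_prefixed_paths() {
    awk '
        BEGIN { OFS = "\t" }
        FILENAME == ARGV[1] { if (NF == 2) root[$1] = $2; next }
        {
            i = index($0, "Pgm:")
            if (i == 0) next                      # EXECARGS / Result lines
            path = substr($0, i + 4)
            sub(/ Attached to:.*$/, "", path)     # EXEC lines carry a suffix
            sub(/[ \t\r]+$/, "", path)
            for (z in root) {
                r = root[z]
                # Match on a whole path component, not a bare string prefix
                if (substr(path, 1, length(r) + 1) == r "/")
                    print z, path, substr(path, length(r) + 1)
            }
        }
    ' "$1" "$2"
}

# demo: run the check over constructed sample data (all values are made up)
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'z1 /zones/z1/root' > "$d/zones"
    cat > "$d/trace" <<'EOF'
FORK    : P=1201  U=100  G=10   Child=1202  ACEEH=12    F=000 Pgm:/zones/z1/root/usr/bin/bash
EXEC    : P=1202  U=100  G=10   (D=00001  I=0042  ) Pgm:/zones/z1/root/usr/bin/touch Attached to: 192.0.2.10
EXECARGS: 'touch dummy.txt'
EXEC    : P=1300  U=0  G=0   (D=00001  I=0099  ) Pgm:/usr/bin/ls Attached to: 192.0.2.10
EOF
    find_zone_prefixed_paths "$d/zones" "$d/trace"
    rm -rf "$d"
}

demo
```

Any line it prints is a path that a rule written for the zone-relative name (such as `/usr/bin/touch`) will not match as logged.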

Environment:
Prod: CA Privileged Identity Manager r12.8 SP1 for Endpoint

OS: Solaris 11.3 SPARC and x64

Please check the detailed version with the following command:

    # pkg info entire
    Name: entire
    ...
    State: Installed
    Publisher: solaris
    Version: 0.5.11 (Oracle Solaris 11.3.21.5.0)
    Build Release: 5.11
    Branch: 0.175.3.21.0.5.0
    ...

Cause:

This is caused by a change to an OS data structure in the latest release.

As a result, CA PIM cannot get the correct information.

Resolution:

The problem is fixed by the following test fixes.

 T47D098 - SPARC 
 T47D099 - x64

Apply this fix in the global zone, because the kernel module used in a non-global zone is shared from the global zone.

Please contact CA Support to get this test fix.

 

Additional Information:

If you are in a Japanese environment, change the script as follows so that command output is in English before the CA PIM kernel module is loaded.

 

/opt/CA/AccessControl/lbin/getvar.sh:

line 530:  PATH=/bin:/usr/bin:/usr/local/bin:/usr/sbin/

# Add the following line

 

LANG=C