I am trying to work out how security for the automount of zFS file systems works. I wrote some rules but still get violations.

Document ID : KB000011388
Last Modified Date : 14/02/2018
Question:

I am trying to work out how security for the automount of zFS file systems works.  I wrote some rules but still get violations.

*ACF99913 ACF2 VIOLATION-08,05,ZFS,E1ARA0,OMVS.VE1AR10.SOS.ETDSI.ZFS,N/A 
 IEF196I ACF99913 ACF2 VIOLATION-08,05,ZFS,E1ARA0, 
 IEF196I OMVS.VE1AR10.SOS.ETDSI.ZFS,N/A 
 ACF95913 -AMS/CATALOG FUNCTION SUPPRESSED; AUTHORIZATION IS REQUIRED. 
 IEF196I ACF95913 -AMS/CATALOG FUNCTION SUPPRESSED; AUTHORIZATION IS 
 IEF196I REQUIRED. 
 IOEZ00336I OMVS.VE1AR10.SOS.ETDSI.ZFS could not be marked as a zFS 
 aggregate in the catalog, rc=56 rsn=36 
 BPXF013I FILE SYSTEM OMVS.VE1AR10.SOS.ETDSI.ZFS 826  WAS SUCCESSFULLY MOUNTED. 

Answer:

When a zFS aggregate is allocated and mounted, the only validation that takes place for the zFS server itself is at the IOEAGFMT format and registration step, that is, the catalog call that marks the data set as a zFS aggregate. The ACF99913 violation above is that catalog step being denied for the ZFS address space against the data set OMVS.VE1AR10.SOS.ETDSI.ZFS; note that the BPXF013I message that follows shows the file system was still mounted. At first sight this looks like a security exposure, but it is not. A user is validated when the user actually accesses the zFS file system, and that access drives a check against the FSACCESS resource class. If the user does not have access to the FSACCESS resource (granted via $TYPE(FSA) resource rules), the ck_access callable service, which checks a user's access to a z/OS UNIX file system, prevents the access. IBM describes the IOEZ00336I message shown in the log as follows: "After successfully attaching, or formatting a zFS aggregate, a call to the MVS™ catalog service marks AggrName as a zFS aggregate. This operation failed. The return and reason codes are from the MVS catalog service. This failure itself does not prevent the aggregate from being attached or formatted correctly." The rc=56 rsn=36 in the message are therefore catalog return and reason codes, not ACF2 ones.

This FSACCESS check is not made for an HFS. Normal data set access validation controls an HFS.
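As an added example (not part of this article, and not CA or IBM code), the following Python script turns the reasoning above into detection logic: it parses the console messages quoted in the question, groups them by zFS data set name, and reports whether an ACF99913 violation is the expected catalog-marking denial on an otherwise successful mount or something that needs follow-up. The sample syslog text is constructed from the messages in the question; the IEF196I lines are the JES job-log echo of the same hardcopy messages and are skipped. The interpretation of the comma-separated ACF99913 fields (return code, reason, job, logonid, data set, volume) is an assumption drawn from the sample line, not taken from the ACF2 message documentation.

```python
"""Correlate ACF2 zFS catalog-marking violations with the mount outcome."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, reassembled from the console messages quoted in the question.
# The leading '*' on the first line is the console highlight flag; the IEF196I
# lines are the JES job-log echo of the same hardcopy messages.
SAMPLE_SYSLOG = """\
*ACF99913 ACF2 VIOLATION-08,05,ZFS,E1ARA0,OMVS.VE1AR10.SOS.ETDSI.ZFS,N/A
IEF196I ACF99913 ACF2 VIOLATION-08,05,ZFS,E1ARA0,
IEF196I OMVS.VE1AR10.SOS.ETDSI.ZFS,N/A
ACF95913 -AMS/CATALOG FUNCTION SUPPRESSED; AUTHORIZATION IS REQUIRED.
IEF196I ACF95913 -AMS/CATALOG FUNCTION SUPPRESSED; AUTHORIZATION IS
IEF196I REQUIRED.
IOEZ00336I OMVS.VE1AR10.SOS.ETDSI.ZFS could not be marked as a zFS aggregate in the catalog, rc=56 rsn=36
BPXF013I FILE SYSTEM OMVS.VE1AR10.SOS.ETDSI.ZFS 826 WAS SUCCESSFULLY MOUNTED.
"""

# Field layout after "VIOLATION-" is assumed from the sample line:
# rc, reason, job name, logonid, data set name, volume.
ACF_VIOLATION = re.compile(
    r"^ACF99913 ACF2 VIOLATION-(?P<rc>\d+),(?P<rsn>\d+),(?P<job>[^,]+),"
    r"(?P<logonid>[^,]+),(?P<dsn>[^,]+),(?P<vol>\S+)"
)
# IOEZ00336I: the catalog call that marks the data set as a zFS aggregate failed;
# rc/rsn are MVS catalog codes, and the aggregate is still usable.
CATALOG_MARK_FAILED = re.compile(
    r"^IOEZ00336I (?P<dsn>\S+) could not be marked as a zFS aggregate "
    r"in the catalog, rc=(?P<rc>\d+) rsn=(?P<rsn>\d+)"
)
# BPXF013I: the optional number before WAS is the syslog message sequence number.
MOUNTED = re.compile(
    r"^BPXF013I FILE SYSTEM (?P<dsn>\S+)(?: \d+)? WAS SUCCESSFULLY MOUNTED"
)


@dataclass
class AggregateEvents:
    dsn: str
    acf2_violations: List[dict] = field(default_factory=list)
    catalog_mark_failure: Optional[dict] = None
    mounted: bool = False

    def verdict(self) -> str:
        # Violation + IOEZ00336I + successful mount is the pattern the article
        # explains: only the catalog-marking step was denied; user access to the
        # file system is still gated by the FSACCESS ($TYPE(FSA)) rules.
        if self.mounted and self.catalog_mark_failure and self.acf2_violations:
            return ("BENIGN: catalog-mark step denied for job "
                    f"{self.acf2_violations[0]['job']}; file system mounted; "
                    "user access still gated by FSACCESS")
        if self.mounted and not self.acf2_violations:
            return "OK: mounted without violations"
        if self.acf2_violations and not self.mounted:
            return "INVESTIGATE: ACF2 violation and no successful mount seen"
        return "INFO: incomplete event set for this aggregate"


def parse_syslog(text: str) -> Dict[str, AggregateEvents]:
    """Group the three message types by zFS data set name."""
    events: Dict[str, AggregateEvents] = {}

    def get(dsn: str) -> AggregateEvents:
        return events.setdefault(dsn, AggregateEvents(dsn))

    for raw in text.splitlines():
        line = raw.strip().lstrip("*").strip()  # drop console highlight flag
        if not line or line.startswith("IEF196I"):
            continue  # job-log echo; the hardcopy copy was already processed
        if m := ACF_VIOLATION.match(line):
            get(m["dsn"]).acf2_violations.append(m.groupdict())
        elif m := CATALOG_MARK_FAILED.match(line):
            get(m["dsn"]).catalog_mark_failure = {
                "rc": int(m["rc"]), "rsn": int(m["rsn"])}
        elif m := MOUNTED.match(line):
            get(m["dsn"]).mounted = True
    return events


def assess(text: str) -> Dict[str, str]:
    """Return a verdict string per zFS data set name found in the syslog text."""
    return {dsn: ev.verdict() for dsn, ev in parse_syslog(text).items()}


if __name__ == "__main__":
    for dsn, verdict in assess(SAMPLE_SYSLOG).items():
        print(f"{dsn}: {verdict}")
```

The verdict deliberately keys on all three messages together: an ACF99913 against the ZFS job with no matching BPXF013I is flagged for investigation, because the article's "not an exposure" reasoning only holds when the denial was the catalog-marking step and the mount itself went through.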