APAR status
Closed as canceled.
Error description
Please review APAR OW44655, which introduced enhanced program control support. The support is available at OS/390 R8 and above. The enhanced support works with OEM security products only if they support the new SAF callable service IRRENS00.

Environment dirty is normally caused by the sticky or the program controlled extended attribute not being set for a module loaded from the HFS, or by failing to load a module from a controlled MVS library, when the BPX.DAEMON facility is active.

The program controlled extended attribute is ignored for executables residing in HFS filesystems mounted with the nosetuid or ignore-setuid option. The second page of the ISHELL, File_systems, Mount Table, Attributes panel will show if the ignore-setuid attribute is on (1=on).

MVS libraries are controlled by defining profiles to the RACF PROGRAM class. You can define the program class using the RACF RDEFINE commands. If the PROGRAM class is already active, profiles can be added or altered using RALTER. After OS/390 R4 or with OW24881 installed a volser need not be specified on the RDEFINE / RALTER:

  RDEFINE PROGRAM * ADDMEM ('SYS1.LINKLIB'//NOPADCHK) UACC(READ)
  RALTER PROGRAM * ADDMEM ('CEE.SCEERUN'//NOPADCHK) UACC(READ)
  RALTER PROGRAM * ADDMEM ('SYS1.SEZALINK'//NOPADCHK) UACC(READ)

A specific volser or '******' also may be specified:

  RALTER PROGRAM * ADDMEM ('CEE.SCEERUN'/'******'/NOPADCHK) UACC(READ)
  RALTER PROGRAM * ADDMEM ('CEE.SCEERUN'/123456/NOPADCHK) UACC(READ)

Datasets for profiles defined with '******' as volsers must reside on the IPL volume if there are multiple sysres volumes. Otherwise '******' indicates the current sysres volume.

Changes made to the program class must be refreshed in storage with command:

  SETROPTS WHEN(PROGRAM) REFRESH

To display the profiles in the RACF program class use:

  RLIST PROGRAM * all

The slip below will produce trace records whenever an HFS module is loaded.
If the program control extended attribute is not set for a module loaded from the HFS, then that module will be the cause of the setting of the dirty bit. If the slip is set correctly and no records are produced, then the dirty bit is likely being set by the security product. See RACF APAR II08176 or contact OEM security for additional diagnostics. See "Note" under step 2 below, too.

To determine if the HFS version of the module is causing Environment dirty, follow these steps:
---------------------------------------------------------------
1. Run an AMBLIST of BPXINLPA to get the offsets of BPXPRLOD and BPXPRECP.

2. Start GTF using Jobname prompting and a Jobname wildcard.

   Note: In most cases Jobname prompting captures the data needed. However, when the trace data shows NO DATA - you may then want to run it again WITHOUT Jobname prompting and a Jobname wildcard (but be aware that this *will* result in checking being performed for *all* HFS loads across *all* environments).
---------------------------------------------------------------
  s gtf.gtf
  r xx,trace=slip,jobnamep
  r xx,jobname=job*
  r xx,end
  r xx,u

Or, per "Note" in step 2:

  s gtf.gtf
  r xx,trace=slip
  r xx,end
  r xx,u
--------------------------------------------------------------
3. Set slip to catch setting of TCBNCTL in BPXPRECP & BPXPRLOD. xxxx, yyyy, zzz, and www are determined below depending on the level of the modules. The smallest of xxxx and yyyy is placed in position1. The other is placed in position2. The slip must be set before starting the daemon. TCBNCTL is set as the daemon executables are loaded on startup.
--------------------------------------------------------------
  slip set,if,a=trace,
  l=(bpxinlpa,position1,position2),trdata=(std,regs,
  GRr?+zzz?,+7,GRr?+zzz?,+F,GRr?+zzz?,+17,GRr?+zzz?,+1f,
  GRr?+zzz?,+27,GRr?+zzz?,+2F,GRr?+zzz?,+37,
  13r?+www?,+7,13r?+www?,+F,13r?+www?,+17,13r?+www?,+1f,
  13r?+www?,+27,13r?+www?,+2F,13r?+www?,+37),end

  (GR = 13 unless otherwise stated)
--------------------------------------------------------------
4. Set slip to ignore the intermediate instruction range in BPXINLPA. Add 1 to the value in position1 and subtract 1 from the value in position2.
---------------------------------------------------------------
  slip set,if,a=ignore,l=(bpxinlpa,position1 +1,position2 -1),end
===============================================================
Module offsets by release. Additional release levels will be documented as needed. Contact OpenEdition Level 2 support.
---------------------------------------------------------------
Where xxxx is the offset of BPXPRLOD within BPXINLPA plus the offset noted below in the middle column:
---------------------------------------------------
BPXPRLOD   xxxx  zzz  GR (GR=13 unless otherwise noted)
---------------------------------------------------
HOM1130:
  BASE     096A  9BC
  UW20427  096A  9BC
  UW22904  0952  9BC
  UW31085  0962  9BC
  UW33197  0962  9BC
  UW37004  0962  9BC
  UW40861  0962  9BC
  UW42129  0962  9BC
HOM1140:
  BASE     095A  9BC
  UW31086  096A  9BC
  UW31315  09CE  9BC
  UW33198  09CE  9BC
  UW40862  09CE  9BC
  UW42130  09CE  9BC
HBB6603:
  BASE     09CE  9C4
  UW40860  09CE  9BC
  UW42128  09CE  9BC
  UW42861  0A2E  9BC
  UW44424  0A2E  9BC
  UW45424  0A2E  9BC
HBB6604:
  BASE     0A54  9CC
  UW40863  0A54  9CC
  UW42131  0A54  9CC
  UW42862  0AB4  9CC
  UW44426  0AB4  9CC
  UW44477  0A84  9CC
  UW45426  0A84  9CC
HBB6605:
  BASE     0AFA  A64
  UW44476  0ACA  A5C
  UW49279  0ACA  A5C
  UW51851  0AD2  A5C
  UW53340  0AD2  A5C
HBB6606:
  BASE     0A6C  A94
  UW51852  0A74  A94
  UW53341  0A74  A94
  UW60608  0A7C  A94
  UW64401  0A84  A94
JBB6607:
  BASE     0A74  A94
  UW53342  0A74  A94
  UW60610  0A74  A94
  UW62103  0A74  A94
  UW64403  0A84  A94
  UW70442  0A84  A94
  UW71338  0A84  A94
HBB6608:
  BASE     0ABC  A94
  UW60609  0AC4  A94
  UW64402  0ACC  A94
  UW71336  0ACC  A94
  UW70440  0ACC  A94
  UW74956  0BE4  66D  GR = 4
JBB6609
  UW64404  0D3A  C04
  UW67407  0D3A  C04
  UW74958  0E52  7DD  GR = 4
  UW76973  0E52  7DD  GR = 4
HBB7703:
  BASE     0DCA  7AD  GR = 4
  UW70441  0DCA  7AD  GR = 4
  UW71337  0DCA  7BD  GR = 4
  UW74957  0E16  7C5  GR = 4
  UW76972  0E16  7C5  GR = 4
  UW81105  0E16  7C5  GR = 4
HBB707
  UW96005  1384  C3D  GR = 4
===================================================
BPXPRECP   yyyy  www
---------------------------------------------------
Where yyyy is the offset of BPXPRECP within BPXINLPA plus the offset noted below in the middle column:
---------------------------------------------------
HOM1120:
  UW10117  0CD8  18C
  UW31174  0CD8  18C
HOM1130:
  BASE     0E3A  198
  UW20427  0FDA  198
  UW27688  0FDA  198
  UW30664  102A  198
  UW31175  102A  198
  UW33844  115A  198
  UW37004  115A  198
HOM1140:
  BASE     1018  198
  UW30665  1068  198
  UW31176  1068  198
  UW31368  1040  198
  UW33845  1174  198
  UW36927  11A0  198
  UW46065  1216  198
HBB6603:
  BASE     111E  198
  UW33843  1246  198
  UW34960  125A  198
  UW36926  128E  198
  UW38319  127E  198
  UW41243  127E  198
  UW42861  1356  1C8
  UW44964  138E  1C8
  UW46063  1404  1C8
  UW46905  141C  1C8
  UW48369  1442  1C8
  UW49989  145C  1C8
JBB6604:
  BASE     12B0  198
  UW38320  12B0  198
  UW39438  12F0  198
  UW41244  12F0  198
  UW42862  13C8  1C8
  UW43065  13CA  1D0
  UW44966  140A  1D0
  UW46066  1480  1D0
  UW46909  1498  1D0
  UW48372  14BE  1D0
  UW49992  14D8  1D0
  UW59761  14D0  1D0
HBB6605:
  BASE     1412  218
  UW44965  1492  210
  UW46064  1508  210
  UW46906  1520  210
  UW48370  1546  210
  UW49279  155E  210
  UW49990  1578  210
  UW53340  15B0  210
  UW54287  1630  218
  UW56448  16AA  210
  UW59758  16AA  210
HBB6606:
  BASE     1538  210
  UW48371  155E  210
  UW49991  1578  210
  UW53341  15B0  210
  UW54288  1630  210
  UW56449  16AA  210
  UW59759  16AA  210
  UW60608  16B2  210
  UW64401  16BA  210
JBB6607:
  BASE     1668  210
  UW53342  16A8  210
  UW54289  172E  210
  UW56450  179E  210
  UW59762  179E  210
  UW60610  17A6  210
  UW62103  1BA6  214
  UW63768  1BA6  214
  UW64403  1BAE  214
  UW75362  1BBA  214
HBB6608
  BASE     1A52  210
  UW59760  1A52  210
  UW60609  1A5A  210
  UW62102  1C0E  214
  UW63767  1C0E  214
  UW64402  1C16  214
  UW71593  1C1A  214
  UW74956  1CC0  230
JBB6609
  UW64404  1C5A  214
  UW74958  1D06  230
  UW75363  1D12  230
HBB7703:
  BASE     1C40  22C
  UW71594  1C44  22C
  UW74957  1C8E  230
  UW75361  1C9A  230
===============================================================
Trace records will build the pathname of the uncontrolled HFS module, 8 characters at a time. Building the pathname 8 characters at a time is necessary because the variable length storage for the pathname structure is obtained at the time of the load. If GTF is requested to trace a data area that runs into unallocated storage, it will return 0 bytes in the trace record. We therefore cannot attempt to trace a maximum length pathname in a single trace record because we run the risk of having nothing returned when storage for the pathname structure is of a length less than the assumed maximum. We know that storage is obtained a doubleword at a time so we can increase the length of the trace record by eight bytes until we reach the assumed maximum length of x'38' characters. If any of the later trace records try to access unallocated storage and get zeroed out by GTF, the earlier trace records will already have captured the pathname.

JRENVDIRTY 090C02AF REASON 02AF 157 ERRNO=157

Examples:

Problem encountered with RLOGIN. Users could not log on. Reason JRENVDIRTY

Problem resolved as follows: The problem was with the "program control" bit of /usr/sbin/rlogind. This bit was off and caused the program to turn up dirty. Using ISHELL or extattr +p to turn
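
The arithmetic of steps 3 and 4 above, as an added example that is not part of the APAR or of any IBM tooling: it computes position1 and position2 and fills in the two SLIP templates. The function names are hypothetical and the AMBLIST offsets used in the demo are constructed; the table values are the HBB6608 UW74956 rows from this APAR.

```python
# Added example: fill in the SLIP templates from steps 3 and 4 of this APAR.
# Function names are hypothetical; the command text mirrors the templates above.

# Trace lengths from the template: 8-byte steps up to the assumed x'38' maximum.
LENGTHS = ["+7", "+F", "+17", "+1f", "+27", "+2F", "+37"]


def trdata_fields(reg, disp):
    """Indirect-address operands (reg)r?+(disp)? for every traced length."""
    return [f"{reg}r?+{disp}?,{length}" for length in LENGTHS]


def build_slips(prlod_off, precp_off, xxxx, zzz, yyyy, www, gr=13):
    """Return (trace_slip, ignore_slip).

    prlod_off / precp_off: offsets of BPXPRLOD / BPXPRECP within BPXINLPA,
    taken from the AMBLIST output (step 1). xxxx, zzz, gr and yyyy, www come
    from the release/PTF tables. All numeric arguments are hex strings.
    """
    a = int(prlod_off, 16) + int(xxxx, 16)
    b = int(precp_off, 16) + int(yyyy, 16)
    pos1, pos2 = min(a, b), max(a, b)      # smaller value goes in position1
    if pos2 - pos1 < 2:
        raise ValueError("no intermediate range to ignore; check the offsets")
    fields = trdata_fields(gr, zzz) + trdata_fields(13, www)
    trace = (f"slip set,if,a=trace,l=(bpxinlpa,{pos1:X},{pos2:X}),"
             f"trdata=(std,regs,{','.join(fields)}),end")
    ignore = f"slip set,if,a=ignore,l=(bpxinlpa,{pos1 + 1:X},{pos2 - 1:X}),end"
    return trace, ignore


if __name__ == "__main__":
    # Table values: HBB6608 with UW74956 (BPXPRLOD 0BE4/66D, GR = 4;
    # BPXPRECP 1CC0/230). The AMBLIST offsets 12000 and 2A000 are constructed.
    for cmd in build_slips("12000", "2A000", "0BE4", "66D", "1CC0", "230", gr=4):
        print(cmd)
```
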
Local fix
Problem summary
Problem conclusion
Temporary fix
Comments
Closing for searchability.
APAR Information
APAR number
II10548
Reported component name
V2 LIB INFO ITE
Reported component ID
INFOV2LIB
Reported release
001
Status
CLOSED CAN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
1997-06-03
Closed date
1999-02-26
Last modified date
2023-04-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
26 April 2023