IBM Support

Tivoli Access Manager for Operating Systems 6.0.0-TIV-PDO-FP0030

Abstract

This fix pack contains fixes for TAMOS software.

Download Description

Consult the readme file, 6.0.0-TIV-PDO-FP0030.README for complete instructions and information.

Problems fixed by patch 6.0.0-TIV-PDO-FP0030

APAR IV00271
Symptom: Sluggish behavior of the system. The log file msg__kosserrs.log
contains a large number of "lost contact with PDOSD" and
"still can not contact PDOSD" messages. The sluggish behavior
results from timeouts associated with waiting for the daemon PDOSD
to respond to TAMOS kernel extension messages and authorization
requests.

APAR IV02010
Symptom: On a busy system UNIX commands such as ls, whoami, or pwd fail
to execute. In one case the UNIX commands continue to
fail until TAMOS shutdown occurs. In the second case the UNIX
commands execute after a period of time, but UNIX command
failures recur.

APAR IV03275
Symptom: Sudo command alias not recognized. Multiple users issuing
the same pdossudo command alias repeatedly can result in
the following error:

AOSUT0921E The command alias <sudo-command-alias> is not a
recognized Sudo command.

APAR IV03850
Symptom: The /opt/pdos/sbin/cert_test.sh script fails when encountering
industry standard CA certs included in GSKIT 7.0.4.x.

Problems fixed by patch 6.0.0-TIV-PDO-FP0028

APAR IZ96037
Symptom: System hang. Analysis of system dump shows all TAMOS
lookup threads missing.

APAR IZ97796
Symptom: Add support for SLES 10.3 PPC (2.6.16.60-0.54.5)

APAR IZ97907
Symptom: System halt because a program tried to free already freed or
redzone xmalloc memory. System dump analysis shows the failing stack:

makeFidChain+00012C ()
pal_pathFidsFromDirVnh+000058 ()
kenv_envBuildPathFids+0000C0 ()
checkResPath+00018C ()
kazn_kpcFileCheckResource+000218 ()
kazn_kpcCheckResource+000098 ()
kazn_accessAllowed_6_5+000284 ()
csc_open+000104 ()
nct_openCommon+0001A0 ()
nct_open+0000C0 ()
.svc_instr+000110 ()

APAR IZ98641
Symptom: RHEL 4.5 only. TAMOS fails to start.

APAR IV00001
Symptom: RHEL 4.x or SLES 8.x. TAMOS kernel extension fails to load with
the following error message:

AOSSR0142E Tivoli Access Manager for Operating Systems kernel driver
load fail.

Analysis of /var/log/messages shows the following unknown symbol
message:

kernel: kail: Unknown symbol getnstimeofday

Problems fixed by patch 6.0.0-TIV-PDO-IF0027

APAR IZ90450
Symptom: System hang due to deadlock.
Locking stack:

slock()
.simple_lock()
procLockForTwoPids()
kenv_procAdd()
aix_procHandler()
prochcall()
fork_common()
kforkx()
kfork()

Multiple locked stacks:

slock()
.simple_lock()
kenv_procPurgeStale2()
kenv_procAdd()
aix_procHandler()
prochcall()

APAR IZ93238
Symptom: Linux. Manual unloading of the TAMOS kernel modules (rmmod)
leaves the system in an unstable state.

APAR IZ93239
Symptom: Linux. "Blocked for more than 120 seconds" messages appear in the
syslogd output file. Message example follows:

kernel: INFO: task ALU:2866 blocked for more than 120 seconds.
kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kernel: ALU D ffff81000a376420 0 2866 1 2867 2865 (L-TLB)
kernel: ffff810070f83cf0 0000000000000046 0000000000000002 0000000000000000
kernel: 0000000000000000 000000000000000a ffff81007fe28040 ffffffff80309b60
kernel: 000000feb5cb3e06 000000000000237f ffff81007fe28228 0000000000000002
kernel: Call Trace:
kernel: :kail:kail_cond_wait+0x8f/0xd0
kernel: default_wake_function+0x0/0xe
kernel: default_wake_function+0x0/0xe
kernel: :kaznmod:kpcf_asyncLUThread+0x24b/0x530
kernel: switch_uid+0x5f/0x71
kernel: daemonize+0x2fa/0x304
kernel: :kaznmod:kpcf_asyncLUThread+0x0/0x530
kernel: :kaznmod:kthread_create_wrapper+0x35/0x50
kernel: :kaznmod:kpcf_asyncLUThread+0x0/0x530
kernel: child_rip+0xa/0x11
kernel: :kaznmod:kpcf_asyncLUThread+0x0/0x530
kernel: :kaznmod:kthread_create_wrapper+0x0/0x50
kernel: child_rip+0x0/0x11

Problems fixed by patch 6.0.0-TIV-PDO-FP0026

APAR IZ78429
Symptom: Solaris Only. During fixpack removal the hard links to kaznmod
and kantli are not removed.

APAR IZ92270
Symptom: Add support for
SLES 10.3 (2.6.16.60-0.54.5) X86_32
SLES 10.3 (2.6.16.60-0.54.5) X86_32-bigsmp

APAR IZ92271
Symptom: Add support for AIX 7.1 on Power 7

Problems fixed by patch 6.0.0-TIV-PDO-IF0024

APAR IZ74937
Symptom: AIX only. Secure Shell daemon (sshd) failed to restart after
starting TAMOS.

APAR IZ77327
Symptom: HP-UX only. TAMOS kernel threads (kossd) experience CPU execution
starvation. The result is system performance degradation and potential
system panic.

APAR IZ77898
Symptom: TAMOS shared memory detachment process taking too long due to
checkpoint-status logging occurring during the shared memory
detachment process.

APAR IZ84187
Symptom: Add support for RHEL 5.4 (2.6.18-164) X86_64

APAR IZ84202
Symptom: Add support for RHEL 5.5 (2.6.18-194) X86_64

APAR IZ84374
Symptom: Segmentation fault occurs in sprintf running policyview.
Stack trace from policyview core shows:

sprintf()
main()

APAR IZ84921
Symptom: Red Hat only. System crash caused by an NMI interrupt. Analysis
of system dump shows the following stack:

crash_kexec()
die_nmi()
nmi_watchdog_tick()
default_do_nmi()
do_nmi()
nmi()
.text.lock.spinlock()
kail_iclock_lock()
procSearch()
kenv_procDeleteX()
kail_sec_task_free_security()

APAR IZ85366
Symptom: Segmentation fault in pdosd. Analysis of core shows the following
stack trace:

objsig_record_hash()
objsig_db_hash_bucket()
objsig_db_hash_get_version()
objsig_db_get_state()
tcb_queue_element_inspect()
tcb_monitor_thread()

Problems fixed by patch 6.0.0-TIV-PDO-FP0023

APAR IZ56218
Symptom: An object with a restrictive policy contains a POP with
audit_permit_actions(rw) and audit_deny_actions(rwx). The audit
record is not created because audit_permit_actions does not
include the x permission while audit_deny_actions does contain
the x permission.

APAR IZ60154
Symptom: The Accessor Name (AN) audit record field is missing from a failed
login attempt when global auditing is set to one of the following values:

none
trace_exec
trace_exec_l
trace_exec_root
trace_file
info

APAR IZ65323
Symptom: The implementation of the code which determines the name of a
GID uses the getgrgid_r() subroutine. The code can loop
multiple times before determination of the group name occurs,
causing the pdosd daemon to slow down. The system response
time can be affected by this occurrence and appear unresponsive
(hung).

APAR IZ66833
Symptom: AIX. The Login Location (LL) audit record field contains an extra
character when failed login occurs on system running CDE without
graphical boot.

APAR IZ67130
Symptom: AIX. A non-root user cannot start or stop TAMOS using rc.osseal on
a system running AIX 5.3 Technology Level 9.

APAR IZ74159
Symptom: When an immune application, TCB/Immune-Programs/<path/application>,
starts another immune application, the second immune application
is not treated as an immune application.

Problems fixed by patch 6.0.0-TIV-PDO-FP0022

APAR IZ44066
Symptom: Terminating TAMOS on a heavily loaded system or termination
of a heavily loaded application can cause system performance to
degrade.

APAR IZ45107
Symptom: HPUX. System hang due to the kossd process entering an infinite loop
because the EINTR signal is ignored. The following stack trace is
present in the system dump:

kazndrv:kpcFileThread+0x308
kazndrv:kazn_kpcfRunAsync+0x24
kazndrv:kutil_kconfig+0xe4
kazndrv:kosseal_syscall+0x124
kazndrv:kazndrv_SysCall+0x34
coerce_scall_args+0xdc
syscall+0x544
syscallinit+0x55c

APAR IZ47425
Symptom: The rc.osseal script does not start TAMOS if an active running
process contains the characters "pdosd".

APAR IZ48147
Symptom: A large number of the following messages appear in
msg__kosserrs.log:

debug msg: pal_aix64_shmdt AIX 0
debug msg: (20392) decSharedUseCount !W! 38BD0000:Local? 1
shm 0 != (400:7000000) use: 0:1024(1) last: 1:T224

The volume of errors overloads the message buffer, which affects
performance.

APAR IZ48159
Symptom: Solaris. The rc.kosseal script, which is called by rc.osseal,
attempts to restart ssh. On Solaris 10, Solaris Secure Shell
(solaris' version of openssh) is started using the svcadm
command. The rc.kosseal script now determines if ssh is defined
as a service or if ssh is using /etc/init.d/sshd. If rc.kosseal
is unable to restart ssh then a message is displayed reminding
the user to manually restart ssh.

APAR IZ48167
Symptom: Solaris. System panic may occur after pdosd is shut down or
restarted. Panics are due to invalid anon_map memory
structures related to TAMOS shared memory and encountered
by several segvn operations in applications that use the
vfork() system call.

APAR IZ51004
Symptom: Linux. The Linux kernel contains a thread_info data structure
which is located at the end of the 4 KB stack page. A code path
can cause a "stack overflow" when the data structure is overwritten.
The result is a system panic.

APAR IZ51229
Symptom: pdoslrd core; analysis shows the following stack:

CPL_KeyValList::GetEntry ()
CPL_KeyValListS::SetEntryValue()
MFLR_FormatRec2FldList::formatSudoInfo()
MFLR_FormatRec2FldList::Format ()

APAR IZ51451
Symptom: Invalid extended attributes now logged in msg__pdosd.log

APAR IZ51748
Symptom: Solaris. Manually unloading the TAMOS kernel modules
(modunload) leaves the system in an unstable state.

APAR IZ53568
Symptom: Audit log records in /var/pdos/tec/tec.log contain empty
or null values instead of "N/A".

APAR IZ54492
Symptom: AIX. If login policy is not active and the user stanza "pwdchecks ="
is not defined, then running the command "pdoscfg -login_policy off"
causes the removal of the stanza "SYSTEM = "compat"" in
/etc/security/user.

APAR IZ54493
Symptom: AIX. Script pdosucfg_local not returning the stanza "SYSTEM ="
back to its original state in /etc/security/user.

APAR IZ54610
Symptom: Red Hat 4 Update 7 through Red Hat 5 Update 2 login policy does not
work.

APAR IZ54617 (CMVC Defect 91185)
Symptom: Add support for RHEL5 Update 2 (2.6.18-92) x86_64

APAR IZ54620 (CMVC Defect 89394)
Symptom: Only one login session allowed from source system to target system
when Login-Maxconcurrent set to 1.

APAR IZ54621 (CMVC Defect 90717)
Symptom: A large number of messages in msg__kosserrors.log of the format
49ef23cf 0x340b400a: debug msg: (14190) decSharedUseCount
!I! 2E0 600010bc080: shm FFFFFFFF7F500C00:7F500000 !=
(FFFFFFFF7F500000:C00) use: 1:1 last: 14190

APAR IZ54625 (CMVC Defect 91186)
Symptom: Add support for RHEL5 Update 2 (2.6.18-92) x86 (32bit)

APAR IZ54627 (CMVC Defect 91699)
Symptom: Kill permission not enforced on 32 bit version of RHEL5 Update2.

APAR IZ54833
Symptom: On AIX 6.1 an additional log file /var/pdos/log/knlist.log is
being generated. The addition of this log file can cause
permission problems when a non-root user logs on to the system.

APAR IZ55222 (CMVC Defect 91766)
Symptom: Add support for SLES 9 Service Pack 4 (2.6.507.308)
32bit nonSMP and SMP versions
64bit nonSMP and SMP versions

APAR IZ55233 (CMVC Defect 91768)
Symptom: Add support for SLES 10 Service Pack 1 (2.6.16.46-0.12)
32bit nonSMP and SMP versions
64bit nonSMP and SMP versions

APAR IZ55236 (CMVC Defect 97767)
Symptom: Add support for RHEL5 Update 3 (2.6.18-128) x86_64

APAR IZ55241 (CMVC Defect 91765)
Symptom: Add support for RHEL5 Update 1 (2.6.18-53) (32bit)

APAR IZ57928
Symptom: Red Hat. The system becomes unresponsive or crashes
whenever the root VFSMOUNT cannot be found. This is caused by an
"assert()" if the vfsmount root is NULL. The stack trace shows
the assert() occurring within find_vfsmount() from within one of
the TAMOS kail_sec_inode_xxx LSM routines.

APAR IZ58249
Symptom: The following error message is logged to msg__pdosd.log:
pdosd ERROR oms mp authz_internal.c 455 0x00001415 AOSMS0905E
Unable to send Surrogate message response.
Error status is 0x35972116: AOSMS0278E
Bad transaction ID (pd / oms).
Message statistics: queue len 8, queued time 0 secs,
credential acquisition time 0 secs,
processing time 336 secs.


Problems fixed by patch 6.0.0-TIV-PDO-FP0019

APAR IZ36595
Documentation: By default on some Solaris installations, rsh logins
are intercepted during the authorization phase by PAM using the
following definition in the /etc/pam.conf file:

"rsh auth sufficient pam_rhosts"

When TAMOS login policy is configured, the TAMOS
authorization module definition is placed into the
/etc/pam.conf after the "rsh auth sufficient pam_rhosts" line.

The Solaris "man pam.conf" states: If the service
module return success and no preceding required modules
returned failures, immediately return success without
calling any subsequent modules.

The subsequent TAMOS authorization module is ignored because
the rsh authorization module succeeded. The administrator MUST
hand edit /etc/pam.conf and change "sufficient" to "required".

Read "man pam.conf" for more information. Generically, any
authorization module defined in /etc/pam.conf that is set as
sufficient will exhibit this behavior. If the TAMOS module is
defined after the sufficient module, TAMOS authorization is
bypassed.

Define the rsh authorization module in /etc/pam.conf as

"rsh auth required pam_rhosts"

Documented in technotes #1367176
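As an added check, not part of this fix pack or of the TAMOS product, the following Python script parses a Solaris-style pam.conf, flags any "sufficient" module that precedes the TAMOS module in the same service/type stack (the bypass described above), and applies the "required" rewrite the note prescribes. The TAMOS PAM module name (pam_tamos_placeholder) and the sample file contents are constructed assumptions, since the page does not give the module name.

```python
from dataclasses import dataclass

# Constructed sample of a Solaris-style /etc/pam.conf fragment (not a real system
# file). "pam_tamos_placeholder" stands in for the TAMOS PAM module, whose real
# name is not given on this page.
SAMPLE_PAM_CONF = """\
# constructed sample
rlogin  auth required   pam_unix
rsh     auth sufficient pam_rhosts
rsh     auth required   pam_tamos_placeholder
other   auth required   pam_unix
"""

TAMOS_MODULE = "pam_tamos_placeholder"  # assumed name, see comment above


@dataclass
class PamEntry:
    service: str
    module_type: str
    control: str
    module: str
    lineno: int


def parse_pam_conf(text):
    """Parse 'service type control module [options]' lines, skipping blanks and comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry; nothing useful to evaluate
        entries.append(PamEntry(fields[0], fields[1], fields[2].lower(), fields[3], lineno))
    return entries


def sufficient_before(entries, service, module_type, target):
    """Modules marked 'sufficient' that sit before `target` in the same
    service/type stack. Success in any of them returns to the caller before
    `target` runs, which is the bypass the readme describes for rsh auth."""
    preceding = []
    for e in entries:
        if (e.service, e.module_type) != (service, module_type):
            continue
        if e.module == target:
            return preceding
        if e.control == "sufficient":
            preceding.append(e.module)
    return []  # target not configured in this stack; nothing to report


def harden_control(text, service, module_type, module, new_control="required"):
    """Rewrite the control flag of one entry, keeping comments and other lines intact."""
    out = []
    for raw in text.splitlines():
        code, sep, comment = raw.partition("#")
        fields = code.split()
        if len(fields) >= 4 and fields[:2] == [service, module_type] and fields[3] == module:
            fields[2] = new_control  # e.g. "rsh auth required pam_rhosts"
            raw = " ".join(fields) + (" " + sep + comment if sep else "")
        out.append(raw)
    return "\n".join(out) + "\n"


def audit(text, tamos_module=TAMOS_MODULE):
    """Return {(service, type): [bypassing modules]} for every stack containing TAMOS."""
    entries = parse_pam_conf(text)
    stacks = {(e.service, e.module_type) for e in entries if e.module == tamos_module}
    report = {}
    for service, module_type in sorted(stacks):
        found = sufficient_before(entries, service, module_type, tamos_module)
        if found:
            report[(service, module_type)] = found
    return report


if __name__ == "__main__":
    print("before:", audit(SAMPLE_PAM_CONF))
    fixed = harden_control(SAMPLE_PAM_CONF, "rsh", "auth", "pam_rhosts")
    print("after: ", audit(fixed))
```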

APAR IZ39355
Symptom: Solaris 10. The problem occurs due to automated resource
handling associated with a TCB object. This situation can result
in a system panic. The following stack trace will be found in
the messages file after the panic:

unix:die+78 ()
unix:trap+9d4 ()
unix:ktl0+48 ()
genunix:kmem_alloc+28 ()
kazndrv:_init+18930 ()
kazndrv:_init+190e4 ()
kazndrv:_init+1a484 ()
kazndrv:_init+1b414 ()
kazndrv:_init+1b6d0 ()
kazndrv:_init+1beec ()
kazndrv:_init+151e0 ()
kazndrv:_init+14b84 ()
kazndrv:_init+b8bc ()
kazndrv:_init+d3e8 ()
kazndrv:_init+5900 ()

APAR IZ39447
Symptom: Solaris 10 may panic when TAMOS attempts to use the Solaris
procedure ufs_setattr(). TAMOS is not properly filling
a data structure for this procedure, and a bug in the error
handling code of this Solaris procedure can cause a panic.
This fix prevents the Solaris error handling code from being
executed. Correction of the Solaris error handling code itself is
accomplished by installing the Solaris fix, Bug ID: 64655060.

APAR IZ40017
Symptom: AIX. When Login-MaxpasswordDays policy is set, warning mode
is on, and a user logs in with an expired password, the user is
still prompted to change their password.

APAR IZ40185
Symptom: Solaris. System panic occurs; panic string: BAD TRAP: type=31
rp=..... addr=8 mmu_fsr=0 occurred in module "kazndrv" due
to a NULL pointer dereference.

Stack trace:
<trap>kazndrv:pal_sun_unmap_segment+0x1c()
kazndrv:kenv_procVFShmat+0x1bc()
kazndrv:kenv_procShmat+0x2e8()
kazndrv:kenv_procGetPathMem+0x68()
kazndrv:nct_copyPath+0x4c()
kazndrv:nct_processPath+0x188()
kazndrv:nct_openCommon+0xf4()
kazndrv:c_open+0x168()
kazndrv:nct_open32+0xa0()

APAR IZ40445
Symptom: The LSM routine "security_task_free()" is called
from 2 different environments:
1) From the scheduler
2) From within kill-task related system calls.

The TAMOS kernel driver is registered as a Security Module;
TAMOS replaces SELinux as the registered Security Module.
All LSM routines are TAMOS kernel routines, not SELinux kernel routines.

In this problem, the Linux kernel LSM routine,
security_task_free(), calls through the LSM jump table entry,
"task_free_security", which is a function pointer to the
TAMOS LSM kernel routine kail_sec_task_free_security().

The TAMOS LSM kill task routine, kail_sec_task_free_security(),
can be called from the Linux scheduler. The Linux scheduler is a more
restrictive environment than the LSM system call environment.

The TAMOS kernel routine, kail_sec_task_free_security(), cannot
perform any semaphore locking when called from within the Linux
scheduler environment.

The scenario that causes the problem requires the following
to occur at the same time within a multithreaded process.

1) The process is being terminated while thread 1 is in the
middle of a system call such as "mount".

2) Thread 2 is in the middle of another system call that
requires the TAMOS kernel process structure for the
process to be locked.

3) Due to the task termination, thread 1 eventually calls the
following while thread 2 still has the TAMOS process
structure locked:

schedule()-> put_task_struct()->security_task_free()
-> kail_sec_task_free_security()->pal_mutex_lock()

Because thread 2 holds the TAMOS process structure lock, the
down() routine is called by kail_sec_task_free_security() in
thread 1, which in turn calls schedule() to wait for the process
structure mutex to be released.

When kail_sec_task_free_security() is called by the LSM
system from within the kill-task system calls there are no
problems. Since the kail_sec_task_free_security routine is
also called from within the scheduler, the routine can no longer
clean internal process information directly.

APAR IZ41673
Symptom: AIX. Unconfiguring login policy the SYSTEM= line is written
containing an additional space. Example: SYSTEM=" compat"

APAR IZ42720
Symptom: AIX. Logins fail when login policy active and kernel
extensions not loaded.

APAR IZ43680
Symptom: Unexpected behavior (including system panics) may occur
when another product intercepts any of the fork system calls.

APAR IZ44113
Symptom: AIX 5.3. A system core occurs when starting 6.0.0 on Power 6
hardware. Resulting stack trace:
.simple_lock_try()
pal_mutex_held+000014 ()
doSymLinkX+0002D0 ()
refreshFileResX+000568 ()
kazn_kpcFileAddResource+000304 ()
kazn_kpcAddResource+000054 ()
resourceNotify+0003A0 ()
kazn_syscall+000154 ()
kosseal_syscall+000148 ()
kazn_aixSyscall32+000068 ()

APAR IZ49937 (CMVC Defect 86244)
Symptom: AIX. cfgkazn() does not detect whether TAMOS is loaded because
the knlist() function fails. This results in the following
messages when "rc.osseal start" is run:

Loading Tivoli Access Manager for Operating Systems
kernel driver
Failure from kosseal setting checksum, status 40002.

APAR IZ49957 (CMVC Defect 89287)
Symptom: Add support for RHEL4 U7 (2.6.9-78) x86

APAR IZ49961 (CMVC Defect 89594)
Symptom: Add support for RHEL5 U1 x86_64 (2.6.18-53)

Problems fixed by patch 6.0.0-TIV-PDO-FP0017

APAR IZ15958
Symptom: DB2 Version 6 application calling open() returns EFAULT
when accessing /home/idsinst2/sqllib/.ftok.

APAR IZ19351
Symptom: The hanetselect process of Sun's Cluster Safelink
experiences a memory leak. Analysis shows execve()
failed with EFAULT during the memory leak.

APAR IZ20738
Symptom: When configuring lpm on AIX (pdoscfg -login_policy on)
and the SYSTEM= line is not specified in the default:
stanza in the /etc/security/user file before configuring,
pdoscfg -login_policy on inserts a blank SYSTEM= line.

APAR IZ23251
Symptom: Compressed backup audit.log files are being tagged with
v3700.

APAR IZ24436
Symptom: When using a remote user registry, such as LDAP, pdoscfg
fails configuration. An AOSCF1345E error in
/var/pdos/log/msg__pdoscfg.log shows that group osseal cannot
be found.

APAR IZ35469
Symptom: The pdosd daemon may crash when loading policy that includes
policy objects with an ACL template with file references in it.
Crashes depend on the order the policy is loaded.

APAR IZ36554
Symptom: Linux only. Once the TAMOS kernel modules are loaded and a program
is executed, the file system containing the program can no longer
be unmounted.

APAR IZ37533
Symptom: Solaris only. System may kernel panic when a parent process is
started before TAMOS starts and shared memory segments are leaked.
Occasionally a mutex unlock is attempted for the parent process data
structure when it does not exist. Analysis of the system crash files
show kenv_procShmat() as the cause of the kernel panic.

CMVC Defect 82895
Symptom: When configuring into a non-default TAM domain and the
once-only policy has already been run in the default TAM
domain, the TAMOS users are imported into the non-default
domain. During this process pdoscfg logs messages indicating
this has successfully occurred. These messages can be garbled.

CMVC Defect 83571
Symptom: System can hang while trying to kill processes/tasks that contain child processes.

CMVC Defect 85603
Symptom: Linux kernels 2.6.x can hang due to a page-fault crash when
trace_exec auditing is enabled, such as with:

pdosctl -a trace_exec:on

Stack trace shows that the problem is in a TAMOS kernel
auditing support routine, "kail_copy_exec_argv":

#6 [cd51bbd4] do_page_fault at c011b258
#7 [cd51bcb4] error_code (via page_fault) at c02d69d9
#8 [cd51bcf0] kail_copy_exec_argv at f8bb7c79
#9 [cd51bd08] pal_expandExecArgsMach at f8c1b28d
#10 [cd51bd1c] pal_expandExecArgs at f8c1b197
#11 [cd51bd24] buildTraceFileSRN at f8c1dd69
#12 [cd51bd68] kaud_auditTraceEvent at f8c1e32b
#13 [cd51bdc8] kazn_accessAllowed at f8c1e985

Problems fixed by patch 6.0.0-TIV-PDO-FP0013

APAR IZ06605
Symptom: pdosaudview -F concise target SRN (ARS field) prints over multiple
lines.

APAR IZ15908
Symptom: When reconfiguring TAMOS after ldap's ssl certificate has been
changed, pdoscfg (-registry_ssl_cacert or -ldap_ssl_cacert)
command does not update the kdb file resulting in the following
pdosd log error when restarting TAMOS.

2008-02-26-19:42:53.865+00:00I----- 0x16B480C9 pdosd ERROR rgy ira
ira_handle.c 776 0x00000001 HPDRG0201E Error code 0x74 was
received from the LDAP server. Error text: "Failed to connect to ssl
server.".
2008-02-26-19:42:53.866+00:00I----- 0x35A53082 pdosd ERROR osd pdosd
cas_int.c 3558 0x00000001 AOSSD0130E Authorization API failure:
[00000001:14c0130c] HPDMG0780E The SSL handshake failed when
connecting to the LDAP server.

APAR IZ17511
Symptom: The PDOSD daemon cores due to exceeding the process limit size.

APAR IZ19021
Symptom: A TAMOS daemon can hang when one of the TAMOS daemons, such as
PDOSD, is manually terminated using the "kill" command. This hang
can occur if the process termination occurs while the TAMOS kernel
code is in the middle of an I/O read function or a cond_wait type
function and it returns with an errno of EINTR.

APAR IZ19024
Symptom: Group ownership of pam.conf changes unexpectedly while running
pdoscfg -login_policy on/off.

APAR IZ20916
Symptom: Sysroute of APAR IZ11437. PDOSD hangs after attempting to restart
TAMOS: using rc.osseal stop then rc.osseal start

APAR IZ22110
Symptom: PDOSD not terminating.

APAR IZ22281
Symptom: AIX only. System can hang while trying to kill processes/tasks using
the process group ID. This hang can only occur if there are several
processes running which are being terminated at the same time using
the process group ID.

APAR IZ22320
Symptom: PDOSD not terminating: "rc.osseal stop" reports that PDOSD did not
terminate within 180 seconds, and PDOSD will not terminate using
the "kill -9" command.

CMVC Defect 81353
Symptom: HPUX and Linux only. After system reboot mknod error messages
may be seen.

CMVC Defect 83179
Symptom: HPUX, Linux, Solaris only. ssh based logins (ssh, sftp, scp, etc.)
that use authkey authentication will be denied login because the
PAM authorization phase does not run. The log file
msg__pdoslpmd.log contains "No failure record was found for login
by <username>" errors. See section 9.4 Secure Shell (SSH)
Authentication Key Usage for details.

CMVC Defect 83544
Symptom: HPUX and Solaris only. Startup scripts altered to not load TAMOS
STREAMS module after system reboot. See section 9.5 Do Not Load
TAMOS STREAMS module.

CMVC Defect 83823
Symptom: PDOSD can erroneously set or reset ISOLATION mode without
performing an LDAP request to verify connectivity. This wrong
ISOLATION mode state will only last for at most a few minutes.

Problems fixed by patch 6.0.0-TIV-PDO-FP0012

APAR IZ03897
Symptom: HPUX, Solaris and AIX: During high network utilization, the
STREAMS system would cause the system to appear sluggish, and/or
core dumps would show panics within STREAMS code or
ncttli_service() due to an invalid control block (CBP) managed
by TAMOS. The control block became invalid when an associated
close was allowed to complete, and free the CBP, before the
ncttli_service() routine was finished with the CBP. On Solaris
and AIX, the result is poor performance followed by a possible
system crash. On HPUX, the result is poor performance.

APAR IZ09423
Symptom: After a period of time a system can hang. Heavily loaded systems
with many CPUs are most vulnerable. On analysis of a forced dump
from the hung system, many processes will be blocked in the TAMOS
kazndrv kernel module. They will be waiting for a free shared memory
slot used to communicate with pdosd. They will be waiting on the
freeCond kenv_memState condition variable and will be blocked even
though there is a single free shared memory slot.

APAR IZ09626
Symptom: Unexpected shmdt() error in 64bit application running on AIX using
32bit kernel. The error indicated the shared memory segment is
already detached. When the first shmdt() is made by a 64bit
application TAMOS traps the shmdt and detaches TAMOS' shared memory
segment. aix_shmat() is called but only the lower 32bit address is
passed back to the OS. The overwritten upper 32bits remain.

APAR IZ13940
Symptom: Move command (mv) hangs system if both files are protected by
ACLs. Similarly passwd command hangs system if /etc/passwd
and temp file used by passwd are protected by ACLs.

CMVC Defect 81702
Symptom: File descriptor leak. File descriptors remain open on HP-UX.

CMVC Defect 81748
Symptom: TAMOS STREAMS routine ncttli_close() hangs indefinitely. Core
dump will show ncttli_close() is waiting in pal_hp_cond_wait().

CMVC Defect 82250
Symptom: Kernel drivers fail to load on HP-UX and Solaris. System logs
report undefined symbol "pal_aix64_shmdt".

CMVC Defect 82662
Symptom: Killing the "mv command" can cause a hang when both the source
and destination file are protected by policy.

Problems fixed by patch 6.0.0-TIV-PDO-FP0010

APAR IZ06356
Symptom: pdoscfg fails configuration when gskit 7.0.4.11 is installed.
PD.RTE shipped with TAM 6.0.0-TIV-TAM-FP0009 requires installation
of gskit 7.0.4.11. pdoscfg uses gsk7icmd to verify the certificate
lifetime. The pdoscfg command calls /opt/pdos/sbin/cert_test.sh.
cert_test.sh calls gsk7icmd. The output format for gsk7icmd has
changed. pdoscfg now checks for the old and new output format of
gsk7icmd.

APAR IZ06531
Symptom: SuSE Linux on s390x 64-bit only. When the TAMOS kernel driver is
initializing on an s390x system with more than 2GB of memory, the
kernel driver will not load or will generate a segmentation fault
core.

APAR IZ07737
Symptom: System crash in kpcFileEpochNotify.

The following stack is from AIX. On other platforms (Solaris,
HPUX), the stack will look similar, but not the same. Look for
kpcFileEpochNotify() calling kt_Event3(). The stack will look
similar to the following:

strlen+000024 ()
kt_AppendRecord+000100
kt_Event3+000028
kazn_kpcFileEpochNotify+000108
kazn_kpcCommitPolicyEpoch+000074
kazn_syscall+0003B0
kosseal_syscall+000110
kazn_aixSyscall32+000068
.svc_instr+000110

APAR IZ07926
Symptom: The pdosd daemon produced a core file. A segmentation fault
occurred in the wc_net_protocol_free() function.

Using a core debug program, such as dbx on AIX, the error stack will
look similar to the following:
wc_net_protocol_free()
wc_net_outgoing_protocol_free_nolock()
wildcard_add_net_outgoing()
process_net_entry()
sendto_kpcapi()
kpcmgrOnUpdate()

APAR IZ11246 (CMVC defect 79674)
Symptom: TAMOS 6.0 support for AIX 6.1

TAMOS 6.0, with fixpack 6.0.0-TIV-PDO-FP0010 and above, supports
AIX 6.1 with limitations. TAMOS is not supported on AIX 6.1
systems using Workspace Partitions (WPARs).

APAR IZ11255 (CMVC defect 79730)
Symptom: cert_test.sh will fail in some instances: when using active
directory or when ldap ssl is configured on a non-default port
(not 636). The cert_test.sh script can receive added options for
the ldapsearch command using one of the following methods:
- Define an LDAPARGS shell variable (e.g. export LDAPARGS="-p 1234")
or
- Define a file /opt/pdos/etc/.cert_test_args which has shell
variable assignment to LDAPARGS. The .cert_test_args file will
be sourced into the cert_test.sh.

If the LDAPARGS variable is a defined shell variable, the
.cert_test_args file is ignored.

Problems fixed by patch 6.0.0-TIV-PDO-FP0009

APAR IY97890
Symptom: HPUX only. When starting TAMOS, the TAMOS kernel driver loads if not
previously loaded. TAMOS creates the /dev/kazndrv device and takes
the major number from the loading of the kernel module. TAMOS was
then stopped and HP kernel updates were applied. When the machine
is rebooted, the /dev/kazndrv device still exists with the original
major number, but a different module is now assigned to the major
number that kazndrv previously used. The TAMOS PAM module attempts
to access /dev/kazndrv, which is pointing to the wrong major number.
This situation may cause a system crash.

APAR IY99408
Symptom: AIX only. The pdoslpmd daemon leaks file descriptors when an
unknown/undefined user attempts to login (e.g. a user mistypes a
username, or a user tries to guess a username). This problem
occurs only if TAMOS auditing is turned on.

Eventually, pdoslpmd may stop operating due to too many files open.
Messages similar to the following will be written to the
msg__pdoslpmd.log file:

2007-05-02-22:16:47.141+00:00I----- 0x35A6268C pdoslpmd ERROR oss db
file_lock.c 131 0x00000809 AOSSS1676E Could not open the lock file
/var/pdos/umsg/pdosd_ctrl.lock: Too many open files: 24

APAR IY99814
Symptom: Two Policy definitions are setup on the same executable. One in
the TCB, another in File policy. The File policy contains a
wildcard. Although a restrictive ACL is attached to the object
defining File policy, the action is permitted.

example:
pdadmin> object create \
/OSSEAL/branch/TCB/Secure-Programs/usr/bin/test-su "" 1 i yes
pdadmin> object create \
/OSSEAL/branch/File/usr/*/test-su "" 1 i yes
pdadmin> acl create deny-user
pdadmin> acl modify deny-user set user testusr1 T[OSSEAL]lr
pdadmin> acl modify deny-user set any-other T[OSSEAL]lrx
pdadmin> acl attach /OSSEAL/branch/File/usr/*/test-su deny-user

CMVC Defect 76842
Symptom: Added support for SLES9 U.S. Daylight Savings Time 2007 Date
Change (2.6.5-7.282 kernel). See support list in section 1.2 of
this README.

CMVC Defect 77558
Symptom: Added support for RHEL4 Update 5 (2.6.9-5 kernel). See support
list in section 1.2 of this README.

Problems fixed by patch 6.0.0-TIV-PDO-FP0007

APAR IY93386
Symptom: The pdosd daemon created a core file during replication of
the policy database.
Analysis of the core file shows the following stack:

Segmentation fault in wc_net_service_free at 0x1006488c ($t41)
0x1006488c (wc_net_service_free+0x98) 90040004 stw r0,0x4(r4)

APAR IY94497
Symptom: HPUX 11.23 (11iv2) only. The HPUX kernel cannot be rebuilt if
TAMOS kernel has been loaded.

APAR IY95481
Symptom: Solaris only. Processes may hang on Solaris in a socket close, with
a stack (from the kernel debugger) similar to the following:

genunix:cv_timedwait+0x98
kazndrv:pal_condTimedWait+0x74
kazntli:ncttli_close+0x88
genunix:qdetach+0x90
genunix:strclose+0x3c8
sockfs:sock_close+0xf8
genunix:closef+0x58
genunix:closeandsetf+0x384
genunix:close+0x8
kazndrv:nct_close32+0x34
unix:syscall_trap32+0xa8

APAR IY96647
Symptom: Slow performance with a large number of similar messages
in the output of the kossdump.sh script or the kazntrace utility:

"Requester (18) one of 95 waiters for none, 36 waits".

Truss on slowly running processes will show numerous open() function
calls.

Problems fixed by patch 6.0.0-TIV-PDO-FP0006

APAR IY90153
Symptom: Solaris only. Automounted directories can be mounted from the
same thread. When such an automounted directory starts to mount,
it can hang.

APAR IY90284
Documentation: Solaris only. This fixpack's README corrects the TAMOS
6.0 Release notes Solaris prerequisites list.

APAR IY90381
Symptom: System crash with stack similar to the following:

Stack from AIX:
CPU 0 CSA F0000000303A7780 at time of crash, error code for
LEDs: 700

pvthread+046500 STACK:
kazn51.ext:pal_unpinMem+000020
kazn51.ext:kenv_pathMemFini+00041C
kazn51.ext:kazn_syscall+000A28
kazn51.ext:kosseal_syscall+000110
kazn51.ext:kazn_aixSyscall32+000068
.svc_instr+0000FC

Multiple copies of pdosd were running concurrently. One copy of
pdosd was dumping core. Due to a disk problem, pdosd was
terminating abnormally and being restarted by the watchdog
repetitively. Memory that was still pinned had been freed by another
thread that called kazn_pathMemFini. A lock has been added to ensure
that only one pdosd process can initialize and destroy the path
memory at one time.

This APAR was found on AIX. The problem could occur on other
platforms.

APAR IY92281
Symptom: The sigsend system call returns error 11 (EPERM) if AMOS
kernel drivers are loaded and AMOS is not running.

APAR IY92719 (Sysroute of IY76317)
Symptom: The pdoslradm command does not process all audit records in
batch mode when the completion action is set to delete. This problem
occurs when pdoslradm -b is executed frequently.

APAR IY92748
Symptom: HPUX only. When using ssh, file descriptors remain open for
TAMOS created files called /var/pdos/lpm/<processID>, where
<processID> is the PID. For example: /var/pdos/lpm/48576.

APAR IY92750
Symptom: HPUX only. When a network file system mount takes a long time
to respond, the kossd daemon can become defunct.

APAR IY93558
Symptom: AIX only. The native file permissions of the /etc/security/user
file change after TAMOS is unconfigured and reconfigured.

Problems fixed by patch 6.0.0-TIV-PDO-FP0005

APAR IY92583
Symptom: Audit tracing for a user still occurs after the AuditTrace object
for this user has been deleted, for example with:
"object delete /OSSEAL/<branchName>/AuditTrace/User/<userName>/all"

APAR IY93441 (CMVC defect 74696)
Symptom: HPUX only. System crash due to recursive call. Occurs when a 64
bit application detaches a shared memory segment using the shmdt
system call. The stack output looks similar to the following:

panic+0x8c
_mp_b_sema_sleep+0x1bc
_b_sema_adaptive_wait+0x20
b_sema_adaptive_wait+0x20
procSearch+0x70
kenv_procCheckShmat+0x34
nct_shmdt32+0x9c
pal_shmdt+0x3c
kenv_procCheckShmat+0x90
nct_shmdt32+0x9c
syscall+0x544
syscallinit+0x55c

Problems fixed by patch 6.0.0-TIV-PDO-FP0003

APAR IY85237
Symptom: Some applications may fail to start when TAMOS is running. There
will be errors in the /var/pdos/log/msg__kosserrs.log referencing
nct_copyPath and aix_shmat failures.

APAR IY87811
Symptom: Applications may fail to attach shared memory segments and/or
system calls may fail with an error of EFAULT. The problem was
reproduced running the db2ldif command on a system running TAM
server, DB2, IDS Server (LDAP) and TAMOS. Other applications may
exhibit the same behavior.

APAR IY88727
Symptom: With TAMOS login policy enabled on AIX 5.3 ML4 with IY80049, or on
AIX 5.3 ML, the system will not allow users to log in. The fix is to
add "options=authonly" to the PDOS stanzas in the methods.cfg file.

APAR IY89673
Symptom: Solaris only. Application hangs in the TAMOS kernel streams
module, with a stack similar to the following:

genunix:cv_wait+0x38
kazntli:ncttli_close+0x70
genunix:qdetach+0x90
genunix:strclose+0x3c8
sockfs:sock_close+0xf8
genunix:closef+0x58
genunix:closeandsetf+0x384
genunix:close+0x8
kazndrv:nct_close32+0x34
unix:syscall_trap32+0xa8

APAR IY89743
Symptom: HPUX Only. The TAMOS daemons (pdosd, pdoslpmd, pdosauditd) can
dump core due to interaction with the LDAP-UX Client. The problem was
caused by an LDAP-UX defect (fixed in v4). The TAMOS daemons did
not define enough stack space when using the UNIX getpw*/getgr*
functions. A workaround is to allow a larger stack size. Because
larger stacks mean more memory consumption, this fix is not enabled
by default.

Contact TAMOS L2 support for instructions about how to enable a larger
process stack size for HPUX.

APAR IY89939
Symptom: HPUX only. Some programs will not run while TAMOS is running. The
affected programs can be determined with the chatr command.

# chatr <filename>
look for the following lines:
third quadrant private data space enabled
fourth quadrant private data space disabled

If chatr displays the above output, the program is affected and
this APAR will address the problem.

If the fourth quadrant private data space is enabled the program
will not execute if TAMOS is running, even with this APAR applied.
To make the program work properly with TAMOS running, either
1) make the program immune in the TCB
or
2) modify the program with the chatr command:

# chatr +q4p disable filename

Note that changing the program with chatr will change the amount
of memory available to the program.
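The chatr check above can be turned into an inventory of every program under a directory, so the programs that need "chatr +q4p disable" or an Immune-Programs entry are found before TAMOS is started. The script below is an added example written for this page, not code from the IBM README or the product; it assumes chatr(1) prints the two quadrant lines exactly as quoted above, and the sample chatr text embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not part of the IBM README): classify HP-UX executables by the
# chatr quadrant flags that IY89939 describes. The chatr output format is assumed
# from the two lines quoted in the README; the sample text below is constructed.

# classify_chatr reads chatr(1) output on stdin and prints one of:
#   fixed-by-apar   third quadrant private data enabled, fourth disabled:
#                   the program is affected and IY89939 fixes it
#   needs-chatr     fourth quadrant private data enabled: the program will not
#                   run under TAMOS even with IY89939; use "chatr +q4p disable"
#                   or make the program immune in the TCB
#   unaffected      neither flag set
classify_chatr() {
    q3=no
    q4=no
    while IFS= read -r line; do
        case "$line" in
            *"third quadrant private data space enabled"*)  q3=yes ;;
            *"fourth quadrant private data space enabled"*) q4=yes ;;
        esac
    done
    if [ "$q4" = yes ]; then
        echo needs-chatr
    elif [ "$q3" = yes ]; then
        echo fixed-by-apar
    else
        echo unaffected
    fi
}

# scan_dir DIR runs chatr over every regular file in DIR and reports only the
# programs that need attention (one "verdict<TAB>path" line each). This part
# is only useful on HP-UX, where chatr exists.
scan_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        verdict=$(chatr "$f" 2>/dev/null | classify_chatr)
        [ "$verdict" = unaffected ] || printf '%s\t%s\n' "$verdict" "$f"
    done
}

# Constructed samples of the two relevant chatr lines, for offline use.
SAMPLE_Q3='         third quadrant private data space enabled
         fourth quadrant private data space disabled'
SAMPLE_Q4='         third quadrant private data space enabled
         fourth quadrant private data space enabled'

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_Q3" | classify_chatr    # fixed-by-apar
printf '%s\n' "$SAMPLE_Q4" | classify_chatr    # needs-chatr
```

On a real host, "scan_dir /usr/local/bin" (or any directory of third-party binaries) lists the programs to fix; anything reported as needs-chatr must be changed with chatr or made immune before it will run with TAMOS active, whatever fix pack level is installed.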

APAR IY90906
Symptom: Solaris only. The system hangs with processes unable to fork,
waiting on a condition variable. If 32-bit calls could fail, the
result is a deadlock in the TAMOS kernel module code.

APAR IY90960
Symptom: The permit_audit_actions and permit_deny_actions extended
attributes are ignored when auditing a defined resource. This
function is discussed in the TAMOS Administrator Guide, Chapter 7,
page 199. The permit_audit_actions and permit_deny_actions do not
work as documented.

Problems fixed by patch 6.0.0-TIV-PDO-FP0001

CMVC Defect 70671
Symptom: Performance enhancement of net output code

CMVC Defect 71194
Symptom: User-level audit loginpermit does not work

CMVC Defect 71514
Symptom: Remove use of strptime() in pdoslrd

CMVC Defect 72086
Symptom: Linux SLES9/RHEL4: umount, mount not forcing file update in cache

APAR IY77779
Symptom: On a system that has a Login-MaxFailedLogin policy defined, when a
user logs in through a login program that reprompts for a password,
the user can enter more incorrect passwords than the MaxFailedLogin
policy allows. It is recommended that a login user exception policy
be written for the user IDs that are used for rapid automated logins,
setting Login-MaxFailedLogin to "0".

APAR IY80870
Symptom: When pdossudo encounters long argument list, 512 arguments
or greater, pdossudo terminates with an error message.

APAR IY83273
Symptom: Solaris only. When transferring large files (over 100MB?)
to a Solaris system, file corruption can occur.

APAR IY84508
Symptom: If policy is defined on a symbolic link and policy is also defined
on the actual file system object, both policies will be evaluated.
Policy on parent objects will also be evaluated in this case. The
actual file system object should be the only policy evaluated.
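The rule IY84508 restores is a general one for any policy engine keyed on file system objects: canonicalize the path first, then evaluate the policy of the real object (and its ancestors), never the policy of the name the caller happened to use. The script below is an added example written for this page, not code from the IBM README or the product. It models a policy table whose object names mirror the file system under /OSSEAL/branch/File, as in the pdadmin examples in this README, and contrasts the pre-fix and post-fix lookups. It assumes a GNU or BusyBox "readlink -f"; the directory, file, link and ACL names are constructed.

```shell
#!/bin/sh
# Added example for IY84508, written for this page (not the IBM README's or the
# product's code). Models a policy table keyed on protected-object names that
# mirror the file system under /OSSEAL/branch/File, and shows why a lookup must
# resolve symbolic links before consulting the table. Assumes GNU/BusyBox
# "readlink -f". All paths, ACL names and files below are constructed.

# setup_demo creates a real file, a symlink to it, and a policy table that
# attaches ACLs to the directory, the file and the link. Sets ROOT and POLICY_TABLE.
setup_demo() {
    ROOT=$(cd "$(mktemp -d)" && pwd -P)     # pwd -P: no symlinks inside ROOT itself
    mkdir -p "$ROOT/secrets"
    : > "$ROOT/secrets/key.pem"
    ln -s "$ROOT/secrets/key.pem" "$ROOT/link-to-key"
    POLICY_TABLE="/OSSEAL/branch/File$ROOT/secrets deny-user
/OSSEAL/branch/File$ROOT/secrets/key.pem secrets-acl
/OSSEAL/branch/File$ROOT/link-to-key link-acl"
}

# nearest_policy PATH prints the ACL attached to PATH, or to its closest
# ancestor that has one (the inherited-policy walk), or "none".
nearest_policy() {
    p=$1
    while [ -n "$p" ]; do
        acl=$(printf '%s\n' "$POLICY_TABLE" |
              awk -v obj="/OSSEAL/branch/File$p" '$1 == obj { print $2 }')
        if [ -n "$acl" ]; then
            echo "$acl"
            return 0
        fi
        p=${p%/*}
    done
    echo none
}

# Pre-fix behaviour described by the APAR: the link's own object (or its
# parents) is evaluated in addition to the real file's object.
evaluate_before_fix() {
    printf '%s %s\n' "$(nearest_policy "$1")" "$(nearest_policy "$(readlink -f "$1")")"
}

# Fixed behaviour: canonicalize first, then evaluate only the real object.
evaluate_after_fix() {
    nearest_policy "$(readlink -f "$1")"
}

# Stand-alone run: show both results for the symlink, then clean up.
setup_demo
echo "before fix: $(evaluate_before_fix "$ROOT/link-to-key")"   # link-acl secrets-acl
echo "after fix:  $(evaluate_after_fix "$ROOT/link-to-key")"    # secrets-acl
rm -rf "$ROOT"
```

The practical consequence for policy authors is the same before and after the fix: attach ACLs to the real object, not to convenience links, because after IY84508 an ACL attached only to a link is never consulted when the link is used.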

APAR IY85751
Symptom: AIX only. Blank lines above usernames containing numbers are
being removed when login policy is configured.

APAR IY87208
Symptom: Linux SLES9/NLD9/RHEL4 only. When doing trace_exec auditing, the
arguments for the file getting executed are not showing up in the
audit record.

APAR IY87809
Symptom: If a program listed under Immune-Programs in the TCB calls an exec
of itself, the resulting program will not be immune.

APAR IY88654
Symptom: When a user defines Access-Restrictions with the Traverse "T"
permission before the [OSSEAL] action group, a memory leak can
occur. The daemon pdosd will continue to grow larger over time.

Prerequisites

TAMOS 6.0.0 (Gold Version)

README: 6.0.0-TIV-PDO-FP0028.README (English), http://www.ibm.com/support/fixcentral

Downloads (31 Aug 2011, English, via http://www.ibm.com/support/fixcentral):
6.0.0-TIV-PDO-AIX-FP0030.tar.Z - AIX
6.0.0-TIV-PDO-HPUX-FP0030.tar.Z - HP-UX
6.0.0-TIV-PDO-Solaris-FP0030.tar.Z - Solaris

Product: Tivoli Access Manager for Operating Systems (SSTFW4), version 6.0
Component: Tivoli Access Mgr for Operating Systems
Platforms: Solaris, AIX, HP-UX
Line of Business: Security Software

Product Synonym

ITAMOS TAMOS PDOS AMOS

Problems (APARS) fixed
IY77779;IY80870;IY83273;IY84508;IY85751;IY87809;IY88654;IY85237;IY87811;IY88727;IY89308;IY89673;IY89743;IY89939;IY90153;IY90284;IY90381;IY90906;IY90960;IY92281;IY92583;IY92719;IY92748;IY92750;IY93441;IY93558;IY93386;IY94497;IY95481;IY96647;IY97890;IY99408;IY99814;IZ03897;IZ06356;IZ06531;IZ06605;IZ07737;IZ07926;IZ09423;IZ09626;IZ11246;IZ11255;IZ13940;IZ15908;IZ15958;IZ17511;IZ19021;IZ19351;IZ20738;IZ20916;IZ22320;IZ22281;IZ22110;IZ23251;IZ24436;IZ35469;IZ36554;IZ37533;IZ36595;IZ39355;IZ39447;IZ40017;IZ40185;IZ40445;IZ41673;IZ42720;IZ43680;IZ44113;IZ49937;IZ49961;IZ44066;IZ45107;IZ47425;IZ48147;IZ48159;IZ48167;IZ51004;IZ51229;IZ51451;IZ51748;IZ53568;IZ54492;IZ54493;IZ54610;IZ54617;IZ54620;IZ54621;IZ54625;IZ54627;IZ54833;IZ55222;IZ55233;IZ55236;IZ55241;IZ57928;IZ58249;IZ56218;IZ60154;IZ65323;IZ66833;IZ67130;IZ68686;IZ74159;IZ74937;IZ77327;IZ77898;IZ84187;IZ84202;IZ84374;IZ84921;IZ85366;IZ8429;IZ92270;IZ92271;IZ90450;IZ93238;IZ93239;IZ96037;IZ97796;IZ97907;IZ98641;IV00001;IV00271;IV02010;IV03275;IV03850

Document Information

Modified date:
15 June 2018

UID

swg24030579