In my version of the VM:Secure Reference, only GROUP, LOGON BY, VM:Tape and VM:Schedule actions are documented as being rejected if NORULE REJECT is in effect. LINK is not mentioned. It looks like CLOSED isn't so closed, after all.
Of course, all bets are off if you really did change to NURULE REJECT :-) Regards, Richard Schuh ________________________________ From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Hughes, Jim Sent: Friday, November 20, 2009 8:29 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Z/VM 5.4 and VM:Secure running a CLOSED security system We are moving towards running VM:Secure with RULES enabled as a CLOSED security system. Our testing isn't going as well as we hoped. We have had RULES enabled for many years with NORULE ACCEPT in effect. We changed to NURULE REJECT and some funny things are happening. Anyone can issue any CP command with success. For instance, if I am on a general class G user without the OPTION LNKNOPASS directory statement, I can issue LINK MAINT 123 1 RR with success. MAINT's 123 disk does not have ALL as the password. In fact, it doesn't have any passwords at all. >From the same user, if I use VMSECURE QRULES JHUG LINK MAINT 123, VM:Secure >tells me the LINK would be rejected via NORULE DEFAULT. Would someone help us figure out what we've missed?? Thanks in advance. Here are the lines from the console. link maint 123 1 rr DASD 0001 LINKED R/O; R/W BY VMSECURE ; R/O BY 4 USERS Ready; T=0.01/0.01 11:24:15 vmsecure qrules jhug link maint 123 VMXACQ0223I Rejected via NORULE default ____________________ Jim Hughes 603-271-5586 "It is fun to do the impossible."