Steps for creating a separate home directory for each security label

Interactive users of z/OS® UNIX System Services that are permitted to log on with more than one security label must have a separate home directory for each security label.

Before you begin

This approach is similar to the approach shown in z/OS Planning for Multilevel Security and the Common Criteria.

Procedure

Perform the following steps to create a separate home directory for each security label:

  1. For each supported security label:
    1. Log on to an administrative user ID with that security label.
    2. Create a directory with the name of that security label under the /u directory.
    3. For each user permitted to that security label, create a home directory under that security label directory.
  2. Create a symbolic link in the /u directory using the special value "$SYSSECR/", perhaps named symsecr as follows:
    ln  -s  '$SYSSECR/'  /u/symsecr
    Tip: When issuing this command from the shell, use single quotation marks around the $SYSSECR/ string so that the shell does not attempt variable substitution before passing it to the ln command. Double quotation marks do not prevent variable substitution.
  3. Define all users' home directories to be '/u/symsecr/user' as follows:
    ALTUSER user OMVS(HOME('/u/symsecr/user'))
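
The following shell functions are an added example, not part of the IBM procedure. They check that the link stores the literal string $SYSSECR/ rather than a value the shell expanded, and that every label/user home directory exists. The label names (SECRET, UNCLASS), the user names, and the temporary tree built by build_sample are constructed sample values.

```shell
#!/bin/sh
# Added example: verify the layout built by the procedure above.
# Real use (assumed label and user lists):
#   check_layout /u symsecr "LABEL1 LABEL2" "user1 user2"

# link_target PATH: print the stored target of a symbolic link, read from
# the POSIX "ls -l" format ("name -> target").
link_target() {
    ls -ld "$1" | sed 's/.* -> //'
}

# check_layout BASE LINK "LABELS" "USERS": return 0 only if BASE/LINK is a
# symbolic link whose target is the literal string $SYSSECR/ and every
# BASE/<label>/<user> directory exists. Problems are reported on stderr.
check_layout() {
    base=$1 link=$2 labels=$3 users=$4 rc=0
    if [ ! -L "$base/$link" ]; then
        echo "$base/$link is not a symbolic link" >&2; rc=1
    elif [ "$(link_target "$base/$link")" != '$SYSSECR/' ]; then
        echo "$base/$link -> $(link_target "$base/$link"), expected \$SYSSECR/" >&2
        rc=1
    fi
    for label in $labels; do
        for user in $users; do
            [ -d "$base/$label/$user" ] || {
                echo "missing home directory $base/$label/$user" >&2; rc=1; }
        done
    done
    return $rc
}

# build_sample DIR QUOTING: constructed stand-in for /u, for trying the
# check offline. QUOTING=single stores the literal symbol; any other value
# reproduces the quoting mistake, where the shell expands the variable first.
build_sample() {
    mkdir -p "$1/SECRET/alice" "$1/SECRET/bob" "$1/UNCLASS/alice"
    if [ "$2" = single ]; then
        ln -s '$SYSSECR/' "$1/symsecr"
    else
        unset SYSSECR
        ln -s "$SYSSECR/" "$1/symsecr"   # unset variable: target becomes "/"
    fi
}
```

A link whose stored target is / instead of $SYSSECR/ makes /u/symsecr/user resolve to /user for every security label, so the check fails on it.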

Results

This approach is useful in many other situations where a different configuration is required for different security labels.