When the SECLABEL class is active, security labels can be set on
z/OS UNIX resources
in the following ways:
- When a physical file system or zFS aggregate is created, the file
system root will be assigned the security label that is specified
in the RACF® data set profile
that covers the data set name. If a security label is not specified
or if a data set profile does not exist, then a security label will
not be assigned to the file system root.
- zFS file systems support the chlabel command, which sets
an initial security label on a file or
directory. Use this command to set security labels on zFS files and
directories after they have been created.
- If a directory has been assigned a security label, then new files
and directories created within that directory will inherit a security
label as follows:
  - If the parent directory is assigned a security label of SYSMULTI,
    the new file or directory is assigned the security label of the user.
    If the user has no security label, no label is assigned to the new
    object.
  - If the parent directory is assigned a security label other than
    SYSMULTI, the new file or directory is assigned the same security
    label as the parent directory.
- The rules for security label assignment are more extensive when
running in a multilevel-secure environment. For more information,
see z/OS Planning for Multilevel Security and the Common Criteria.
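
The inheritance rules in the list above, modelled as an added Python example (not IBM code): it predicts the label a new object receives and lists the objects left without one, which are the candidates for a later chlabel. It covers label assignment only, not access checks or the multilevel-secure rules; the label names LABELA and LABELB, the tree, and the treatment of an unlabelled parent are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

SYSMULTI = "SYSMULTI"

@dataclass
class Node:
    label: Optional[str]                 # None = no security label assigned
    children: dict = field(default_factory=dict)

def inherited_label(parent_label, user_label):
    """Label given to a new file or directory at creation time."""
    if parent_label is None:
        return None          # assumption: the page only covers labelled parents
    if parent_label == SYSMULTI:
        return user_label    # None when the user has no label
    return parent_label      # any other label is copied from the parent

def create(parent, name, user_label):
    node = Node(inherited_label(parent.label, user_label))
    parent.children[name] = node
    return node

def unlabelled(node, path="/"):
    """Paths with no label, i.e. candidates for a later chlabel."""
    found = [] if node.label else [path]
    for name, child in node.children.items():
        found += unlabelled(child, path.rstrip("/") + "/" + name)
    return found

def demo():
    # Constructed scenario; LABELA and LABELB are made-up label names.
    root = Node(SYSMULTI)                      # root label from the data set profile
    proj = create(root, "proj", "LABELA")      # SYSMULTI parent -> user's label
    create(proj, "plan.txt", "LABELB")         # LABELA parent -> LABELA
    scratch = create(root, "scratch", None)    # user without a label -> no label
    create(scratch, "notes", "LABELB")         # unlabelled parent (assumed: none)
    return root

if __name__ == "__main__":
    print(unlabelled(demo()))
```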