You can activate the SAF SECLABEL class and define security labels
on SERVAUTH profiles. This causes the security server to enforce mandatory
access control policies for those resources without fully activating
a multilevel secure environment. The z/OS® Communications
Server stack does not perform its extra mandatory access control policy
enforcement until you issue the RACF® command
SETROPTS MLACTIVE. When running with SETROPTS NOMLACTIVE, you should
not use unrestricted stacks or define network security zones with
a SYSMULTI security label, because the packet-label checks that make
those configurations safe are not performed until MLACTIVE is set.
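The activation sequence described above, written out as an added example; it is not taken from the z/OS Communications Server documentation. The system name SYS1, the stack name TCPIP, the zone names CONFZONE and MULTIZONE, the user-defined label CONF1 (with its SECLEVEL and CATEGORY members) and the groups NETUSERS and CONFUSER are assumed names. The resource-name formats EZB.STACKACCESS.sysname.tcpname and EZB.NETACCESS.sysname.tcpname.zonename are the SERVAUTH profiles the stack checks. The commands are shown as a CLIST so that /* */ comments can be used:

```tso
/* Added example, not from the z/OS documentation.                        */
/* Assumed names: system SYS1, stack TCPIP, zones CONFZONE and MULTIZONE, */
/* label CONF1, groups NETUSERS and CONFUSER.                             */

/* 1. Activate the classes. SECLABEL and SERVAUTH must be RACLISTed.      */
SETROPTS CLASSACT(SECLABEL) RACLIST(SECLABEL)
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)

/* 2. Define an assumed site label. SYSHIGH, SYSLOW and SYSMULTI already  */
/*    exist; CONF1 is built from an assumed level and category.           */
RDEFINE SECDATA SECLEVEL ADDMEM(CONFIDENTIAL/50)
RDEFINE SECDATA CATEGORY ADDMEM(PROJ1)
RDEFINE SECLABEL CONF1 SECLEVEL(CONFIDENTIAL) ADDCATEGORY(PROJ1) UACC(NONE)
PERMIT CONF1 CLASS(SECLABEL) ID(CONFUSER) ACCESS(READ)

/* 3. Label the stack. SYSMULTI on the STACKACCESS profile makes this an  */
/*    unrestricted stack; any other label makes it a restricted stack.    */
RDEFINE SERVAUTH EZB.STACKACCESS.SYS1.TCPIP UACC(NONE) SECLABEL(SYSMULTI)
PERMIT EZB.STACKACCESS.SYS1.TCPIP CLASS(SERVAUTH) ID(NETUSERS) ACCESS(READ)

/* 4. One NETACCESS profile per security zone, labelled to match the      */
/*    hosts in that zone. A SYSMULTI zone is where packet labels flow.    */
RDEFINE SERVAUTH EZB.NETACCESS.SYS1.TCPIP.CONFZONE  UACC(NONE) SECLABEL(CONF1)
RDEFINE SERVAUTH EZB.NETACCESS.SYS1.TCPIP.MULTIZONE UACC(NONE) SECLABEL(SYSMULTI)
PERMIT EZB.NETACCESS.SYS1.TCPIP.CONFZONE  CLASS(SERVAUTH) ID(CONFUSER) ACCESS(READ)
PERMIT EZB.NETACCESS.SYS1.TCPIP.MULTIZONE CLASS(SERVAUTH) ID(NETUSERS) ACCESS(READ)

SETROPTS RACLIST(SECLABEL) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH

/* 5. Only now turn on multilevel enforcement. WARNING mode logs what     */
/*    FAILURES mode would reject; switch to FAILURES once the log is clean.*/
SETROPTS MLACTIVE(WARNING)
/* SETROPTS MLACTIVE(FAILURES) */
```

Steps 1 to 4 are exactly the "SECLABEL class active, labels on SERVAUTH profiles, MLACTIVE not yet set" state the text describes: RACF already enforces the labels on those resources, but the stack's extra checks begin only at step 5. Until then the SYSMULTI STACKACCESS and MULTIZONE definitions should stay out of a production profile, as the text warns.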
When a NETACCESS statement is encountered during TCPIP profile processing
and MLACTIVE is in effect, the stack activates extra mandatory access
control policy enforcement, in both restricted and unrestricted stacks,
as follows:
- New sockets are allowed only if a SERVAUTH STACKACCESS profile
(EZB.STACKACCESS.sysname.tcpname) covers this stack.
- Network access is allowed only to IP addresses that are mapped
into network security zones covered by SERVAUTH NETACCESS profiles
(EZB.NETACCESS.sysname.tcpname.zonename).
- Restricted stacks do not normally allow SYSMULTI tasks to have
network access to security zones with security labels that are not
equivalent to the stack's security label. For more information, see Exempting certain users of certain programs from full Network Access Control.
- Unrestricted stacks transmit packet labels both internally and
externally to enable an extra mandatory access control check, between
the sending task's security label and the receiving task's security
label, when both IP addresses are in security zones with a SYSMULTI
security label.
- Distributing stacks consider security labels in choosing target
applications.
- TN3270E Telnet servers consider security labels in mapping connections
to LU names.
- Internal configuration consistency checks are performed whenever
PROFILE.TCPIP or certain SERVAUTH class profile changes are made.
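The NETACCESS statement that triggers the enforcement listed above, as an added example of a PROFILE.TCPIP fragment; it is not from the z/OS Communications Server documentation. The addresses and the zone names CONFZONE, MULTIZONE and DEFZONE are assumed; each zone name must have a matching SERVAUTH profile EZB.NETACCESS.SYS1.TCPIP.zonename carrying that zone's security label (SYS1 and TCPIP are the assumed system and stack names), which is one of the consistency checks the stack performs when the profile is processed:

```text
; Added example, not from the z/OS documentation.
; Assumed: stack TCPIP on system SYS1; zone names must match
; EZB.NETACCESS.SYS1.TCPIP.<zone> profiles in the SERVAUTH class.
NETACCESS INBOUND OUTBOUND
   10.1.0.0/16      CONFZONE    ; hosts at label CONF1 only
   10.2.0.0/16      MULTIZONE   ; SYSMULTI zone: packet labels are carried
   DEFAULTHOME      DEFZONE     ; the stack's own home addresses
   DEFAULT          DEFZONE     ; every address not listed above
ENDNETACCESS
```

With MLACTIVE set, a task with label CONF1 may reach 10.1.0.0/16 only if it has READ access to EZB.NETACCESS.SYS1.TCPIP.CONFZONE and its label dominates the zone's label. Traffic between two addresses that both fall in MULTIZONE carries the sending task's label in the packet, so the receiving stack can compare it with the receiving task's label as described above. An address with no matching entry falls to DEFAULT, so a restrictive label on DEFZONE is what keeps unmapped destinations from becoming an accidental bypass.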