SECLABEL Keyword—Security Labels

Keywords › SECLABEL Keyword—Security Labels

SECLABEL Keyword—Security Labels

Valid on z/OS.

Use the SECLABEL keyword to define and remove security labels in the MLS record. A security administrator can create the security labels assigned to users, data, and resources. A list of available SECLABEL names can be assigned to an ACID, as well as a default label DFLTSLBL.

This keyword has the following format:

TSS ADDTO(MLS) SECLABEL(seclabel—name)
               SECEVEL(level—name)
              CATEGORY(category1,…,categoryn)
               SYSID(sysid1,…,sysidn)
               MLAUDIT(access1,…,accessn)

TSS REMOVE(MLS) SECLABEL(seclabel—name)

SECLABEL

Specifies the alphanumeric name of a security label. A SECLABEL cannot be removed from MLS if it is associated with a user or a resource class.

Size: 8 bytes

LEVEL

Specifies the name of a security level that was defined in the MLS record.

CATEGORY

(Optional) Specifies one or more categories that were defined in the MLS record.

SYSID

(Optional) Specifies one or more system IDs on which this security label can be used.

MLAUDIT(access[,access2,...,access8])

Specifies a list of up to eight access levels, under which MLS auditing is initiated for objects with the selected SECLABEL. Valid access types are READ, CREATE, WRITE, CONTROL, UPDATE, SCRATCH, FETCH, ALTER, and ALL. To audit the seclabel without regard to access, use ACCESS(ALL). If any other access level is entered or if MLAUDIT is not specified the default value READ is substituted.

The MLSECAUD control option must be activated for seclabel auditing to be performed. For information, see the Control Options Guide.

MLS seclabel auditing supports the ck_access, ck_process_owner, ck_owner_two_files, and R_ptrace UNIX callable services. Valid access levels to perform MLS seclabel auditing are:

READ—ck_access
WRITE—ck_access
CONTROL—ck_process_owner, ck_owner_two_files, and R_ptrace

The corresponding UNIX access type is displayed when reporting ck_access.

This keyword is used with:

The commands ADDTO an REMOVE
The ACID types User, DCA, VCA, ZCA, LSCA, and SCA
ACID(MAINTAIN) and MISC5(MLS) authority

Examples: SECLABEL keyword

This example adds SECLABEL ADMIN to the MLS Record:

TSS ADDTO(MLS) SECLABEL(ADMIN)
              CATEGORY(PERSONNEL,ACCOUNTING)
               SECLEVEL(10)
               SYSID(SYS1)

This example removes the SECLABEL ADMIN:

TSS REMOVE(MLS) SECLABEL(ADMIN)

This example adds seclabel ADMIN to the dataset PAYROLL.RECORDS:

TSS ADDTO(MLS) DSN(PAYROLL.RECORDS) 
               SECLABEL(ADMIN)