List:       racf-l
Subject:    Re: Seclabels
From:       Alan Altmark <Alan_Altmark () US ! IBM ! COM>
Date:       2017-02-28 18:07:05
Message-ID: OF8F40284E.C8C9440B-ON852580D5.0062BE4E-852580D5.006386F7 () notes ! na ! collabserv ! com

On Tuesday, 02/28/2017 at 05:51 GMT, Bob Bauer <bauerrj@HOTMAIL.COM> wrote:
> We are considering what would be the impact if we enabled SECLABEL for some users and some datasets
> (no system datasets), but without enabling MLS.  As I read the manual, "Planning for Multilevel
> Security and the Common Criteria" I'm confused by the following statements:
>
> - Note that when the SECLABEL class is active, unless the security administrator has also set
> certain system options, a user needs a security label *only if* the resource the user wants to
> access has a security label, and resources are not required to
> have security labels.
>
> - You should assign security labels to *all* users before you activate the SECLABEL resource class.
>
> Some questions:
> 1. Do we need to assign security labels to all users?

Hmmm...  "Need".  Insufficient data.  However, there are RACF 
configurations that allow resource access even when a user does not have a 
SECLABEL.

> 2. If we don't enable MLS, then requests to write down are allowed, and users can copy data to a
> lower security label.  Could they also copy data to a dataset without a security label?

That depends on the MLACTIVE setting.  With NOMLACTIVE, yes, they can copy 
the data.

There are summary tables in the SAG that tell you what the results are for 
various conditions with various MLS/MLACTIVE/SECLABEL settings.

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
Alan_Altmark@us.ibm.com
IBM Endicott