Format
chlabel [-cqR] [-h|-L] seclabel pathname ...
Description
chlabel sets the security label of the files and directories specified by pathname. Setting the security label is only allowed if the user has RACF® SPECIAL authority, and no security label currently exists on the resource. Once a security label is set, it cannot be changed.
seclabel is a 1-8 character security label that corresponds to a RACF security level with a set of zero or more security categories. See z/OS Planning for Multilevel Security and the Common Criteria for restrictions on security labels.
If chlabel cannot set the security label for a file or object, it continues to try to change the other files but exits with a nonzero status.
When -R is specified, chlabel will not cross device boundaries from the directory specified by pathname unless the -c option is used.
Options
- -c
- Cross device boundaries.
- -h
- Does not follow the symbolic link (or external link), but instead makes changes to the symbolic link (or external link) itself. Cannot be used with -L.
- -L
- Follow symbolic links. Cannot be used with -h.
- -q
- Quiet mode. chlabel suppresses all warning messages. The condition that caused the warning does not affect the exit value.
- -R
- chlabel sets the security label on all the file objects and subdirectories under the directory specified by pathname.
Usage notes
- See z/OS Planning for Multilevel Security and the Common Criteria for more information about multilevel security and security labels.
- chlabel will not set the security label for a symbolic link, or for the file to which it points, unless either the -h or -L option is specified. If neither option is specified, chlabel prints a warning, continues to the next file and exits with a nonzero status.
- chlabel is typically run to set up security labels on file systems before multilevel security is activated.
- Only the zFS file system supports the setting of security labels.
- The SECLABEL class must be active before the chlabel command will set a security label. If the SECLABEL class is not active, security labels will not be set.
Exit values
- 0
- Successful completion
- 1
- Failure due to any of the following reasons:
  - The user does not have RACF SPECIAL authority
  - The user specified a security label with more than 8 characters
  - The file system does not support setting security labels
  - The RACF SECLABEL class is not active
- 2
- Command syntax error
- 3
- One or more warnings occurred, due to any of the following:
  - The path name already has a security label assigned
  - A symbolic link was encountered, but neither -h nor -L was specified
  - Device boundary not crossed
Examples
- To set the security label TOPSEC for file "secret_file":
chlabel TOPSEC secret_file
- To set the security label SYSLOW for a symbolic link "mylink":
chlabel -h SYSLOW mylink
- To set the security label SYSLOW for the file to which the symbolic link "mylink" points:
chlabel -L SYSLOW mylink
- To recursively set the security label SYSHIGH for all files, symbolic links, and subdirectories under the directory "Team":
chlabel -Rh SYSHIGH Team
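The exit values and symbolic-link behavior described above, combined in a wrapper that labels several pathnames and reports which ones failed outright and which only raised a warning. This is an added example, not part of the IBM documentation: label_paths and its report format are hypothetical, and labeling links with -h rather than -L is an assumption.

```shell
#!/bin/sh
# Added example, not IBM code. label_paths and its report format are
# hypothetical; chlabel options and exit values are the ones listed above.

# label_paths SECLABEL PATHNAME...
# Prints one "STATUS pathname" line per pathname and returns:
#   0 every label was set      3 warnings only
#   1 at least one failure     2 bad arguments to label_paths itself
label_paths() {
    if [ "$#" -lt 2 ]; then
        echo "usage: label_paths seclabel pathname ..." >&2
        return 2
    fi
    seclabel=$1
    shift
    # A seclabel is 1-8 characters; reject it once, before touching any file.
    case $seclabel in
        '' | ?????????*) echo "seclabel must be 1-8 characters" >&2; return 2 ;;
    esac
    worst=0
    for p in "$@"; do
        rc=0
        if [ -L "$p" ]; then
            # Assumption: label the link itself (-h). Use -L to label its target.
            chlabel -h "$seclabel" "$p" || rc=$?
        else
            chlabel "$seclabel" "$p" || rc=$?
        fi
        case $rc in
            0) echo "SET      $p" ;;
            3) # Warning, e.g. a label already exists and cannot be changed.
               echo "WARNING  $p"
               if [ "$worst" -eq 0 ]; then worst=3; fi ;;
            *) # 1 (no authority, unsupported file system, SECLABEL inactive) or 2.
               echo "FAILED   $p (exit $rc)"
               worst=1 ;;
        esac
    done
    return "$worst"
}
```

Source the file in the z/OS UNIX shell and call the function, for example: label_paths SYSLOW secret_file mylink. Because a label cannot be changed once set, review the WARNING lines to confirm that the label already on each resource is the intended one.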