chlabel — Set the security label of files and directories
Format
chlabel [-cqR] [-h|-L] seclabel pathname …
Description
chlabel sets the security label of the files and directories specified by pathname. Setting the security label is only allowed if the user has RACF® SPECIAL authority, and no security label currently exists on the resource. Once a security label is set, it cannot be changed.
seclabel is a 1-8 character security label that corresponds to a RACF security level with a set of zero or more security categories. See z/OS Planning for Multilevel Security and the Common Criteria for restrictions on security labels.
If chlabel could not set the security label for a file or object, it continues to try to change the other files but exits with a nonzero status.
When -R is specified, chlabel will not cross device boundaries from the directory specified by pathname unless the -c option is used.
Options
- -c
  Cross device boundaries.
- -h
  Does not follow the symbolic link (or external link), but instead makes changes to the symbolic link (or external link) itself. Cannot be used with -L.
- -L
  Follow symbolic links. Cannot be used with -h.
- -q
  Quiet mode. chlabel suppresses all warning messages. The condition that caused the warning does not affect the exit value.
- -R
  chlabel sets the security label on all the file objects and subdirectories under the directory specified by pathname.
Usage notes
- See z/OS Planning for Multilevel Security and the Common Criteria for more information about multilevel security and security labels.
- chlabel will not set the security label for a symbolic link, or for the file to which it points, unless either the -h or -L option is specified. If neither option is specified, chlabel prints a warning, continues to the next file and exits with a nonzero status.
- chlabel is typically run to set up security labels on file systems before multilevel security is activated.
- Only the zFS file system supports the setting of security labels.
- The SECLABEL class must be active before the chlabel command will set a security label. If the SECLABEL class is not active, security labels will not be set.
Exit values
- 0
  Successful completion
- 1
  Failure due to any of the following reasons:
  - The user does not have RACF SPECIAL authority
  - The user specified a security label with more than 8 characters
  - The file system does not support setting security labels
  - The RACF SECLABEL class is not active
- 2
  Command syntax error
- 3
  One or more warnings occurred, due to any of the following:
  - The path name already has a security label assigned
  - A symbolic link was encountered, but neither -h nor -L was specified
  - Device boundary not crossed
Examples
- To set the security label TOPSEC for file "secret_file":
  chlabel TOPSEC secret_file
- To set the security label SYSLOW for a symbolic link "mylink":
  chlabel -h SYSLOW mylink
- To set the security label SYSLOW for the file to which the symbolic link "mylink" points:
  chlabel -L SYSLOW mylink
- To recursively set the security label SYSHIGH for all files, symbolic links, and subdirectories under the directory "Team":
  chlabel -Rh SYSHIGH Team
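
Because a security label cannot be changed once it is set, it helps to inspect a tree before running the recursive form. The following read-only check is an added example, not part of the original reference. The function names are hypothetical, and it assumes a find that supports -type l and -xdev.

```shell
#!/bin/sh
# Added example: read-only pre-flight for "chlabel -R <seclabel> <dir>".
# It never runs chlabel. Function names are hypothetical.

# Length rule from this page: a security label is 1-8 characters.
# Other restrictions on labels are not checked here.
valid_seclabel_length() {
    len=${#1}
    [ "$len" -ge 1 ] && [ "$len" -le 8 ]
}

# Symbolic links under the tree. Without -h or -L each one is skipped
# with a warning. (Names containing newlines would inflate the count.)
count_symlinks() {
    find "$1" -type l -print | wc -l | tr -d ' '
}

# Entries on a different device than the top directory. With -R these
# are not reached unless -c is also given.
count_other_device_entries() {
    all=$(find "$1" -print | wc -l | tr -d ' ')
    same=$(find "$1" -xdev -print | wc -l | tr -d ' ')
    echo $((all - same))
}

# Returns 1 for a bad label or directory, 3 when a plain "chlabel -R"
# (no -h, -L or -c) would hit the documented warning conditions, else 0.
preflight() {
    label=$1
    dir=$2
    if ! valid_seclabel_length "$label"; then
        echo "label must be 1-8 characters: '$label'" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    links=$(count_symlinks "$dir")
    other=$(count_other_device_entries "$dir")
    echo "symlinks=$links other_device=$other"
    if [ "$links" -ne 0 ] || [ "$other" -ne 0 ]; then
        return 3
    fi
    return 0
}
```

A nonzero count tells you which of -h, -L or -c to decide on before labeling the tree.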