z/OS Security Server RACF Security Administrator's Guide


Enforcing multilevel security (MLACTIVE option)

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

If you have the SPECIAL attribute, and if the SECLABEL class is active, you can control whether security labels are required for certain resource classes. When MLACTIVE is in effect, the following requirements are enforced:

Requirements:
  • All work entering the system must be run by a RACF-defined user.
  • A security label must be assigned to all work entering the system, including batch jobs and users logging on to TSO and MVS™ consoles, started procedures, and to any application that supports security labels when users log on.
  • All user tasks running in a server's address space must have a security label that is equivalent to the security label of the address space.
  • You must either assign and grant permission to a default security label for every RACF® user ID, or permit user IDs to SYSLOW. Users without a default security label will attempt to run with SYSLOW when MLACTIVE(FAILURES) is in effect.
  • A security label must be assigned to all profiles in the following classes:
    • APPCPORT
    • APPCSERV
    • APPCTP
    • APPL
    • DATASET
    • DEVICES
    • DIRECTRY
    • DSNADM
    • DSNR
    • FILE
    • GDSNBP and MDSNBP
    • GDSNCL and MDSNCL
    • GDSNDB and MDSNDB
    • GDSNJR and MDSNJR
    • GDSNPN and MDSNPN
    • GDSNSC and MDSNSC
    • GDSNSG and MDSNSG
    • GDSNSM and MDSNSM
    • GDSNSP and MDSNSP
    • GDSNTB and MDSNTB
    • GDSNTS and MDSNTS
    • GDSNUF and MDSNUF
    • SERVAUTH
    • SERVER
    • TAPEVOL
    • TERMINAL
    • USER
    • VMDEV
    • VMLAN
    • VMMAC
    • VMMDISK
    • VMSEGMT
    • WRITER
To enforce multilevel security, enter:
  SETROPTS MLACTIVE(FAILURES)
Restriction: This option cannot be activated when the SECLABEL class is inactive.
You can also specify MLACTIVE(WARNING), which allows users to log on or submit jobs. MLACTIVE(WARNING) sends a warning message to the user and to the security administrator when the user attempts to:
  • Enter the system without a security label
  • Access a resource in one of the previously mentioned classes when the resource has not been assigned a security label

If you do not specify the FAILURES option with the SETROPTS MLACTIVE command, MLACTIVE(WARNING) is activated.

To cancel the MLACTIVE option, specify NOMLACTIVE on the SETROPTS command.

Attention: Do not issue the SETROPTS MLACTIVE(FAILURES) command unless you have assigned appropriate security labels to users and to the resources they must access. To recover from such a situation, log on as a user with the SPECIAL attribute, specifying SYSHIGH as the current security label. Then either assign security labels or issue SETROPTS NOMLACTIVE. If you turn on MLACTIVE and do not correctly define all profiles that need SECLABELs, IPL failures or other serious problems can occur.

Guidelines:
  • Back up your RACF database with a database that you know you can use to IPL.
  • Define new system profiles (including classes such as DATASET, TERMINAL, TAPEVOL, APPL or any other active class that has SLBLREQ=YES in the class descriptor table) and ensure they have the correct security labels.
  • Turn MLACTIVE on in WARNING mode.
  • Watch out for relevant warning messages.

Data set and general resource profiles in WARNING mode: A user or task can access a resource that is in WARNING mode and has no security label even when MLACTIVE(FAILURES) is in effect and the class requires security labels. The user or task receives a warning message and gains access. (A data set or general resource is in WARNING mode when you define or modify the profile that protects it and you specify the WARNING operand.)
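The readiness check that the Attention note and the Guidelines call for, written as an added Python example rather than anything from IBM or RACF itself. The profile and user inventory is a constructed stand-in for whatever you extract from your own RACF database; the field names, the class set constant and the three decision functions are assumptions made for this example, and the rules they encode are the ones stated in this topic: every profile in an SLBLREQ class needs a label, a user with no default label falls back to SYSLOW under MLACTIVE(FAILURES), and a profile in WARNING mode still grants access with a warning. Running it before switching from WARNING to FAILURES shows which users and profiles would start failing.

```python
"""Pre-activation check and decision model for SETROPTS MLACTIVE.

Added example, not IBM code. The inventory format below is a constructed
stand-in for the administrator's own extract of the RACF database.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Classes that require a security label when MLACTIVE is in effect,
# exactly as listed in this topic (SLBLREQ=YES in the class descriptor table).
SLBLREQ_CLASSES = frozenset(
    {"APPCPORT", "APPCSERV", "APPCTP", "APPL", "DATASET", "DEVICES", "DIRECTRY",
     "DSNADM", "DSNR", "FILE", "SERVAUTH", "SERVER", "TAPEVOL", "TERMINAL",
     "USER", "VMDEV", "VMLAN", "VMMAC", "VMMDISK", "VMSEGMT", "WRITER"}
    | {prefix + suffix for prefix in ("GDSN", "MDSN")
       for suffix in ("BP", "CL", "DB", "JR", "PN", "SC", "SG", "SM", "SP", "TB", "TS", "UF")}
)

MODES = ("NOMLACTIVE", "WARNING", "FAILURES")


@dataclass
class Profile:
    cls: str                        # RACF class, for example "DATASET"
    name: str                       # profile name
    seclabel: Optional[str] = None  # None means no SECLABEL assigned
    warning: bool = False           # defined or altered with the WARNING operand


@dataclass
class User:
    userid: str
    default_seclabel: Optional[str] = None
    permitted_seclabels: frozenset = frozenset()  # labels the user is permitted to


def unlabelled_profiles(profiles: List[Profile]) -> List[Profile]:
    """Profiles in a label-requiring class that have no SECLABEL yet."""
    return [p for p in profiles if p.cls in SLBLREQ_CLASSES and p.seclabel is None]


def entry_decision(user: User, mode: str) -> str:
    """Outcome when this user enters the system (logon, batch job, console)."""
    if mode not in MODES:
        raise ValueError(f"unknown MLACTIVE setting: {mode}")
    if mode == "NOMLACTIVE" or user.default_seclabel is not None:
        return "ALLOW"
    if mode == "WARNING":
        return "WARN"   # enters the system; user and administrator are warned
    # FAILURES: a user with no default label attempts to run with SYSLOW
    return "ALLOW" if "SYSLOW" in user.permitted_seclabels else "FAIL"


def resource_decision(profile: Profile, mode: str) -> str:
    """Outcome of the label-requirement check for one profile.

    PROCEED means no requirement is violated and the normal security label
    comparison (not modelled here) decides the access.
    """
    if mode not in MODES:
        raise ValueError(f"unknown MLACTIVE setting: {mode}")
    if mode == "NOMLACTIVE" or profile.cls not in SLBLREQ_CLASSES or profile.seclabel is not None:
        return "PROCEED"
    if mode == "WARNING" or profile.warning:
        return "WARN"   # warning message issued, access granted
    return "FAIL"       # FAILURES and the profile is not in WARNING mode


def readiness_report(profiles: List[Profile], users: List[User], mode: str = "FAILURES") -> Dict:
    """Summarise what activating MLACTIVE in the given mode would break."""
    failing_profiles = [f"{p.cls} {p.name}" for p in profiles if resource_decision(p, mode) == "FAIL"]
    failing_users = [u.userid for u in users if entry_decision(u, mode) == "FAIL"]
    return {
        "mode": mode,
        "unlabelled_profiles": [f"{p.cls} {p.name}" for p in unlabelled_profiles(profiles)],
        "failing_profiles": failing_profiles,
        "failing_users": failing_users,
        "ready": not failing_profiles and not failing_users,
    }


# Constructed sample inventory (not real profiles or users).
SAMPLE_PROFILES = [
    Profile("DATASET", "SYS1.PARMLIB", seclabel="SYSHIGH"),
    Profile("DATASET", "PAYROLL.MASTER"),               # no label: fails under FAILURES
    Profile("TERMINAL", "TERM0001", warning=True),      # no label, but WARNING mode lets access through
    Profile("FACILITY", "BPX.SUPERUSER"),               # class does not require a label
]
SAMPLE_USERS = [
    User("ADMIN01", default_seclabel="SYSHIGH"),
    User("BATCH01", permitted_seclabels=frozenset({"SYSLOW"})),  # falls back to SYSLOW
    User("OPER02"),                                              # no default label, no SYSLOW
]

if __name__ == "__main__":
    for m in ("WARNING", "FAILURES"):
        print(readiness_report(SAMPLE_PROFILES, SAMPLE_USERS, m))
```

The report for WARNING mode comes back ready while the FAILURES report names PAYROLL.MASTER and OPER02, which is exactly the gap the Guidelines tell you to close (assign labels, or permit the user to SYSLOW) while still running in WARNING mode. TERM0001 appears only in the unlabelled list: its WARNING operand keeps access working under FAILURES, so treat it as a finding to clean up rather than an outage.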





Copyright IBM Corporation 1990, 2014