Restricting access to interprocess communication objects (MLIPCOBJ option)
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00

If you have the SPECIAL attribute, and if the SECLABEL class is active, you can prevent users (except trusted and privileged started tasks) from accessing objects used for interprocess communication, such as semaphores, message queues, and shared memory, that do not have security labels. While the SETROPTS MLFSOBJ option is in effect, all interprocess communication objects must have security labels. To do this, enter:

    SETROPTS MLIPCOBJ(ACTIVE)

Restriction: This option cannot be activated when the SECLABEL class is inactive.

To cancel the MLIPCOBJ option, specify MLIPCOBJ(INACTIVE) on the SETROPTS command.

Guideline: Assign security labels to all users before activating MLIPCOBJ to ensure that all interprocess communication objects in progress are assigned security labels. One way to ensure this is to activate MLIPCOBJ at IPL time.

Note: Do not specify SETROPTS MLIPCOBJ(ACTIVE) if any system sharing the RACF® database is not at the necessary software level for multilevel security support. Use of the SETROPTS MLIPCOBJ option should not cause problems on these systems, but it does not provide full protection on these systems.

For details, see z/OS Planning for Multilevel Security and the Common Criteria.

Copyright IBM Corporation 1990, 2014