z/OS Security Server RACF Security Administrator's Guide


Restricting access to interprocess communication objects (MLIPCOBJ option)

SA23-2289-00

If you have the SPECIAL attribute, and if the SECLABEL class is active, you can prevent users (except trusted and privileged started tasks) from accessing objects used for interprocess communication, such as semaphores, message queues, and shared memory, that do not have security labels. While the SETROPTS MLIPCOBJ option is in effect, all interprocess communication objects must have security labels.

To do this, enter:
SETROPTS MLIPCOBJ(ACTIVE)
Restriction: This option cannot be activated when the SECLABEL class is inactive.

To cancel the MLIPCOBJ option, specify MLIPCOBJ(INACTIVE) on the SETROPTS command.

Guideline: Assign security labels to all users before activating MLIPCOBJ to ensure that all interprocess communication objects in progress are assigned security labels. One way to ensure this is to activate MLIPCOBJ at IPL time.

Note: Do not specify SETROPTS MLIPCOBJ(ACTIVE) if any system sharing the RACF® database is not at the necessary software level for multilevel security support. Use of the SETROPTS MLIPCOBJ option should not cause problems on these systems, but it does not provide full protection on these systems. For details, see z/OS Planning for Multilevel Security and the Common Criteria.





Copyright IBM Corporation 1990, 2014