IPC objects

For communications using IPC objects, when RACF® creates an IPC security packet (ISP), if the SECLABEL class is active RACF copies the security label of the process, if one exists, into the ISP. RACF rejects requests for subsequent connections if the connecting process does not have a security label equivalent to the security label in the ISP. Once a security label has been assigned to an IPC object, it cannot be changed.

To establish multilevel security for IPC objects, activate the SECLABEL class and activate the MLIPCOBJ RACF option. If the SECLABEL class is active, and the MLIPCOBJ RACF option is not active, the system assigns a security label to an IPC object only if the creating process had one. If the IPC object does not have a security label, the system does not require a security label for connecting processes. However, if the connecting process does have a security label, the connection fails. If the SECLABEL class is active, activating the MLIPCOBJ option causes the system to require a security label for all IPC objects and for all connecting processes.

Parent topic: Security label processing for communications between z/OS UNIX processes