When the SECLABEL class is active, security labels can be set on z/OS UNIX resources in the following ways:

• When a physical file system or zFS aggregate is created, the file system root will be assigned the security label that is specified in the RACF® data set profile that covers the data set name. If a security label is not specified or if a data set profile does not exist, then a security label will not be assigned to the file system root.
• zFS file systems support the chlabel command which allows the setting of an initial security label on a file or directory. Use this command to set security labels on zFS files and directories after they have been created.
• If a directory has been assigned a security label, then new files and directories created within that directory will inherit a security label as follows:
  • If the parent directory is assigned a security label of SYSMULTI, the new file or directory is assigned the security label of the user. If the user has no security label, no label is assigned to the new object.
  • If the parent directory is assigned a security label other than SYSMULTI, the new file or directory is assigned the same security label as the parent directory.
• The rules for security label assignment are more extensive when running in a multilevel-secure environment. For more information, see z/OS Planning for Multilevel Security and the Common Criteria.