chlabel - Set the security label of files and directories

Format

chlabel [-cqR] [-h|-L] seclabel pathname ...

Description

chlabel sets the security label of the files and directories that are specified by pathname. Setting the security label is only allowed if the user has RACF® SPECIAL authority, and no security label currently exists on the resource. Once a security label is set, it cannot be changed.

seclabel is a 1-8 character security label that corresponds to a RACF security level with a set of zero or more security categories.

If chlabel could not set the security label for a file or object, it continues to try to change the other files but exits with a nonzero status.

When -R is specified, chlabel will not cross device boundaries from the directory that is specified by pathname unless the -c option is used.

Options

-c
Cross device boundaries.
-h
Does not follow the symbolic link (or external link), but instead makes changes to the symbolic link (or external link) itself. Cannot be used with -L.
-L
Follow symbolic links. Cannot be used with -h.
-q
Quiet mode. chlabel suppresses all warning messages. The condition that caused the warning does not affect the exit value.
-R
chlabel sets the security label on all the file objects and subdirectories under the directory that is specified by pathname.

Usage notes

  1. For more information about multilevel security and security labels, see z/OS Planning for Multilevel Security and the Common Criteria.
  2. chlabel will not set the security label for a symbolic link, or for the file to which it points, unless either the -h or -L option is specified. If neither option is specified, chlabel prints a warning, continues to the next file and exits with a nonzero status.
  3. chlabel is typically run to set up security labels on file systems before multilevel security is activated.
  4. Only the zFS file system supports the setting of security labels.
  5. The SECLABEL class must be active before the chlabel command will set a security label. If the SECLABEL class is not active, security labels will not be set.

Exit values

0
Successful completion.
1
Failure due to any of the following reasons:
  • The user does not have RACF SPECIAL authority.
  • The user specified a security label with more than 8 characters.
  • The file system does not support setting security labels.
  • The RACF SECLABEL class is not active.
2
Command syntax error.
3
One or more warnings occurred, due to any of the following reasons:
  • The path name already has a security label assigned.
  • A symbolic link was encountered, but neither -h nor -L was specified.
  • Device boundary not crossed.

Examples

  1. To set the security label TOPSEC for file secret_file: 
    chlabel  TOPSEC  secret_file
  2. To set the security label SYSLOW for a symbolic link mylink: 
    chlabel  -h SYSLOW mylink
  3. To set the security label l SYSLOW for the file to which the symbolic link mylink points: 
    chlabel  -L SYSLOW mylink
  4. To recursively set the security label SYSHIGH for all files, symbolic links, and subdirectories under the directory Team: 
    chlabel -Rh SYSHIGH  Team