MLWRITE Subcommand

When MLS is active on a system, the MLWRITE subcommand can be issued by an authorized user to override global write-down protection. Global write-down protection prevents writing data from a higher to a lower security level. The MLWRITE subcommand overrides global write-down protection by setting, resetting, or querying the write-down mode for a user address space. A user requires read access to the IRR.WRITEDOWN.BYUSER resource in the FACILITY class to issue the MLWRITE subcommand.
MLWRITE STATUS|ENABLE|DISABLE|RESET
  • STATUS
    Displays the status of the write-down mode during the user's current session.
  • ENABLE
    Specifies that a user's write-down mode be turned on. Displays the status of the user's ability to write down.
  • DISABLE
    Specifies that a user's write-down mode be turned off.
  • RESET
    Specifies that a user's write-down mode be reset to the mode that was in effect when the user entered the system.
Example: Change global write-down authority
Your system is defined to prevent writing data globally from a higher to a lower security label. As a security administrator, you have the authority to override the global setting by giving users write-down authority.
  1. Give M1USER access to issue the write-down command:
    SET RESOURCE(FAC)
    COMPILE *
    $KEY(IRR) TYPE(FAC)
    WRITEDOWN.BYUSER UID(*****M1USER) SERVICE(READ) ALLOW
    WRITEDOWN.BYUSER UID(*****M1USER) SERVICE(UPDATE) ALLOW
    STORE
    In this example, you created a resource rule for the IRR.WRITEDOWN.BYUSER resource in the FACILITY class. The resource rule gives M1USER read and update access to issue the write-down command.
  2. Rebuild the Infostorage directory to activate the authorization:
    F ACF2,REBUILD(FAC),C(R)
  3. Make the FACILITY class resource rule resident on the system:
    CHANGE,INFODIR TYPE(R-RFAC)
    F ACF2,REFRESH(INFODIR)
  4. Verify that M1USER can activate write-down for themselves:
    MLWRITE ENABLE
    ACF60500 WRITE-DOWN FOR USER M1USER IS: ENABLED
    In this example, a message appears stating that write-down for M1USER is enabled.
  5. Reset write-down when access is no longer needed:
    MLWRITE RESET
    ACF60500 WRITE-DOWN FOR USER M1USER IS: DISABLED
    User M1USER can no longer issue the write-down command.