5.8.2. Changing the Default Context
As mentioned in Section 5.7, “The file_t and default_t Types”, on file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the file_t type. If it is desirable to use a different default context, mount the file system with the defcontext option.
The following example mounts a newly-created file system (on /dev/sda2) to the newly-created /test/ directory. It assumes that there are no rules in /etc/selinux/targeted/contexts/files/ that define a context for the /test/ directory:
~]# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
In this example:
- the defcontext option defines that system_u:object_r:samba_share_t:s0 is "the default security context for unlabeled files"[9].
- when mounted, the root directory (/test/) of the file system is treated as if it is labeled with the context specified by defcontext (this label is not stored on disk). This affects the labeling for files created under /test/: new files inherit the samba_share_t type, and these labels are stored on disk.
- files created under /test/ while the file system was mounted with a defcontext option retain their labels.
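To confirm which default context a mount is actually using, the option list can be audited. The following script is an added example, not part of the original guide: it parses text in /proc/mounts format and reports the type each defcontext option sets. It assumes that the kernel lists defcontext among the mount options and quotes the value when it contains a comma; the sample lines, the /srv/pub mount and its context are constructed.

```shell
#!/bin/sh
# Added example: audit defcontext mount options in /proc/mounts-format text.

# Constructed sample input (device, mount point, fstype, options, dump, pass).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,seclabel,relatime 0 0
/dev/sda2 /test ext4 rw,seclabel,relatime,defcontext=system_u:object_r:samba_share_t:s0 0 0
/dev/sdb1 /srv/pub ext4 rw,seclabel,defcontext="system_u:object_r:public_content_t:s0:c0,c1" 0 0'

# Print the defcontext value from a comma-separated option string.
# Returns 1 if the option is absent. A quoted value may itself contain commas.
defcontext_of() {
    case ",$1" in
        *,defcontext=*) ;;
        *) return 1 ;;
    esac
    v=",$1"
    v=${v#*,defcontext=}                      # drop everything up to the value
    case "$v" in
        \"*) v=${v#\"}; v=${v%%\"*} ;;        # quoted: take text up to closing quote
        *)   v=${v%%,*} ;;                    # unquoted: take text up to next comma
    esac
    printf '%s\n' "$v"
}

# Print the type field (third field) of a user:role:type:level context.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read mounts-format lines on stdin. For each mount that sets defcontext,
# print "OK|MISMATCH <mount point> <type>" against the expected type in $1.
audit_defcontext() {
    expected=$1
    while read -r _dev mnt _fstype opts _rest; do
        ctx=$(defcontext_of "$opts") || continue   # no defcontext on this mount
        t=$(type_of "$ctx")
        if [ "$t" = "$expected" ]; then status=OK; else status=MISMATCH; fi
        printf '%s %s %s\n' "$status" "$mnt" "$t"
    done
}

# Demo on the constructed sample; on a live system use: audit_defcontext TYPE < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_defcontext samba_share_t
```

Mounts without a defcontext option are skipped, so the report lists only the file systems whose unlabeled files receive a non-policy default.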
[9] Morris, James. "Filesystem Labeling in SELinux". Published 1 October 2004. Accessed 14 October 2008: http://www.linuxjournal.com/article/7426.