As mentioned in Section 5.7, on file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the type described in that section. If it is desirable to use a different default context, mount the file system with the defcontext option.
The following example mounts a newly-created file system (on /dev/sda2) to the newly-created /test/ directory. It assumes that there are no rules in /etc/selinux/targeted/contexts/files/ that define a context for the /test/ directory:

mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
In this example:

- the defcontext option defines that system_u:object_r:samba_share_t:s0 is "the default security context for unlabeled files".
- when mounted, the root directory (/test/) of the file system is treated as if it is labeled with the context specified by defcontext (this label is not stored on disk). This affects the labeling for files created under /test/: new files inherit the samba_share_t type, and these labels are stored on disk.
- files created under /test/ while the file system was mounted with a defcontext option retain their labels.
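The script below is an added example, not part of the guide, that performs the mount described above and then checks each of the three points: the root directory shows the defcontext type, a newly created file inherits it, and after a plain remount (no defcontext) the file keeps its on-disk label while the root directory no longer shows it. It assumes a root shell on an SELinux-enabled host with GNU coreutils, and takes the block device and mount point as arguments (the /dev/sda2 and /test/ values from the text are only an example invocation); the helper names ctx_type, ctx_is_valid, mount_with_defcontext, type_of and run_check are this example's own. Nothing is mounted unless both arguments are supplied.

```shell
#!/bin/sh
# Added example (not the guide's own code): mount a file system with
# defcontext and verify the labeling behaviour described in the text.
# Usage (root, SELinux-enabled host, unused device and mount point):
#   sh defcontext_check.sh /dev/sda2 /test/
# Without two arguments only the helper functions are defined.

# Type field (third colon-separated field) of an SELinux context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True when the string has the user:role:type:level shape.
ctx_is_valid() {
    case "$1" in
        *:*:*:*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Mount DEV on DIR, using CTX as the default context for unlabeled files.
mount_with_defcontext() {
    dev=$1; dir=$2; ctx=$3
    ctx_is_valid "$ctx" || { echo "bad context: $ctx" >&2; return 1; }
    mount "$dev" "$dir" -o defcontext="$ctx"
}

# SELinux type of a path; GNU stat's %C prints the full context.
type_of() {
    ctx_type "$(stat -c %C "$1")"
}

# Full check: mount with defcontext, create a file, remount plainly, compare.
run_check() {
    dev=$1; dir=$2
    want=system_u:object_r:samba_share_t:s0
    mount_with_defcontext "$dev" "$dir" "$want" || return 1

    # Root directory: computed from defcontext, not written to disk.
    echo "root dir with defcontext:  $(type_of "$dir")"
    # New file: inherits samba_share_t and the label is stored as an xattr.
    touch "$dir/probe"
    echo "new file with defcontext:  $(type_of "$dir/probe")"

    # Plain remount: the file keeps its stored label; the root directory,
    # which never had one on disk, is expected to revert to the policy default.
    umount "$dir"
    mount "$dev" "$dir"
    echo "root dir after plain remount: $(type_of "$dir")"
    echo "file after plain remount:     $(type_of "$dir/probe")"
    if [ "$(type_of "$dir/probe")" != "$(ctx_type "$want")" ]; then
        echo "file did not retain its label" >&2
        umount "$dir"
        return 1
    fi
    rm -f "$dir/probe"
    umount "$dir"
}

if [ $# -eq 2 ]; then
    run_check "$1" "$2"
fi
```

The persistence check at the end is the practical point: a label that exists only because of a mount option disappears when the option does, so anything that depends on the root directory being samba_share_t must either keep the defcontext option in /etc/fstab or label the directory explicitly so the context is written to disk.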