5.8.2. Changing the Default Context
As mentioned in Section 5.7, “The file_t and default_t Types”, on file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the file_t type. If it is desirable to use a different default context, mount the file system with the defcontext option.
The following example mounts a newly-created file system (on /dev/sda2) to the newly-created /test/ directory. It assumes that there are no rules in /etc/selinux/targeted/contexts/files/ that define a context for the /test/ directory:
mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
In this example:
- the defcontext option defines that system_u:object_r:samba_share_t:s0 is "the default security context for unlabeled files" (the wording used by the mount(8) man page).
- when mounted, the root directory (/test/) of the file system is treated as if it is labeled with the context specified by defcontext (this label is not stored on disk). This affects the labeling for files created under /test/: new files inherit the samba_share_t type, and these labels are stored on disk.
- files created under /test/ while the file system was mounted with a defcontext option retain their labels, even if the file system is later remounted without defcontext, because those labels were written to disk. The root directory, whose label was never written to disk, falls back to the policy default on such a remount.
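The following script is an added example, not part of the guide and not Red Hat's code. It carries the procedure above through end to end and adds the checks a practitioner would want: a sanity check of the context string, a parser that reads the defcontext= value the kernel actually reports in /proc/mounts (so you can confirm the option took effect rather than trusting the command line), and a demonstration on a throwaway loopback ext4 image instead of the guide's /dev/sda2 that shows the root directory label disappearing on a remount without defcontext while the labels of files created under it survive. The helper functions are plain text processing and run anywhere; demo_defcontext requires root on an SELinux-enabled host and is only run when the script is invoked with the argument demo. The /proc/mounts line used for the offline run is constructed, and the function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the RHEL SELinux guide): mount with defcontext,
# verify the labels, and show which labels survive a remount without it.

# Validate the shape of a context string: seuser:role:type[:level].
# The MLS level may itself contain ':' (e.g. s0-s0:c0.c1023), so only the
# first three fields are checked. Returns 0 if plausible, 1 otherwise.
valid_context() {
    local u r t rest
    IFS=: read -r u r t rest <<EOF
$1
EOF
    [ -n "$u" ] && [ -n "$r" ] && [ -n "$t" ] || return 1
    case "$t" in
        *_t) return 0 ;;      # type identifiers conventionally end in _t
        *)   return 1 ;;
    esac
}

# Print the defcontext= value the kernel reports for a mount point.
# Reads /proc/mounts-formatted lines on stdin (real or constructed). The last
# matching entry wins, since a later mount may be stacked on the same path.
# Contexts containing ',' are quoted by the kernel and not handled here.
# Returns 1 if the mount point is absent or carries no defcontext option.
mount_defcontext() {
    local mnt="$1" dev mp fstype opts rest opt result=""
    while read -r dev mp fstype opts rest; do
        [ "$mp" = "$mnt" ] || continue
        result=""
        for opt in $(printf '%s' "$opts" | tr ',' ' '); do
            case "$opt" in
                defcontext=*) result="${opt#defcontext=}" ;;
            esac
        done
    done
    [ -n "$result" ] && printf '%s\n' "$result"
}

# The guide's procedure on a throwaway ext4 image (root + SELinux required).
demo_defcontext() {
    local ctx="system_u:object_r:samba_share_t:s0" mnt=/test img
    valid_context "$ctx" || { echo "bad context: $ctx" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    selinuxenabled 2>/dev/null || { echo "SELinux is not enabled" >&2; return 1; }

    img=$(mktemp /tmp/defctx.XXXXXX)
    truncate -s 64M "$img" && mkfs.ext4 -q -F "$img"
    mkdir -p "$mnt"

    mount -o loop,defcontext="$ctx" "$img" "$mnt"
    echo "kernel reports defcontext: $(mount_defcontext "$mnt" < /proc/mounts)"
    ls -dZ "$mnt"                 # root dir shows samba_share_t ...
    getfattr -n security.selinux --absolute-names "$mnt" 2>/dev/null \
        || echo "no on-disk label on $mnt"   # ... but nothing is stored on disk
    touch "$mnt/newfile"
    ls -Z "$mnt/newfile"          # new file inherits samba_share_t ...
    getfattr -n security.selinux --absolute-names "$mnt/newfile"   # ... stored on disk

    umount "$mnt"
    mount -o loop "$img" "$mnt"   # remount WITHOUT defcontext
    ls -dZ "$mnt"                 # root dir falls back to the policy default
    ls -Z "$mnt/newfile"          # still samba_share_t: its label was on disk
    umount "$mnt"
    rm -f "$img"
}

# Offline run: exercise the parser on a constructed /proc/mounts line.
SAMPLE_MOUNTS='/dev/loop0 /test ext4 rw,seclabel,relatime,defcontext=system_u:object_r:samba_share_t:s0 0 0'
printf '%s\n' "$SAMPLE_MOUNTS" | mount_defcontext /test

if [ "${1-}" = "demo" ]; then
    demo_defcontext
fi
```

Run it without arguments to see the parser report the context from the constructed line; run it as root with the argument demo on an SELinux-enabled system to watch the labels change across the two mounts. The parser reads /proc/mounts rather than re-echoing the mount command because that is the only place the kernel states which options it accepted for the mounted file system.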