5.8. Mounting File Systems
By default, when a file system that supports extended attributes is mounted, the security context for each file is obtained from the security.selinux extended attribute of the file. Files in file systems that do not support extended attributes are assigned a single, default security context from the policy configuration, based on file system type.
mount -o contextcommand to override existing extended attributes, or to specify a different, default context for file systems that do not support extended attributes. This is useful if you do not trust a file system to supply the correct attributes, for example, removable media used in multiple systems. The
mount -o contextcommand can also be used to support labeling for file systems that do not support extended attributes, such as File Allocation Table (FAT) or NFS volumes. The context specified with the
contextis not written to disk: the original contexts are preserved, and are seen when mounting without a
contextoption (if the file system had extended attributes in the first place).
For further information about file system labeling, refer to James Morris's "Filesystem Labeling in SELinux" article: http://www.linuxjournal.com/article/7426.
5.8.1. Context Mounts
To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the Linux root user, use the
mount -o context=SELinux_user:role:type:levelcommand when mounting the desired file system. Context changes are not written to disk. By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the
nfs_ttype. Without additional mount options, this may prevent sharing NFS volumes via other services, such as the Apache HTTP Server. The following example mounts an NFS volume so that it can be shared via the Apache HTTP Server:
mount server:/export /local/mount/point -o \ context="system_u:object_r:httpd_sys_content_t:s0"
Newly-created files and directories on this file system appear to have the SELinux context specified with
-o context. However, since these changes are not written to disk, the context specified with this option does not persist between mounts. Therefore, this option must be used with the same context specified during every mount to retain the desired context. For information about making context mount persistent, refer to the Section 5.8.5, “Making Context Mounts Persistent”.
Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored, so, when overriding the SELinux context with
-o context, use the SELinux
object_rrole, and concentrate on the type. If you are not using the MLS policy or multi-category security, use the
When a file system is mounted with a
contextoption, context changes (by users and processes) are prohibited. For example, running the
chconcommand on a file system mounted with a
contextoption results in a
Operation not supportederror.