The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
By default, mounted NFS volumes on the client side are labeled with a default context defined by policy for NFS. In common policies, this default context uses the
nfs_t type. The root user is able to override the default type using the
mount -context option. The following types are used with NFS. Different types allow you to configure flexible access:
This type is used for existing and new files copied to or created in the
/var/lib/nfs/ directory. This type should not need to be changed in normal operation. To restore changes to the default settings, run the
restorecon -R -v /var/lib/nfs command as the root user.
/usr/sbin/rpc.nfsd file is labeled with the
nfsd_exec_t, as are other system executables and libraries related to NFS. Users should not label any files with this type.
nfsd_exec_t will transition to