4.9. Mounting File Systems
mount -o contextcommand to override existing extended attributes, or to specify a different, default context for file systems that do not support extended attributes. This is useful if you do not trust a file system to supply the correct attributes, for example, removable media used in multiple systems. The
mount -o contextcommand can also be used to support labeling for file systems that do not support extended attributes, such as File Allocation Table (FAT) or NFS volumes. The context specified with the
contextoption is not written to disk: the original contexts are preserved, and are seen when mounting without
contextif the file system had extended attributes in the first place.
4.9.1. Context Mounts
mount -o context=SELinux_user:role:type:levelcommand when mounting the required file system. Context changes are not written to disk. By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the
nfs_ttype. Without additional mount options, this may prevent sharing NFS volumes using other services, such as the Apache HTTP Server. The following example mounts an NFS volume so that it can be shared using the Apache HTTP Server:
mount server:/export /local/mount/point -o \ context="system_u:object_r:httpd_sys_content_t:s0"
-o context. However, since these changes are not written to disk, the context specified with this option does not persist between mounts. Therefore, this option must be used with the same context specified during every mount to retain the required context. For information about making context mount persistent, see Section 4.9.5, “Making Context Mounts Persistent”.
-o context, use the SELinux
object_rrole, and concentrate on the type. If you are not using the MLS policy or multi-category security, use the
contextoption, context changes by users and processes are prohibited. For example, running the
chconcommand on a file system mounted with a
contextoption results in a
Operation not supportederror.
4.9.2. Changing the Default Context
file_ttype. If it is desirable to use a different default context, mount the file system with the
/dev/sda2to the newly-created
test/directory. It assumes that there are no rules in
/etc/selinux/targeted/contexts/files/that define a context for the
mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
defcontextoption defines that
system_u:object_r:samba_share_t:s0is "the default security context for unlabeled files".
- when mounted, the root directory (
test/) of the file system is treated as if it is labeled with the context specified by
defcontext(this label is not stored on disk). This affects the labeling for files created under
test/: new files inherit the
samba_share_ttype, and these labels are stored on disk.
- files created under
test/while the file system was mounted with a
defcontextoption retain their labels.
4.9.3. Mounting an NFS Volume
nfs_ttype. Depending on policy configuration, services, such as Apache HTTP Server and MariaDB, may not be able to read files labeled with the
nfs_ttype. This may prevent file systems labeled with this type from being mounted and then read or exported by other services.
contextoption when mounting to override the
nfs_ttype. Use the following context option to mount NFS volumes so that they can be shared using the Apache HTTP Server:
mount server:/export /local/mount/point -o context="system_u:object_r:httpd_sys_content_t:s0"
contextoptions, Booleans can be enabled to allow services access to file systems labeled with the
nfs_ttype. See Part II, “Managing Confined Services” for instructions on configuring Booleans to allow services access to the
4.9.4. Multiple NFS Mounts
export/, which has two subdirectories,
database/. The following commands attempt two mounts from a single NFS export, and try to override the context for each one:
mount server:/export/web /local/web -o context="system_u:object_r:httpd_sys_content_t:s0"
mount server:/export/database /local/database -o context="system_u:object_r:mysqld_db_t:s0"
kernel: SELinux: mount invalid. Same superblock, different security settings for (dev 0:15, type nfs)
-o nosharecache,contextoptions. The following example mounts multiple mounts from a single NFS export, with a different context for each mount (allowing a single service access to each one):
mount server:/export/web /local/web -o nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
mount server:/export/database /local/database -o \ nosharecache,context="system_u:object_r:mysqld_db_t:s0"
server:/export/webis mounted locally to the
/local/web/directory, with all files being labeled with the
httpd_sys_content_ttype, allowing Apache HTTP Server access.
server:/export/databaseis mounted locally to
/local/database/, with all files being labeled with the
mysqld_db_ttype, allowing MariaDB access. These type changes are not written to disk.
nosharecacheoptions allows you to mount the same subdirectory of an export multiple times with different contexts, for example, mounting
/export/web/multiple times. Do not mount the same subdirectory from an export multiple times with different contexts, as this creates an overlapping mount, where files are accessible under two different contexts.
4.9.5. Making Context Mounts Persistent
/etc/fstabfile or an automounter map, and use the required context as a mount option. The following example adds an entry to
/etc/fstabfor an NFS context mount:
server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0