5.8.2. Changing the Default Context
As mentioned in Section 5.7, “The file_t and default_t Types”, on file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the file_t type. If it is desirable to use a different default context, mount the file system with the defcontext option.
The following example mounts a newly-created file system (on /dev/sda2) to the newly-created /test/ directory. It assumes that there are no rules in /etc/selinux/targeted/contexts/files/ that define a context for the /test/ directory:
~]# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
In this example:
- the defcontext option defines that system_u:object_r:samba_share_t:s0 is "the default security context for unlabeled files"[9].
- when mounted, the root directory (/test/) of the file system is treated as if it is labeled with the context specified by defcontext (this label is not stored on disk). This affects the labeling for files created under /test/: new files inherit the samba_share_t type, and these labels are stored on disk.
- files created under /test/ while the file system was mounted with a defcontext option retain their labels.
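As an added example (not part of this guide), the following POSIX shell audit reads a mount table in /proc/self/mounts format and reports every file system mounted with defcontext together with the type that option supplies, so an administrator can spot mounts whose unlabeled files will not fall back to file_t. The mount table below is constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Audits mount options for defcontext.
# Input lines follow /proc/self/mounts: device mountpoint fstype options dump pass.
# SAMPLE_MOUNTS is constructed sample data; on a live system feed /proc/self/mounts instead.

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,seclabel,relatime 0 0
/dev/sda2 /test ext4 rw,seclabel,relatime,defcontext=system_u:object_r:samba_share_t:s0 0 0
tmpfs /run tmpfs rw,nosuid,nodev,seclabel,mode=755 0 0
/dev/sdb1 /data xfs rw,seclabel,relatime,context=system_u:object_r:httpd_sys_content_t:s0 0 0'

# Print the defcontext value from one mount-options string, or nothing if absent.
# The kernel wraps the value in double quotes when it contains a comma
# (MLS category ranges such as s0:c0,c1), so both spellings are handled.
defcontext_of() {
    case $1 in
        *'defcontext="'*)
            printf '%s\n' "$1" | sed -n 's/.*defcontext="\([^"]*\)".*/\1/p' ;;
        *defcontext=*)
            printf '%s\n' "$1" | sed -n 's/.*defcontext=\([^,]*\).*/\1/p' ;;
    esac
}

# Extract the SELinux type from a user:role:type:level context string.
type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# For each mount-table line on stdin, print "mountpoint type" for mounts using defcontext.
# Mounts without the option (including those using context= instead) are skipped.
defcontext_report() {
    while read -r dev mnt fstype opts rest; do
        ctx=$(defcontext_of "$opts")
        [ -n "$ctx" ] || continue
        printf '%s %s\n' "$mnt" "$(type_of_context "$ctx")"
    done
}

printf '%s\n' "$SAMPLE_MOUNTS" | defcontext_report
```

Run it as `defcontext_report < /proc/self/mounts` on a real host; each reported type is the one unlabeled files on that mount will be treated as having instead of file_t.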
[9] Morris, James. "Filesystem Labeling in SELinux". Published 1 October 2004. Accessed 14 October 2008: http://www.linuxjournal.com/article/7426.