5.8. Mounting File Systems
By default, when a file system that supports extended attributes is mounted, the security context for each file is obtained from the security.selinux extended attribute of the file. Files in file systems that do not support extended attributes are assigned a single, default security context from the policy configuration, based on file system type.
Use the
mount -o context
command to override existing extended attributes, or to specify a different, default context for file systems that do not support extended attributes. This is useful if you do not trust a file system to supply the correct attributes, for example, removable media used in multiple systems. The mount -o context
command can also be used to support labeling for file systems that do not support extended attributes, such as File Allocation Table (FAT) or NFS volumes. The context specified with the context
is not written to disk: the original contexts are preserved, and are seen when mounting without a context
option (if the file system had extended attributes in the first place).
For further information about file system labeling, refer to James Morris's "Filesystem Labeling in SELinux" article: http://www.linuxjournal.com/article/7426.
5.8.1. Context Mounts
To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the Linux root user, use the
mount -o context=SELinux_user:role:type:level
command when mounting the desired file system. Context changes are not written to disk. By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the nfs_t
type. Without additional mount options, this may prevent sharing NFS volumes via other services, such as the Apache HTTP Server. The following example mounts an NFS volume so that it can be shared via the Apache HTTP Server:
~]# mount server:/export /local/mount/point -o \ context="system_u:object_r:httpd_sys_content_t:s0"
Newly-created files and directories on this file system appear to have the SELinux context specified with
-o context
. However, since these changes are not written to disk, the context specified with this option does not persist between mounts. Therefore, this option must be used with the same context specified during every mount to retain the desired context. For information about making context mount persistent, refer to the Section 5.8.5, “Making Context Mounts Persistent”.
Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored, so, when overriding the SELinux context with
-o context
, use the SELinux system_u
user and object_r
role, and concentrate on the type. If you are not using the MLS policy or multi-category security, use the s0
level.
Note
When a file system is mounted with a
context
option, context changes (by users and processes) are prohibited. For example, running the chcon
command on a file system mounted with a context
option results in a Operation not supported
error.